Qakbot Takedown Aftermath: Mitigations and Protecting Against Future Threats

The DOJ and FBI collaborated to dismantle the Qakbot malware and its botnet, successfully disrupting a long standing threat. However, concerns linger as Qakbot may still pose a risk, although in a reduced form. The takedown removed the malware from a significant number of devices, including 700,000 globally and 200,000 in the U.S. Yet, recent findings suggest Qakbot remains active but weakened.

Simple Hacking Technique Can Extract ChatGPT Training Data

Researchers from Google DeepMind, Cornell University, and other institutions found that the widely used generative AI chatbot, ChatGPT, is susceptible to data leaks. By prompting ChatGPT to repetitively say words like "poem," "company," and others, the researchers were able to make the chatbot regurgitate memorized portions of its training data.

US Govt Sanctions North Korea’s Kimsuky Hacking Group

On Thursday the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned eight North Korean agents for facilitating sanctions evasion including revenue generation and missile-related technology procurement that support the Democratic People’s Republic of Korea’s (DPRK) weapons of mass destruction programs.

New ‘Turtle’ macOS Ransomware Analyzed

Several vendors on VirusTotal have detected a new ransomware dubbed Turtle which is capable of not only targeting Windows and Linux systems but also macOS. Cybersecurity researcher Patrick Wardle who analyzed this new strain, says that Turtle Ransomware is currently not sophisticated. The malware was developed in the Go programming language.

RedLine Stealer Malware Deployed Via ScrubCrypt Evasion Tool

Researchers from Satori Threat Intelligence discovered a new version of the ScrubCrypt obfuscation tool being used to target organizations with the RedLine stealer malware. This latest version of ScrubCrypt is for sale on dark web marketplaces, and is being used in account takeover and fraud attacks.

Behind the Attack: LUMMA Malware

Researchers at Perception Point recently unveiled a sophisticated malware attack aimed at bypassing threat detection systems. The attack involves impersonating a financial services company via a fake invoice email. The email includes a button that leads to an unavailable website which urges users to visit a seemingly legitimate link for the invoice.

Qlik Sense Exploited in Cactus Ransomware Campaign

According to a new blog post by researchers at Artic Wolf, a set of known vulnerabilities in Qlik Sense, a cloud analytics and business intelligence platform, are being exploited to deploy ransomware. Tracked as CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365, the flaws are being chained together to achieve remote code execution on targeted systems.

Iran-Backed Cyber Av3ngers Escalates Campaigns Against U.S. Critical Infrastructure

The Iran-backed Cyber Av3ngers, affiliated with the IRGC, has been actively exploiting Programmable Logic Controllers (PLCs) in Water and Wastewater treatment plants, targeting critical infrastructure installations in the U.S. The group, known for making false claims, initiated attacks on various water authorities, an aquarium, and a brewery. They focus on Unitronics PLCs, leveraging open source tools and exploiting vulnerabilities. The recent campaign expanded to target critical infrastructure globally, particularly those using equipment associated with Israel.

New BLUFFS Attack Lets Attackers Hijack Bluetooth Connections

Researchers from Eurecom have developed six next attacks they have collectively named “BLUFFS.” These vulnerabilities can be used for device impersonation and man-in-the-middle (MitM) attacks. BLUFFS exploits two previously unknown flaws in Bluetooth, related to how session keys are derived to decrypt data in exchange.

Iranian Hackers Exploit PLCs in Attack on Water Authority in U.S.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is responding to a cyber attack on the Municipal Water Authority of Aliquippa, Pennsylvania. The attack involved the exploitation of Unitronics programmable logic controllers (PLCs) and has been attributed to the Iranian-backed hacktivist group Cyber Av3ngers.

General Electric, DARPA Hack Claims Raise National Security Concerns #2

General Electric (GE) and the Defense Advanced Research Projects Agency (DARPA) are reported to have experienced security breaches, with stolen data allegedly available for sale on the Dark Web. The compromised information includes access credentials, DARPA-related military data, SQL files, and more. GE has acknowledged the breach and is actively investigating the matter. DARPA, known for collaborating with GE on various projects, may have classified information on weapons programs and artificial intelligence research in its data stores.

General Electric, DARPA Hack Claims Raise National Security Concerns

General Electric, an American multinational conglomerate that has several divisions including aerospace, power, and renewable energy, is investigating claims that a threat actor breached its development environment and leaked allegedly stolen data. The development comes after a threat actor named IntelBroker posted to a dark forum claiming to have access to General Electric’s development and software pipelines.

Key Cybercriminals Behind Notorious Ransomware Families Arrested in Ukraine

A joint operation carried out by Europol and law enforcement agencies has led to the arrest of 5 key suspects in Ukraine believed to be core members of various ransomware operations including LockerGoga, MegaCortex, Dharma, and the now defunct Hive ransomware. Since 2019, these individuals have targeted over 1,800 victims across 71 countries, compromising large corporations.

Daixin Team Claims Attack on North Texas Municipal Water District

The Daixin Team, a group known for carrying out ransomware attacks, has listed the North Texas Municipal Water District (NTMWD) as a victim on their data leak site. The actors claim to have stolen large amounts of sensitive data from the company and are threatening to release it publicly. The information stolen is said to include board meeting minutes, internal project documentation, personnel details, audit reports, and more. The leak of the data puts the company at risk of frauds in the next months.

Hacktivists Breach U.S. Nuclear Research Lab, Steal Employee Data

The Idaho National Laboratory (INL) announced this week that they suffered a cyberattack after SiegedSec hacktivists leaked stolen human resources data online. INL is a nuclear research center run by the U.S. Department of Energy that employs 5,700 specialists in atomic energy, integrated energy, and national security.

Exploit for CrushFTP RCE Chain Released, Patch Now

A critical vulnerability (CVE-2023-43177) in CrushFTP, allowing hackers to access files, execute code, and steal passwords. Although a fix was issued in version 10.5.2, a recent public exploit by Converge demands immediate updates for CrushFTP users. This exploit lets attackers read, delete files, and potentially gain total control over systems using specific web ports and functions in CrushFTP.

8Base Group Deploying New Phobos Ransomware Variant via SmokeLoader

Last Friday, Cisco Talos published a blog post, highlighting that 8Base ransomware actors are using a variant of the Phobos ransomware to carry out financially motivated attacks. Although most Phobos variants have been distributed using SmokeLoader, a backdoor trojan, researchers note that in 8Base campaigns, the actors are embedding the ransomware component into encrypted payloads, which are then decrypted and loaded into the SmokeLoader process memory.

Popular Dragon Touch Tablet for Kids Infected with Corejava Malware

Retailers like Amazon have promoted affordable Android devices for children, such as the Dragon Touch KidzPad Y88X 10 tablet. However, research by the Electronic Frontier Foundation (EFF) revealed malware and riskware on the device, leading to Amazon removing it from the platform. Other Y88X models remain available. This is not the first instance; in January 2023, Amazon sold a T95 Android TV box with preinstalled malware. Both instances involved the Corejava malware.

MySQL Servers Targeted by ‘Ddostf’ DDoS-As-A-Service Botnet

The ‘Ddostf’ malware botnet is attacking MySQL servers to turn them into a DDoS service. AnhLab Security Emergency Response Center (ASEC) discovered this while tracking threats against database servers. Ddostf infiltrates MySQL servers either through vulnerabilities in unpatched systems or by cracking weak administrator account passwords. These attackers search the web for exposed MySQL servers, trying to breach them through brute forcing administrator credentials.

Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware

Cybersecurity company Securonix has uncovered a new campaign dubbed SEO#LURKER, where actors are tricking WinSCP users into installing malware via SEO poisoning and bogus Google ads. In particular, the actors are using dynamic search ads which automatically generate ads based on a site's content to serve the malicious ads that take the victims to an infected site, which in this case is a compromised WordPress site (gameeweb[.]com). Researchers say this WordPress site will redirect the victim to a phishing site advertising a fake installation for WinSCP, in turn infecting the victim with malware.

#StopRansomware: Rhysida Ransomware

A new joint advisory from CISA and the FBI has been issued detailing observed TTPs and IOCs to help organizations protect against Rhysida Ransomware. Rhysida is a fairly new ransomware that was first detected in May 2023. Like any other ransomware gang, the group engages in double extortion schemes where it will encrypt and exfiltrate victims’ files, threatening to publish the data online unless a ransom is paid.

FBI Warns: Five Weeks In, Gaza Email Scams Still Thriving

FBI is warning of cybercriminals taking advantage of the war in Gaza to solicit funds from unsuspecting victims. According to alerts sent out by the agency, these fraudsters are using various schemes including emails, social media, cold calls, and websites masquerading as fundraisers and charities to convince end users to donate money, stating that the funds will go to victims of the ongoing conflict. These donations are requested in the form of gift cards, wire transfers, and cryptocurrency, making it difficult to trace back.

Zero-Days in Edge Devices Become China's Cyber Warfare Tactic of Choice

Over the past five years, Chinese state-sponsored cyber operations have evolved into a more mature and coordinated threat, focusing on exploiting both known and zero-day vulnerabilities in public-facing security and network appliances. They have also placed a strong emphasis on operational security and anonymity These changes have been influenced by both internal factors like military restructuring and changes in domestic regulations, as well as external factors including reporting by Western governments and the cybersecurity community.

LockBit Ransomware Exploits Citrix Bleed in Attacks, 10K Servers Exposed

About a month ago, Citrix fixed a critical information disclosure flaw (CVE-2023-4966), “Citrix Bleed,” impacting Citrix NetScaler ADC and NetScaler Gateway. As of writing thousands of internet-exposed endpoints are still running vulnerable appliances despite patches being released. As such threat actors are using this opportunity to launch attacks. One of these actors is the LockBit Ransomware group, which researchers say is using publicly available exploits for CVE-2023-4966 to breach the systems of large organizations, steal data, and encrypt files.

82% of Attacks Show Cyber-Criminals Targeting Telemetry Data

A new report from Sophos indicates that cyber-criminals are disabling or wiping out logs in 82% of incidents, making it difficult for organizations to backtrace and determine what happened on systems during a crisis. What’s more is that based on a case study conducted by Sophos, nearly a quarter of organizations investigated didn’t have the appropriate logging available in place for incident responders. Researchers say this was due to several factors, including insufficient retention, re-imaging, or a lack of configuration. “In an investigation, not only would this mean the data would be unavailable for examination, but the defenders would have to spend time figuring out why it wasn’t available” stated researchers in a recent blog post.

BlackCat Ransomware Gang Targets Businesses Via Google Ads

ALPHV/BlackCat ransomware threat actors have been seen using Google Ads to distribute malware. By masquerading as popular software products like Advanced IP Scanner and Slack, the group has been luring professionals to attacker controlled websites. The victims, thinking they are downloading legitimate software, are unknowingly installing a piece of malware called Nitrogen. Nitrogen serves as initial-access malware providing intruders with a foothold into the target organization’s IT environment.

Steps CISOs Should Take Before, During & After a Cyberattack

In today's complex cybersecurity landscape, cyberattacks are inevitable. Organizations, regardless of size or industry, must establish detailed playbooks for effective response. Chief Information Security Officers (CISOs) play a crucial role in preparing for attacks by fostering relationships, educating leaders, and developing comprehensive frameworks.

DP World Cyberattack Blocks Thousands of Containers in Ports

International logistics firm DP World Australia announced that a cyber attack has severely disrupted it’s regular freight movement in multiple Australian ports. DP World specialized in cargo logistics, port terminal operations, maritime services, and free trade zones, they have an annual revenue of over $10 billion. In total, the firm operates 82 marine and inland terminals in 40 countries, handles 70 million containers annually carried by 70,000 vessels, and manages roughly 10% of all global container traffic. DP World has the largest presence in Australia, handling over 40% of the nation’s container trade.

Update: Iranian Hackers Launch Malware Attacks on Israel’s Tech Sector

Imperial Kitten, also known as Tortoiseshell, TA456, Crimson Sandstorm and Yellow Liderc, has launched a new campaign targeting transportation, logistics, and technology companies in the Middle East. Associated with the Iranian Revolutionary Guard Corps (IRGC), this threat actor, using the online persona Marcella Flores, has been active since at least 2017, conducting cyberattacks across sectors like defense technology, telecommunications, maritime, energy, and consulting.

New Ransomware Group Emerges with Hive's Source Code and Infrastructure

Hunters International, a newly emerged ransomware group, has acquired the source code and infrastructure from the dismantled Hive operation, a once-prolific ransomware-as-a-service (RaaS) group. The Hive group's operations were halted as part of a coordinated law enforcement effort in January 2023. This move allowed Hunters International to start its own cyber threat activities with a mature toolkit.

Signature Techniques of Asian APT Groups Revealed

The Kaspersky Cyber Threat Intelligence team has unveiled crucial insights into the tactics, techniques and procedures (TTPs) employed by Asian Advanced Persistent Threat (APT) groups. In a report published today, Kaspersky reveals TTPs found from their examination of one hundred global cybersecurity incidents.

Dragos: OT Threat Intelligence in Cyber Assessment Framework (CAF)

Dragos recently highlighted the UK National Cyber Security Centre's Cyber Assessment Framework (CAF) in a report, emphasizing its global applicability. The CAF, designed to enhance government cybersecurity, outlines top-level outcomes for good cybersecurity. While initially aimed at the UK, its principles are valuable globally.

Russian-Speaking Threat Actor “Farnetwork” Linked to 5 Ransomware Gangs

According to a report from cybersecurity company Group-IB, a threat actor known as 'farnetwork' has operated under various usernames like farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkitand. They actively sought affiliates for different ransomware operations on Russian-speaking hacker forums. In March, farnetwork started recruiting affiliates for their ransomware-as-a-service (RaaS) program based on the Nokoyawa locker.

Beware, Developers: BlazeStealer Malware Discovered in Python Packages on PyPI

According to a new report from Checkmarx, throughout 2023 threat actors have been distributing malicious Python packages disguised as legitimate obfuscation tools to execute BlazeStealer malware on targeted systems. Once executed, BlazeStealer will retrieve a malicious script from an external source and run a discord bot designed to enable the threat actor to gain complete control over the victim’s computer.

Ransomware Actors Continue to Gain Access through Third Parties and Legitimate System Tools

According to a new advisory from the FBI, the agency noted that ransomware actors continue to gain access through third-party vendors and services. Between 2022 and 2023, the FBI observed ransomware attacks compromising casinos through third-party gaming vendors. In particular, small and tribal casinos were targeted, with the threat actors encrypting the PII data of employees and patrons which would be held for ransom payments.

Ethical Hackers Enhance Cybersecurity with Generative AI

The growing use of digital technology makes cybersecurity more important than ever. Ethical hackers, who identify and prevent cyber threats, are increasingly using AI tools like ChatGPT. A report by Bugcrowd reveals that many hackers believe AI will change how they work in the coming years. While AI can't replace human creativity in security, it helps in tasks like data analysis and vulnerability detection.

Okta Breach: Employee's Personal Google Account Usage on Company Laptop Blamed

In a recent statement from Okta security chief David Bradbury, Bradbury confirmed that from September 28, 2023, to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers. These files contained session tokens, which the threat actor was able to use to hijack the legitimate Okta sessions of 5 customers.

Critical Atlassian Confluence Bug Exploited in Cerber Ransomware Attacks

Last Tuesday, Atlassian released security updates to address a critical improper authorization vulnerability impacting all versions of Confluence Data Center and Server. Tracked as CVE-2023-22518, the vulnerability can be used in data destruction attacks targeting internet-exposed and unpatched instances. While initially, Atlassian noted that it is unaware of reports of active exploitation, the vendor updated its advisory on Friday, stating that threat actors are starting to exploit the flaw in attacks in the wild.

Over Half of Users Report Kubernetes/Container Security Incidents

A report from Infosecurity magazine says that Cloud native development practices are creating dangerous new security blind spots for organizations in the US, UK, France and Germany. A study by Venafi polled 800 security and IT leaders from large organizations based in these four countries. It found that 59% of respondents have experienced security incidents in their Kubernetes or container environments.

A Ukrainian Company Shares Lessons in Wartime Resilience

MacPaw, a Ukrainian software company, faced the challenge of maintaining business continuity during the Russian invasion. Their CTO, Vira Tkachenko, explained how they prepared for wartime cyber resilience, including forming an emergency team, prioritizing employee safety and service delivery, fortifying their headquarters, ensuring power and connectivity options, building hardware reserves, setting up redundant communications, freezing code changes, and dealing with increased cyberattacks.

Adtran - AOE Server Vulnerability Advisory

AOE servers that are not properly secured are susceptible to a security vulnerability that could potentially grant unauthorized access to the server via the AOE Server Admin user account. Such compromised servers are consequently vulnerable to ransomware attacks, posing a significant security risk.

MITRE ATT&CK v14 Released

MITRE has released MITRE ATT&CK v14, the newest iteration of its popular investigation framework / knowledge base of tactics and techniques employed by cyber attackers. The goal of MITRE ATT&CK is to catalog and categorize the known tactics, techniques, and procedures (TTPs) used by adversaries in real-world attacks.

Common Vulnerability Scoring System v4.0 Summary:

FIRST, the Forum of Incident Response and Security Teams, will release this week version 4.0 of the Common Vulnerability Scoring System (CVSS). CVSS is an open framework that allows organizations and researchers to communicate specific characteristics and severities of software vulnerabilities.

Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence

President Joe Biden has signed an executive order aimed at regulating generative AI systems like ChatGPT, recognizing their transformative potential and potential risks. The order focuses on ensuring the safe and responsible development and use of AI. It directs various federal agencies and departments to create standards and regulations for AI in various areas, including criminal justice, education, health care, housing, and labor, with an emphasis on protecting civil rights and liberties.

Mass Exploitation of ‘Citrix Bleed’ Vulnerability Underway

Last week, Citrix warned that threat actors are actively exploiting a critical information disclosure vulnerability impacting Citrix NetScaler ADC and Gateway instances. Tracked as CVE-2023-4966, the vulnerability can be exploited by unauthenticated attackers to leak sensitive information from on-prem appliances that are configured as an AAA virtual server or gateway. In the past couple of days, security researchers have noticed an alarming increase in exploitation attempts, with several threat actors including ransomware groups, targeting vulnerable instances.

Dozens of Countries Will Pledge to Stop Paying Ransomware Gangs

As part of the upcoming third annual meeting of the International Counter-Ransomware Initiative, the Biden administration and dozens of its foreign allies will pledge to stop paying ransomware gangs. Representatives from 48 countries, the European Union, and Interpol are expected to attend this week’s summit, which will focus on strategies to block funds used by ransomware gangs to fuel their operations.

'Prolific Puma' Hacker Gives Cybercriminals Access to .us Domains

A report by Infoblox uncovers a concerning trend involving a link-shortening service called "Prolific Puma." This service assists cyber attackers and scammers by providing them with top-level .us domains, enabling them to run phishing campaigns with reduced visibility. Over the past 18 months, Prolific Puma has generated up to 75,000 unique domain names, often sidestepping regulations to offer malicious actors .us URLs.

Security Brief: TA571 Delivers IcedID Forked Loader

In a recent blog post, cybersecurity firm Proofpoint disclosed that it observed two campaigns on October 11 and 18, 2023, in which TA571, a sophisticated cybercriminal threat actor, delivered the Forked variant of IceID. The forked variant was observed being delivered via emails containing 404 TDS URLs that would lead to the download of a password-protected archive, with the password listed in the email. “The zip file contained a VBS script and a benign text file.

BiBi-Linux: A New Wiper Dropped By Pro-Hamas Hacktivist Group

Researchers at Security Joes have uncovered a new Linux Wiper malware dubbed “BiBi-Linux Wiper,” being used by a pro-Hamas Hacktivist group to target Israeli entities in the ongoing Israeli-Hamas conflict. BiBi-Linux Wiper is an x64 ELF executable that is designed to render files unusable by overwriting their contents, further appending targeted files with an extension that uses the following structure “[RANDOM_NAME].BiBi[NUMBER].”

OT Cyber Attacks Proliferating Despite Growing Cybersecurity Spend

The significant rise in attacks on operational technology (OT) systems is primarily due to two key factors: increasing global threats from nation state actors and the involvement of profit-driven cybercriminals often backed by the former. The lack of success in defending against these attacks can be attributed to several factors, including the complexity of OT environments, the convergence of information technology and OT, insider attacks, supply chain vulnerabilities, and more.

Russia to Launch Its Own Version of VirusTotal Due to US Snooping Fear

The Russian government is developing its own malware scanning platform, similar to VirusTotal, to address concerns that the U.S. government might access data from the popular Google-owned service. This new platform, called "Multiscanner," is being created by Russia's National Technology Center for Digital Cryptography in collaboration with other organizations and private enterprises, including companies like Kaspersky, AVSoft, and Netoscope.

CISA Releases Logging Made Easy Article

We wanted to let members know that CISA has introduced a valuable toolset designed to assist companies with their logging requirements. "Logging Made Easy (LME)," LME is a reimagined offering by CISA, that transforms a well-established log management solution into a reliable, centralized log management alternative.

A Cascade of Compromise: Unveiling Lazarus' New Campaign

Earlier this year, a software vendor fell victim to a Lazarus malware attack due to unpatched legitimate software. Despite previous warnings and patches from the vendor, vulnerabilities remained, allowing the threat actor to exploit them. Fortunately, proactive measures detected and thwarted an attack on another vendor. Further investigation revealed that the software vendor had been repeatedly targeted by Lazarus, indicating a persistent and determined threat actor likely seeking valuable source code or tampering with the software supply chain. The adversary used advanced techniques and introduced the SIGNBT malware for victim control.

Microsoft: Octo Tempest Is One of the Most Dangerous Financial Hacking Groups

Summary: Researchers at Microsoft released a comprehensive profile of Octo Tempest, a native English speaker known for advanced social engineering skills. Octo Tempest primarily focuses on data extortion and ransomware attacks against various companies. This threat actor’s tactics have been continuously evolving since early 2022, with expanded targeting encompassing organizations offering cable telecommunications, email, and tech services.

Cloudflare Sees Surge in Hyper-volumetric HTTP DDoS Attacks

Cloudflare says the number of hyper-volumetric HTTP DDoS (distributed denial of service) attacks recorded in the third quarter of 2023 surpasses every previous year, indicating that the threat landscape has entered a new chapter” (Bleeping Computer, 2023). DDoS attacks are a type of cyber attack that sends large amounts of traffic towards hosting apps, websites, and online services in an attempt to overwhelm and make them unavailable to legitimate visitors.

France Accuses Russian State Hackers of Targeting Government Systems, Universities, Think Tanks

A hacking group associated with Russia’s military intelligence agency has been spying on French universities, businesses, think tanks, and government agencies, according to a new report from France’s top cybersecurity agency ANSII” (The Record, 2023). According to the agency, APT28 (Fancy Bear) has been breaching French networks since the second half of 2021 looking for sensitive data. The group chose not to leverage backdoors and instead compromised devices like routers that aren’t as closely monitored.

Chilean Telecom Giant GTD Hit by the Rorschach Ransomware Gang

Chile's telecommunications company, Grupo GTD, has experienced a cyberattack that affected its Infrastructure as a Service (IaaS) platform. The attack caused disruptions to various online services, including data centers, internet access, and Voice-over-IP (VoIP). The attack has been attributed to the Rorschach ransomware gang, which has led to the disconnection of their IaSS platform from the internet.

StripedFly Malware Framework Infects 1 Million Windows, Linux Hosts

A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time. Kaspersky discovered the true nature of the malicious framework last year, finding evidence of its activity starting in 2017, with the malware wrongly classified as just a Monero cryptocurrency miner.

Israeli-Hamas Conflict Spells Opportunity for Online Scammers

Researchers have exposed multiple cyber scams exploiting the Israeli-Hamas conflict. These scams involve more than 500 deceptive emails and fraudulent websites that take advantage of people’s desire to support those affected by the conflict. Many of these emails contain links to counterfeit websites claiming to provide information about the ongoing situation and encouraging individuals to donate using various cryptocurrency payment methods, as reported by Kaspersky researchers.

Attacks on Web Applications Spike in Third Quarter, New Talos IR Data Shows

There was a notable increase in threats to web applications, accounting for 30 percent of the engagements Cisco Talos Incident Response (Talos IR) responded to in the third quarter of 2023, compared to 8 percent the previous quarter. Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements.

Citrix Bleed Exploit Lets Hackers Hijack NetScaler Accounts

A proof-of-concept (PoC) exploit is released for the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances. CVE-2023-4966 is a critical-severity remotely exploitable information disclosure flaw Citrix fixed on October 10 without providing many details.

ESET: Winter Vivern Exploits Zero-Day Vulnerability in Roundcube Webmail Servers

As per a report by ESET security, a well-known cybersecurity endpoint protection vendor, the threat actor identified as Winter Vivern, also known as TA473 and UAC-0114, has been detected exploiting a zero-day vulnerability in Roundcube webmail software on October 11, 2023, for the purpose of gathering email messages from victims' accounts. Telemetry data indicates that the campaign specifically aimed at Roundcube Webmail servers owned by governmental entities and a think tank, all located in Europe.

Strengthening Ransomware Defense: The Importance of Title Case Security Patch Management

A recent TrendMicro report highlights that IT teams are currently grappling with a deluge of software patches, which are being released on a regular basis, ranging from monthly to daily. As per statistics, contemporary enterprises are burdened with managing an average of 1,061 applications, and due to the frequent issuance of patches by various software vendors, the need for strategic prioritization has become imperative.

'Log in with...' Feature Allows Full Online Account Takeover for Millions

Security flaws in the use of OAuth by Grammarly, Vidio, and Bukalapak could potentially put the financial and credential information of millions of users at risk. These issues also raise concerns that other online services may face similar problems, potentially leading to account takeovers, credential theft, and financial fraud for users across various websites. Salt Labs researchers found serious API misconfigurations on websites like Grammarly, Vidio, and Bukalapak, indicating that numerous other sites might be similarly affected.

September Was a Record Month for Ransomware Attacks in 2023

Ransomware activity in September reached unprecedented levels following a relative lull in August that was still way above regular standards for summer months. According to NCC Group data, ransomware groups launched 514 attacks in September. This surpasses March 2023 activity, which counted 459 attacks, and was heavily skewed by Clop's MOVEit Transfer data theft attacks.

Vietnamese DarkGate Malware Targets META Accounts in the UK, USA, India

Cybersecurity firm WithSecure, has discovered a connection between recent DarkGate malware attacks targeting its clients and Vietnam-based threat actors engaged in a campaign to compromise Meta business accounts and pilfer sensitive data. WithSecure's Detection and Response Team (DRT) reported multiple DarkGate malware infection attempts against their clients' organizations in the UK, USA, and India on August 4, 2023. The attack methods closely resemble those seen in recent DuckTail infostealer campaigns, which WithSecure has been monitoring for over a year.

New TetrisPhantom Hackers Steal Data from Secure USB Drives on Govt Systems

A new sophisticated threat tracked as ‘TetrisPhantom’ has been using compromised secure USB drives to target government systems in the Asia-Pacific region. Secure USB drives store files in an encrypted part of the device and are used to safely transfer data between systems, including those in an air-gapped environment. Access to the protected partition is possible through custom software that decrypts the contents based on a user-provided password. One such software is UTetris[.]exe, which is bundled on an unencrypted part of the USB drive.

US Energy Firm Shares How Akira Ransomware Hacked its Systems

In a rare display of transparency, US energy services firm BHI Energy details how the Akira ransomware operation breached their networks and stole the data during the attack. BHI Energy, part of Westinghouse Electric Company, is a specialty engineering services and staffing solutions provider supporting private and government-operated oil & gas, nuclear, wind, solar, and fossil power generation units and electricity transmission and distribution facilities.

Google Chrome's New "IP Protection" Will Hide Users' IP Addresses

Google is set to introduce a new "IP Protection" feature in its Chrome browser to enhance user privacy by concealing their IP addresses through the use of proxy servers. This move aims to address privacy concerns related to IP addresses, which can be used for covert tracking, and marks Google's effort to strike a balance between user privacy and web functionality.

Tracking Unauthorized Access to Okta's Support System

In a recent statement from Okta Security, they've reported the discovery of malicious activity involving the unauthorized use of a stolen credential to access Okta's support case management system. The threat actor was able to access files uploaded by specific Okta customers as part of recent support cases. It's essential to clarify that the support case system operates independently of the primary Okta service, which remains fully functional and unaffected. Notably, the Auth0/CIC case management system has not been impacted by this incident.

Pro-Israeli Hacktivist Group 'Predatory Sparrow' Reappears

A hacktivist group supporting Israel, known as Predatory Sparrow, has resurfaced recently. Last week, the group broke its year-long silence by posting a tweet referencing the ongoing Gaza conflict, warning of its return and sharing a link to a report about the United States sending fighter planes and warships to aid Israel. Predatory Sparrow is recognized as a relatively advanced Israeli hacking operation, and it has a track record of conducting disruptive attacks in Iran, aimed at undermining the Iranian government.

ExelaStealer: A New Low-Cost Cybercrime Weapon Emerges

In a report from Fortinet, they detail a new information-stealing malware named ExelaStealer that has recently emerged in the cybersecurity landscape. ExelaStealer is described as a low-cost, mostly open-source infostealer with the option for paid customizations. This affordability and openness make it accessible to a wide range of cybercriminals, from novices to more seasoned threat actors. The malware is predominantly coded in Python and offers support for JavaScript. It possesses the capability to exfiltrate a variety of sensitive data, including passwords, Discord tokens, credit card information, cookies, session data, keystrokes, screenshots, and clipboard content.

Attacks on 5G Infrastructure from User Devices: ASN.1 Vulnerabilities in 5G Core

In a recent report from TrendMicro, researchers delve into critical vulnerabilities and risks associated with 5G and its infrastructure. They take a particular focus on the control plane and the susceptibility of the NGAP protocol to ASN.1-related issues. The first part of the report reveals how GTP-U tunnels can be exploited by user devices, potentially leading to core network crashes. In the second part, the report discusses how attackers can leverage these vulnerabilities by disguising control messages as user traffic, resulting in the transition from the user plane to the control plane.

North Korean Hackers Are Targeting Software Developers and Impersonating IT Workers

North Korean hackers have notably increased their emphasis on the IT industry, by infiltrating companies involved in software development and organizations seeking IT professionals. On Wednesday, Microsoft disclosed that North Korean affiliated hacking groups Lazarus (Diamond Sleet) and Andariel (Onyx Sleet) have been exploiting a critical authentication bypass vulnerability (CVE-2023-42793) within JetBrains TeamCity server.

QR Codes Used in 22% of Phishing Attacks

Hoxhunt released the results of their Hoxhunt Challenge, an exercise conducted in 38 organizations across nine industries and 125 countries. Their study revealed that 22% of phishing attacks in the first weeks of October 2023 used QR codes to deliver malicious payloads.

E-Root Admin Faces 20 Years for Selling Stolen RDP, SSH Accounts

Sandu Diaconu, the operator of the E-Root marketplace, has been extradited to the U.S. to face a maximum imprisonment penalty of 20 years for selling access to compromised computers. The Moldovan defendant was arrested in the U.K. in May 2021 while attempting to flee the country following the authorities' seizure of E-Root's domains in late 2020. Last month, Diaconu consented to be extradited to the United States for wire fraud, money laundering, computer fraud, and access device fraud

Iran-Linked OilRig Targets Middle East Governments in 8-Month Cyber Campaign

The OilRig threat group, connected to Iran, conducted an eight-month-long cyber campaign against an unspecified Middle Eastern government from February to September 2023. This operation resulted in the theft of files and passwords, and at one point, they used a PowerShell backdoor called PowerExchange. The Symantec Threat Hunter Team refers to this operation as "Crambus." The attackers used the PowerExchange implant to monitor emails from an Exchange Server, execute commands, and send the results to themselves. They compromised at least 12 computers and installed backdoors and keyloggers on an additional dozen machines, indicating a significant breach.

The Iron Swords War – Cyber Perspectives from the First 10 Days of the War in Israel

In a recent report from Check Point, the focus is on escalating cyber activities during the Israel-Hamas conflict. The key points include a surge in cyberattacks targeting Israel, diverse cyber threats like DDoS attacks and hack-and-leak incidents, and the involvement of various hacktivist groups aligned with geopolitical interests. These developments are causing heightened risks and tensions in the cyber domain.

Multiple North Korean Threat Actors Exploiting the TeamCity CVE-2023-42793 Vulnerability

wo North Korean nation-state actors, Lazarus (or Zinc) and Plutonium (or Andariel), have been exploiting a known remote code execution vulnerability in the TeamCity continuous integration and continuous deployment tool. The vulnerability, CVE-2023-42793, was patched by JetBrains in version 2023.05.4. These actors have been targeting on-premises instances of TeamCity, deploying backdoors, stealing credentials, and more. Microsoft's threat intelligence group observed these attacks and noted that both groups may be opportunistically compromising vulnerable servers, but they have also used techniques that could provide persistent access to victim environments.

Ex-Navy IT Head Gets 5 Years for Selling People’s Data on Darkweb

Marquis Hooper, a former U.S. Navy IT manager, has received a sentence of five years and five months in prison for illegally obtaining US citizens' personally identifiable information (PII) and selling it on the dark web. The man was indicted with his wife, Natasha Renee Chalk, in February 2021 and pleaded guilty to aggravated identity theft and conspiracy to commit wire fraud in March 2023.

Ukrainian Activists Hack Trigona Ransomware Gang, Wipe Servers

A group of cyber activists under the Ukrainian Cyber Alliance (UAC) banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available. The Ukrainian Cyber Alliance fighters say they exfiltrated all of the data from the threat actor’s systems, including source code and database records, which may include decryption keys.

D-Link Confirms Data Breach after Employee Phishing Attack

Taiwanese networking equipment manufacturer D-Link confirmed a data breach linked to information stolen from its network and put up for sale on BreachForums earlier this month. The attacker claims to have stolen source code for D-Link's D-View network management software, along with millions of entries containing personal information of customers and employees, including details on the company's CEO.

Critical Vulnerabilities Expose Weintek HMIs to Attacks

Last week, CISA warned organizations about critical and high-severity vulnerabilities in a human-machine interface (HMI) product made by Taiwan-based Weintek. According to CISA, the impacted product, the Weintek cMT HMI, is used worldwide, including in critical manufacturing organizations, which are considered part of critical infrastructure.

Is It On or Off? Cisco IOS XE Devices Hacked in Widespread Attacks

Amid the COVID-19 pandemic, as remote work became a necessity, IT teams had to rapidly implement protocols and software suites to maintain business continuity and efficiency. This involved enabling routing configurations and adjusting inbound and outbound policies on appliances that previously didn't support remote connections. This allowed networking appliances and software packages to be accessed and configured on-the-fly, enabling staff to access the necessary resources for their work from locations outside the traditional office spaces.

Russian Sandworm Hackers Breached 11 Ukrainian Telcos Since May

The state-sponsored Russian hacking group tracked as 'Sandworm' has compromised eleven telecommunication service providers in Ukraine between May and September 2023. That is based on a new report by Ukraine's Computer Emergency Response Team (CERT-UA) citing 'public resources' and information retrieved from some breached providers.

Researchers Warn of Increased Malware Delivery via Fake Browser Updates

Researchers from Sekoia have released details on a new campaign from the threat group behind SocGholish. This latest activity leverages compromised WordPress sites to push malicious fake browser updates. The campaign, which has been called ClearFake, injects Javascript into compromised WordPress websites so that it downloads another Javascript payload from an attacker controlled domain.

Colonial Pipeline Attributes Ransomware Claims to ‘Unrelated’ Third-Party Data Breach

Colonial Pipeline has reported that there has been no disruption to its pipeline operations or systems following threats from a ransomware group known as Colonial Pipeline is responsible for operating the largest pipeline system for refined oil products in the United States. The gang claimed that they had stolen data from Colonial Pipeline's systems.

macOS Malware 2023 | A Deep Dive into Emerging Trends and Evolving Techniques

In a recent report by SentinelOne, they've highlighted a noteworthy shift in the behavior of macOS malware. The trend we're observing is a move away from the concept of persistence, particularly in many malware families. Specifically, infostealers have taken center stage, aiming to accomplish their objectives in a single execution. This includes the theft of valuable data such as admin passwords, browsing history, and cookies, all achieved without relying on traditional methods of maintaining persistence.

Women Political Leaders Summit Targeted in Romcom Malware Phishing

A less detectable version of the RomCom backdoor was used to target attendees of the Women Political Leaders Summit in Brussels, which centers on gender equality and women in politics. The attackers created a fake website resembling the official WPL portal to lure individuals looking to participate or learn about the summit.

EPA Calls Off Cyber Regulations for Water Sector

The Environmental Protection Agency will no longer require cybersecurity audits of U.S. water utilities through sanitary surveys. “In a letter to state drinking water administrators on Thursday, the EPA said litigation from Republican states and trade associations, which raised questions about the long-term legal viability of the initiative to regulate the cybersecurity of water utilities, drove the decision to rescind a March memorandum implementing the rule.

Ransomware Attacks Now Target Unpatched WS_FTP Servers

Internet-exposed WS_FTP servers unpatched against a maximum severity vulnerability are now targeted in ransomware attacks. As recently observed by Sophos X-Ops incident responders, threat actors self-described as the Reichsadler Cybercrime Group attempted, unsuccessfully, to deploy ransomware payloads created using a LockBit 3.0 builder stolen in September 2022.

DarkGate Malware Spreading via Messaging Services Posing as PDF Files

The DarkGate malware is being spread through messaging platforms like Skype and Microsoft Teams. It disguises itself as a PDF document, but contains a harmful script that downloads and runs the malware. It’s uncertain how the attackers compromised the messaging app accounts, but it’s suspected to be due to leaked credentials or a previous compromise of the organization.

Newest Ransomware Trend: Attackers Move Faster with Partial Encryption

In a recent report from Check Point, it was observed that ransomware actors can rapidly incapacitate systems through partial encryption. You might be wondering, what is partial encryption and why is it effective? Generally, encryption, especially for large data volumes, can be a time-consuming process. Consequently, attackers are seeking more efficient and effective methods to make victims' data inaccessible until the ransom is paid.

Assessed Cyber Structure and Alignments of North Korea in 2023

North Korea’s state-sponsored hackers, under the direction of its ruling regime, are constantly improving their tactics for conducting cyber operations. This information comes from a recent report by Google’s Mandiant threat intelligence team. The report reveals how the Pyongyang-based regime, despite its small population of 25 million, utilizes cyber intrusions for both espionage and financial crimes, thereby bolstering its power and financing its cyber and kinetic capabilities.

A Frontline Report of Chinese Threat Actor Tactics and Techniques

Microsoft threat intelligence experts are seeing a trend of Chinese threat groups deploying less desktop malware and prioritizing in stealing passwords and tokens that can be used to access sensitive systems used by remote workers. Ever since the COVID-19 pandemic, work from home has become a norm with organizations granting employees remote access to sensitive systems and resources.

LinkedIn Smart Links Attacks Return to Target Microsoft Accounts

Cofense has detected a surge in the abuse of LinkedIn Smart Links in phishing attacks allowing actors to bypass protection measures and evade detection. “Smart Links are part of LinkedIn's Sales Navigator service, used for marketing and tracking, allowing Business accounts to email content using trackable links to determine who engaged with it.

AvosLocker Ransomware Continues to Target US - CISA Alert AA23-284A

On October 11, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on AvosLocker ransomware. AvosLocker is a Ransomware-as-a-Service group that employs double extortion tactics in their ransomware attack campaigns. AvosLocker was first seen in June 2021, and they have multiple ransomware variants for Windows, Linux, and VMware ESXi environments.

LinkedIn Smart Links Attacks Return to Target Microsoft Accounts

Cofense has detected a surge in the abuse of LinkedIn Smart Links in phishing attacks allowing actors to bypass protection measures and evade detection. “Smart Links are part of LinkedIn's Sales Navigator service, used for marketing and tracking, allowing Business accounts to email content using trackable links to determine who engaged with it. Also, because Smart Link uses LinkedIn's domain followed by an eight-character code parameter, they appear to originate from a trustworthy source and bypass email protections” .

AvosLocker Ransomware Continues to Target US - CISA Alert AA23-284A

On October 11, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on AvosLocker ransomware. AvosLocker is a Ransomware-as-a-Service group that employs double extortion tactics in their ransomware attack campaigns. AvosLocker was first seen in June 2021, and they have multiple ransomware variants for Windows, Linux, and VMware ESXi environments.

High Severity Vulnerability in curl 8.4.0

Last week, researchers warned of a critical flaw in curl, the popular command line transfer tool. Curl project founder and lead developer Daniel Stenberg called it “probably the worst curl security flaw in a long time.” While details were initially withheld, a patch released today fixed two separate vulnerabilities tracked as CVE-2023-38545 and CVE-2023-38546.

One-Click Exploit Reveals Common Software's Supply Chain Risk in Linux Operating Systems

Researchers from GitHub security lab have discovered a critical vulnerability in a library used within the GNOME desktop environment for Linux systems. GNOME is a popular open-source desktop environment found in distributions like Ubuntu and Fedora. The vulnerability, rated 8.8 out of 10, resides in a library called "libcue," which is used for parsing metadata related to CD or DVD track layouts.

Google Mitigated the Largest DDoS Attack to Date, Peaking Above 398 Million RPS

Google says it mitigated a series of DDoS attacks reaching a peak of 398 million requests per second (rps), which is nearly 9 times bigger than the largest-recorded DDoS attack last year, peaking at 46 million rps. The latest set of attacks started in August and are still ongoing. According to Google, the attacks rely on a novel technique dubbed “Rapid Reset” which leverages stream multiplexing, a feature of the widely-adopted HTTP/2 protocol.

Microsoft to kill off VBScript in Windows to block malware delivery

Microsoft says it is in the works of removing VBScript (Visual Basic Script), a scripting language that was introduced by the tech giant approximately 30 years ago. Although VBScript was originally designed for Windows automation and administrative tasks, over the years, threat actors have misused it to create and distribute malicious payloads.

New Threat Actor “Grayling” Blamed For Espionage Campaign

Security researchers have revealed evidence of a newly discovered APT group that primarily targeted Taiwanese organizations during a cyber-espionage campaign spanning at least four months. Known as "Grayling" according to Symantec, this group initiated their operations in February 2023 and persisted until at least May 2023.

Phishing Scam Alert - Impersonation of USPS and Dozens of National Postal Services

As we approach the holiday season, we've remained vigilant in warning our members about the recent surge in phishing attacks targeting U.S. Postal Service (USPS) customers. These malicious campaigns are disseminated through SMS, email, and various other phishing methods. In these attacks, criminals impersonate USPS services with the intent to deceive individuals and pilfer personal and financial information.

Microsoft Releases New Report on Cybercrime, State-Sponsored Cyber Operations

According to Microsoft’s latest Digital Defense Report, Ukraine, the United States, and Israel were the most targeted countries based on state-sponsored threat activity observed by the tech giant against organizations in more than 120 countries. Based on intel gathered between July 2022 and June 2023, the majority of cyber attacks observed were fueled by nation-state spying and influence operations, with 40% of all observed attacks targeting critical infrastructure organizations.

D.C. Board of Elections Confirms Voter Data Stolen in Site Hack

The District of Columbia Board of Elections (DCBOE) is currently probing a data leak involving an unknown number of voter records following breach claims from a threat actor known as RansomedVC. DCBOE operates as an autonomous agency within the District of Columbia Government and is entrusted with overseeing elections, managing ballot access, and handling voter registration processes.

Hackers Hijack Citrix NetScaler Login Pages to Steal Credentials

Hackers are conducting a large-scale campaign to exploit the recent CVE-2023-3519 flaw in Citrix NetScaler Gateways to steal user credentials. The flaw is a critical unauthenticated remote code execution bug discovered as a zero-day in July that impacts Citrix NetScaler ADC and NetScaler Gateway. By early August, the flaw had been leveraged to backdoor at least 640 Citrix servers, and the figure reached 2,000 by mid-August.

NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations

The UK's National Cyber Security Centre (NCSC) has released guidance to assist medium to large organizations in mapping their supply chains, with a focus on boosting confidence in managing vulnerabilities related to suppliers. Additionally, a report by Picus Security highlights the growing prevalence of multipurpose malware, which possesses multiple functionalities.

GitHub's Secret Scanning Feature Now Covers AWS, Microsoft, Google, and Slack

GitHub recently updated its secret scanning feature to extend validity checks to popular services including Amazon Web Services (AWS), Microsoft, Google, and Slack. The feature was introduced earlier this year to help alert users whether exposed tokens found by the secret scanning are active. While the feature was first enabled for GitHub tokens, the cloud-based code hosting and version control service is now including support for more tokens.

Sony Confirms Data Breach Impacting Thousands in the U.S.

Sony Interactive Entertainment (Sony) has informed both current and former employees and their family members regarding a cybersecurity incident that resulted in the exposure of personal information. The company has dispatched data breach notifications to approximately 6,800 individuals, verifying that the breach transpired due to an unauthorized entity exploiting a zero-day vulnerability in the MOVEit Transfer platform.

Maritime Infrastructure Security Breaches from Drones ‘Becoming a Common Occurrence,’ Says Report

A recent report highlights the growing presence of drones above sensitive maritime facilities, signaling a common occurrence. The report also criticizes the effectiveness of current federal counter-UAS legislation, citing a lack of authorities and capabilities to intercept suspicious drones. U.S. Coast Guard Capt. Andrew J. Meyers emphasized the importance of Area Maritime Security Committees (AMSCs) in safeguarding the nation's ports, praising their role in fostering relationships, collaborative planning, communication, and unity of effort.

Exploits Released for Linux Flaw Giving Root on Major Distros

Proof-of-concept exploits have already surfaced online for a high-severity flaw in GNU C Library's dynamic loader, allowing local attackers to gain root privileges on major Linux distributions. Dubbed 'Looney Tunables' and tracked as CVE-2023-4911, this security vulnerability is due to a buffer overflow weakness, and it affects default installations of Debian 12 and 13, Ubuntu 22.04 and 23.04, and Fedora 37 and 38.

Atlassian Confluence Hit by New Actively Exploited Zero-Day – Patch Now

Atlassian has published security updates to fix an actively exploited zero-day vulnerability in its Confluence Data Center and Server software. Tracked as CVE-2023-22515, the flaw relates to a case of privilege escalation. Although Atlassian did not specify the root cause of this flaw, the vulnerability could allow a regular user account to elevate to admin.

US Executives Targeted in Phishing Attacks Exploiting Flaw in Indeed Job Platform

In a recent report from Menlo Security, it was discovered that Indeed, a widely recognized global job search platform headquartered in the US, boasting over 350 million monthly visitors and a global workforce of more than 14,000 employees, has become the focus of a significant phishing campaign. This campaign underscores how threat actors can exploit the platform's credibility and popularity.

EvilProxy Uses Open Redirect For Microsoft 365 Phishing

A recently uncovered phishing campaign is targeting Microsoft 365 accounts of key executives in U.S.-based organizations by abusing open redirects from the Indeed employment website for job listings. The threat actor is using the EvilProxy phishing service that can collect session cookies, which can be used to bypass multi-factor authentication (MFA) mechanisms.

New BunnyLoader Threat Emerges as a Feature-Rich Malware-As-A-Service

Security researchers discovered a new malware-as-a-service (MaaS) named 'BunnyLoader' advertised on multiple hacker forums as a fileless loader that can steal and replace the contents of the system clipboard. The malware is under rapid development, with updates adding new features and bug fixes. It can currently download and execute payloads, log keys, steal sensitive data and cryptocurrency, and execute remote commands.

Ransomware Reinfections on the Rise Due to Improper Remediation

According to a recent report from Malwarebytes, it was found that ransomware attacks don't typically originate as a fresh problem for organizations; instead, they are the grim culmination of unresolved network compromises. Threat actors gain initial access through stolen login credentials, deployed malware, or established backdoors—akin to leaving an unlocked door for future visits.

Malware-Infected Devices Sold Through Major Retailers

Human Security has exposed a significant monetization method employed by a sophisticated cyber-criminal operation. This operation involved the sale of backdoored off-brand mobile and CTV (Connected TV) Android devices through major retailers, which had originated from repackaging factories in China.

FBI Warns of Surge in 'Phantom Hacker' Scams Impacting Elderly

The FBI issued a public service announcement warning of a significant increase in 'phantom hacker' scams targeting senior citizens across the United States. ‘This Phantom Hacker scam is an evolution of more general tech support scams, layering imposter tech support, financial institution, and government personas to enhance the trust victims place in the scammers and identify the most lucrative accounts to target,’ the FBI said.

Ransomware Gangs Now Exploiting Critical TeamCity RCE Flaw

Ransomware gangs are now targeting a recently patched critical vulnerability in JetBrains' TeamCity continuous integration and deployment server. The flaw (tracked as CVE-2023-42793 and tagged with a 9.8/10 severity score) allows unauthenticated attackers to gain remote code execution (RCE) after successfully exploiting an authentication bypass weakness in low-complexity attacks that don't require user interaction.

Future Government Shutdowns: Potential Impact on National Cybersecurity

In a recent report from Forbes, the nation's cybersecurity was in a tight spot when Congress passed a bill to keep the government running for the next 45 days. A government shutdown could have caused problems for many government functions, including those responsible for protecting the country from cyberattacks. Depending on how long the shutdown lasted, it could have led to a crisis for companies and organizations across the country.

Microsoft Edge, Teams Get Fixes for Zero-days in Open-source Libraries

Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products. The first bug is a flaw tracked as CVE-2023-4863 and is caused by a heap buffer overflow weakness in the WebP code library (libwebp), whose impact ranges from crashes to arbitrary code execution.

Strengths and Weaknesses of a Single-Vendor Approach: Microsoft

In a recent report by SentinelOne, it's highlighted that Microsoft's security business has seen substantial growth, generating over $20 billion annually. The International Data Corporation (IDC) reported that Microsoft holds the largest market share in 2022, at 18.9%, with a 7.2% increase. Similarly, Gartner estimated that in 2021, Microsoft controlled 8.5% of the entire security software market, outperforming its competitors.

Chinese Threat Actors Stole Around 60,000 Emails from US State Department in Microsoft Breach - Filing

This report was filed under "Vendor Reports" because it was investigated by Microsoft (being the vendor) as a notable incident, "Microsoft researchers discovered that the threat actors gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook[.]com by forging authentication tokens to access user email." Microsoft corrected the issue in its products by, "Revoking all valid MSA signing keys to prevent attackers from accessing other compromised keys."

Zanubis Android Banking Trojan Poses as Peruvian Government App to Target Users

An emerging Android banking trojan called Zanubis is now masquerading as a Peruvian government app to trick unsuspecting users into installing the malware. ‘Zanubis's main infection path is through impersonating legitimate Peruvian Android applications and then tricking the user into enabling the Accessibility permissions in order to take full control of the device,’ Kaspersky said in an analysis published last week.

Millions of Exim Mail Servers Exposed to Zero-Day RCE Attacks

A critical zero-day vulnerability was disclosed in the Exim mail transfer agent (MTA) software, which if successfully exploited could enable an unauthenticated attacker to gain remote code execution on Internet-exposed servers. Tracked as CVE-2023-42115, the flaw resides in the SMTP service, which listens on TCP port 25 by default. According to Trend Micro’s Zero Day Initiative, which uncovered the flaw, CVE-2023-42115 results from a lack of proper validation of user-supplied data which could result in a write past the end of a buffer and further allow an attacker to execute code in the context of the service account.

Exploit Available for Critical WS_FTP Bug Exploited in Attacks

Over the weekend, security researchers uncovered a critical vulnerability (CVE-2023-40044) in Progress Software's WS_FTP Server. They released a proof-of-concept (PoC) exploit along with technical details. The flaw stems from a .NET deserialization vulnerability in the Ad Hoc Transfer Module, allowing unauthenticated attackers to execute remote commands via a simple HTTP request. Assetnote researchers, who discovered the issue, expressed surprise at how long it remained unpatched.

Exploit Released for Microsoft SharePoint Server Authentication Bypass Flaw

Proof-of-concept exploit code has surfaced on GitHub for a critical authentication bypass vulnerability in Microsoft SharePoint Server, allowing privilege escalation. Tracked as CVE-2023-29357, the security flaw can let unauthenticated attackers gain administrator privileges following successful exploitation in low-complexity attacks that don't require user interaction.

Hackers Steal User Database from European Telecommunications Standards Body

Hackers targeted the European Telecommunications Standards Institute (ETSI), a nonprofit organization responsible for developing communication standards, and stole a user database. The motive behind the attack remains unclear, with suspicions ranging from financial gain to potential espionage. ETSI engaged France's cybersecurity agency ANSSI to investigate and enhance its information systems' security.

Chinese Threat Actors Stole Around 60,000 Emails from US State Department in Microsoft Breach

China-linked hackers breached Microsoft's email platform in May and stole tens of thousands of emails from U.S. State Department accounts, according to a Senate staffer. During a briefing by State Department IT officials, it was revealed that threat actors targeted around 60,000 emails from a total of 10 State Department accounts belonging to officials working in East Asia, the Pacific, and Europe.

Budworm Hackers Target Telcos and Govt Orgs With Custom Malware

A Chinese cyber-espionage group known as Budworm has recently been detected engaging in cyberattacks. They have specifically targeted a telecommunications company in the Middle East and a government organization in Asia. What's noteworthy is that they've deployed a new version of their customized 'SysUpdate' malware.

Google Fixes Fifth Actively Exploited Chrome Zero-Day of 2023

Yesterday, Google released emergency security updates to address a zero-day flaw impacting its Chrome Browser. Tracked as CVE-2023-5217, the flaw relates to a heap buffer overflow weakness in the VP8 encoding of libvpx, an open-source video codec library from Google and the Alliance for Open Media (AOMedia). A successful exploit of this flaw could lead to browser crashes or arbitrary code execution.

Cisco Urges Admins to Fix IOS Software Zero-Day Exploited in Attacks

Multiple vulnerabilities have been identified in Cisco Catalyst SD-WAN Manager (formerly Cisco SD-WAN vManage). These vulnerabilities could potentially allow attackers to access an affected instance or cause a denial of service (DoS) condition on the affected system. Cisco has taken action to address these vulnerabilities through software updates, "Although exploiting this vulnerability demands significant access to the target environment, threat actors have already initiated attacks, as reported by the company in the same advisory.

US and Japan Warn of Chinese Hackers Backdooring Cisco Routers

US and Japanese law enforcement and cybersecurity agencies warn of the Chinese 'BlackTech' hackers breaching network devices to install custom backdoors for access to corporate networks. The joint report comes from the FBI, NSA, CISA, and the Japanese NISC (cybersecurity) and NPA (police), who explain that the state-sponsored hacking group is breaching network devices at international subsidiaries to pivot to the networks of corporate headquarters.

GitHub Repos Bombarded By Info-Stealing Commits Masked as Dependabot

Hackers are breaching GitHub accounts and inserting malicious code disguised as Dependabot contributions to steal authentication secrets and passwords from developers. The campaign unfolded in July 2023, when researchers discovered unusual commits on hundreds of public and private repositories forged to appear as Dependabot commits.

New ZenRAT Malware Targeting Windows Users via Fake Password Manager Software

Researchers at Proofpoint have uncovered a new malware strain dubbed ZenRAT which is being distributed via bogus installation packages of the Bitwarden password manager. ZenRAT is a modular remote access trojan that comes with various modules designed to steal information from victims’ systems. Although researchers noted that ZenRAT is being hosted on fake websites pretending to be associated with Bitwarden, it’s unclear how end users are being directed to these sites.

New Zerofont Phishing Tricks Outlook Into Showing Fake AV-Scans

Threat actors are employing a novel tactic by incorporating zero-point fonts within emails, creating the illusion that malicious emails have undergone successful security scans in Microsoft Outlook. While the ZeroFont phishing method has been previously observed, its current application marks a significant development. ISC Sans analyst Jan Kopriva, in a recent report, cautions that this technique could greatly enhance the success rate of phishing attacks, underscoring the importance of user awareness regarding its deployment in real-world scenarios.

Shadowsyndicate Hackers Linked to Multiple Ransomware Ops, 85 Servers

Security researchers have identified ShadowSyndicate as a threat actor using seven ransomware families in attacks over the past year. They suggest it could be an initial access broker and affiliate to ransomware operations. Their findings are based on a distinct SSH fingerprint found on 85 IP servers, discovered using tools like Shodan and Censys. This fingerprint was first seen in July 2022 and still in use in August 2023. Researchers also found eight different Cobalt Strike watermarks on ShadowSyndicate servers.

BORN Ontario child registry data breach affects 3.4 million people

The Better Outcomes Registry & Network (BORN), a healthcare organization funded by the government of Ontario, has announced that it is among the victims of Clop ransomware's MOVEit hacking spree. BORN is a perinatal and child registry that collects, interprets, shares and protects critical data about pregnancy, birth and childhood in the province of Ontario.

Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals

Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin. ‘Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAVs service manuals have begun to surface," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

New Stealthy and Modular Deadglyph Malware Used in Govt Attacks

A highly advanced backdoor malware called 'Deadglyph' was recently employed in a cyber espionage operation targeting a Middle Eastern government agency. This sophisticated malware, known as Deadglyph, has been linked to the Stealth Falcon Advanced Persistent Threat (APT) group, also known as Project Raven or FruityArmor.

Is Gelsemium APT Behind a Targeted Attack in Southeast Asian Government?

Researchers at Kaspersky Lab have uncovered a new backdoor called "SessionManager" that has been used in attacks targeting Microsoft IIS Servers since March 2021. This backdoor allows threat actors to maintain persistent, update-resistant, and stealthy access to a targeted organization's IT infrastructure. It has been deployed in over 20 organizations, and as of late April 2022, many samples were not yet flagged as malicious by online file scanning services.

Dallas says Royal Ransomware Breached its Network Using Stolen Account

The City of Dallas, Texas, said this week that the Royal ransomware attack that forced it to shut down all IT systems in May started with a stolen account. Royal gained access to the City's network using a stolen domain service account in early April and maintained access to the compromised systems between April 7 and May 4. During this period, they successfully collected and exfiltrated 1.169 TB worth of files based on system log data analysis conducted by city officials and external cybersecurity experts.

Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape

Proofpoint has observed an increase in activity from specific malware families targeting Chinese-language speakers. Campaigns include Chinese-language lures and malware typically associated with Chinese cybercrime activity. Newly observed ValleyRAT is emerging as a new malware among Chinese-themed cybercrime activity, while Sainbox RAT and related variants are recently active as well.

Pro-Russia Hacker Group NoName Launched a DDoS Attack on Canadian Airports Causing Severe Disruption

Pro-Russia hacker group NoName is suspected of launching a DDoS cyberattack that caused significant disruptions at several Canadian airports. The attack affected check-in kiosks and electronic gates, leading to delays in the processing of arrivals at border checkpoints across the country. The Canada Border Services Agency (CBSA) confirmed the DDoS attack and is investigating the incident, assuring that no personal information has been compromised. No evidence of a data breach has been found at this time.

P2PInfect Botnet Activity Surges 600x with Stealthier Malware Variants

The P2PInfect botnet worm has entered a phase of significantly increased activity, with a notable surge observed from late August through September 2023. Initially documented by Unit 42 in July 2023, P2PInfect is categorized as a peer-to-peer malware that exploits a remote code execution vulnerability to breach Redis instances on internet-exposed Windows and Linux systems.

Cyber Group 'Gold Melody' Selling Compromised Access to Ransomware Attackers

A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant).

T-Mobile App Glitch Let Users See Other People's Account Info

Today, T-Mobile customers said they could see other peoples' account and billing information after logging into the company's official mobile application. According to user reports on social media, the exposed information included customers' names, phone numbers, addresses, account balances, and credit card details like the expiration dates and the last four digits.

GitLab Releases Urgent Security Patches for Critical Vulnerability

GitLab recently rolled out security updates to address a critical vulnerability impacting its enterprise edition. Tracked as CVE-2023-5009, the flaw could enable an attacker to run pipelines as an arbitrary user via scheduled security scan policies. As such, the actor could use elevated permissions of the impersonated user to further access sensitive information, modify source code, or even run arbitrary code on the targeted system.

Finnish Authorities Dismantle Notorious PIILOPUOTI Dark Web Drug Marketplace

Finnish law enforcement authorities have announced the takedown of PIILOPUOTI, a dark web marketplace that specialized in illegal narcotics trade since May 2022. ‘The site operated as a hidden service in the encrypted TOR network,’ the Finnish Customs (aka Tulli) said in a brief announcement on Tuesday. ‘The site has been used in anonymous criminal activities such as narcotics trade.’

Fake WinRAR Proof-of-Concept Exploit Drops VenomRAT Malware

Threat actors exploited a recently disclosed WinRAR vulnerability (CVE-2023-40477) by repurposing an older proof-of-concept (PoC) code. The Zero Day Initiative initially reported the WinRAR vulnerability to the vendor on June 8, 2023, but publicly disclosed it on August 17, 2023. Within four days of the public disclosure, an actor known as "whalersplonk" uploaded a fake PoC script to their GitHub repository.

Snatch Ransomware Alert

Snatch is a ransomware group primarily targeting Windows-based systems. They employ various tactics, including exploiting vulnerabilities, brute force attacks, and data exfiltration to compromise and extort victims. Snatch operates under a ransomware-as-a-service (RaaS) model and has targeted critical infrastructure sectors such as Defense Industrial Base (DIB), Food and Agriculture, and Information Technology.

ShroudedSnooper Threat Actors Target Telecom Companies in the Middle East

Telecommunications companies have increasingly become the focus of state-sponsored actors and advanced adversaries in recent years. In 2022, the telecommunications sector consistently ranked as one of the most targeted verticals in Talos IR (Incident Response) engagements. Telecom companies control critical infrastructure assets, which make them attractive targets for adversaries seeking to create significant disruptions.

Trend Micro Fixes Endpoint Protection Zero-day Used in Attacks

Trend Micro fixed a remote code execution zero-day vulnerability in the Trend Micro's Apex One endpoint protection solution that was actively exploited in attacks. Apex One is an endpoint security solution catering to businesses of all sizes, and the 'Worry-Free Business Security' suite is designed for small to medium-sized companies.

Earth Lusca Expands Arsenal with SprySocks Linux Malware

China-linked threat group Earth Lusca has deployed a new Linux malware called SprySOCKS in a recent cyber espionage campaign. Researchers at Trend Micro discovered this malware while tracking Earth Lusca's activities. SprySOCKS, based on an open-source Windows backdoor called Trochilus, was adapted for Linux. Earth Lusca continues to develop it, as evidenced by different versions detected.

Bumblebee Malware Returns in New Attacks Abusing WebDAV Folders

The malware loader 'Bumblebee' has broken its two-month vacation with a new campaign that employs new distribution techniques that abuse 4shared WebDAV services. WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that enables clients to perform remote authoring operations such as creating, accessing, updating, and deleting web server content.

Microsoft AI Researchers Accidentally Expose 38 Terabytes of Confidential Data

Microsoft on Monday said it took steps to correct a glaring security gaffe that led to the exposure of 38 terabytes of private data. The leak was discovered on the company's AI GitHub repository and is said to have been inadvertently made public when publishing a bucket of open-source training data, Wiz said. It also included a disk backup of two former employees' workstations containing secrets, keys, passwords, and over 30,000 internal Teams messages.

New AMBERSQUID Cryptojacking Operation Targets Uncommon AWS Services

A new cloud-native cryptojacking operation, known as AMBERSQUID, is targeting less common AWS services like AWS Amplify, AWS Fargate, and Amazon SageMaker for illicit cryptocurrency mining. Sysdig, a security firm, identified this campaign while analyzing 1.7 million Docker Hub images and attributed it to Indonesian attackers due to their use of the Indonesian language in scripts and usernames.

FBI Hacker USDOD Leaks Highly Sensitive TransUnion Data

“Researchers at vx-underground have uncovered a major data breach involving the hacker known as "USDoD," who leaked highly sensitive data from TransUnion, a leading consumer credit reporting agency. The breach exposed personal information of 58,505 individuals globally, including names, passport details, financial data, and more, dating back to March 2022.

Canadian Government Targeted With DDoS Attacks by Pro-Russia Group

The pro-Russian cybercrime group named NoName057(16) has been observed launching distributed denial-of-service (DDoS) attacks against Canadian organizations, a fresh government alert warns. Since March 2022, the threat actor – also known as NoName05716, 05716nnm or Nnm05716 – has been launching disruptive attacks in support of Russia’s invasion of Ukraine.

BlackCat Ransomware Hits Azure Storage with Sphynx Encryptor

The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage. While investigating a recent breach, Sophos X-Ops incident responders discovered that the attackers used a new Sphynx variant with added support for using custom credentials. After gaining access to the Sophos Central account using a stolen One-Time Password (OTP), they disabled Tamper Protection and modified the security policies

Iranian Hackers Breach Defense Orgs in Password Spray Attacks

Since February 2023, Microsoft has reported that an Iranian-backed threat group known as APT33 (or Peach Sandstorm, HOLMIUM, Refined Kitten) has been conducting password spray attacks against thousands of organizations in the U.S. and globally. These attacks involve attempting to access multiple accounts using a single or commonly used password, increasing the chances of success without triggering account lockouts.

ORBCOMM Ransomware Attack Causes Trucking Fleet Management Outage

Trucking and fleet management solutions provider ORBCOMM has confirmed that a ransomware attack is behind recent service outages preventing trucking companies from managing their fleets. ORBCOMM is a solutions provider for freight companies to manage fleets and track transported assets. The company also provides Electronic Logging Devices (ELD) that truckers use to log their hours to adhere to federal safety regulations.

NodeStealer Malware Now Targets Facebook Business Accounts on Multiple Browsers

An ongoing campaign is targeting Facebook Business accounts with bogus messages to harvest victims' credentials using a variant of the Python-based NodeStealer and potentially take over their accounts for follow-on malicious activities. ‘The attacks are reaching victims mainly in Southern Europe and North America across different segments, led by the manufacturing services and technology sectors.

Pirated Software Likely Cause of Airbus Breach

A major data breach at Airbus revealed earlier this week stemmed from a RedLine info-stealer likely hidden in a pirated copy of Microsoft software, according to researchers. The European aerospace giant said it has launched an investigation into the incident.

Enterprises Persist with Outdated Authentication Strategies

Despite authentication being a cornerstone of cybersecurity, risk mitigation strategies remain outdated, according to new research from Enzoic. With the attack surface expanding and the increasing sophistication of cyber threats, organizations are struggling to deliver secure and user-friendly authentication. The research uncovered that despite the emergence of modern strategies, most companies still rely on traditional approaches.

Scattered Spider Behind MGM Cyberattack, Targets Casinos

The "Scattered Spider" threat group is believed to be responsible for the cyberattack on MGM Resorts that occurred on September 10. This attack has left systems offline in over 30 hotels and casinos owned by the conglomerate worldwide, and the disruption continues even days later. As reported by Reuters, the Scattered Spider ransomware group, as identified by sources familiar with the situation, is believed to consist of young individuals based in the US and UK.

Russian Journalist's iPhone Compromised by NSO Group's Zero-Click Spyware

The iPhone belonging to Galina Timchenko, a prominent Russian journalist and critic of the government, was compromised with NSO Group's Pegasus spyware, a new collaborative investigation from Access Now and the Citizen Lab has revealed. The infiltration is said to have happened on or around February 10, 2023. Timchenko is the executive editor and owner of Meduza, an independent news publication based in Latvia.

Update Adobe Acrobat and Reader to Patch Actively Exploited Vulnerability

Adobe recently addressed a critical flaw in Acrobat and Reader that could enable actors to execute malicious code on targeted systems. Tracked as CVE-2023-26369, the vulnerability has been rated 7.8 out of 10 on the CVSS scale, indicating a high level of severity. According to the vendor, CVE-2023-26369 relates to an out-of-bounds write issue and can be exploited to execute arbitrary code via specially crafted PDF documents.

Suspected Ransomware Attack Hits Auckland Transport's Hop Cards

Auckland Transport's Hop card system has been hit by a suspected ransomware attack, leading to disruptions in card top-up services and limited functionality at customer service centers. The attack is under investigation, and there is no indication that personal or financial data has been compromised. Commuters can still use their cards to tag on and off, but online top-ups and services on the AT website are unavailable.

Kubernetes Flaws Could Lead to Remote Code Execution on Windows Endpoints

Akamai researchers recently discovered a high-severity vulnerability in Kubernetes tracked as CVE-2023-3676 (CVSS 8.8). This identification of this issue led to the discovery of two more vulnerabilities tracked as CVE-2023-3893, and CVE-2023-3955 (CVSS 8.8). All three vulnerabilities were caused by insecure function call and the lack of user input sanitization.

MetaStealer Malware is Targeting Enterprise macOS Users

A new strain of macOS malware is targeting enterprise users, as indicated by file names and content. Some versions of this malware, called MetaStealer, masquerade as Adobe files, while others use deceptive methods like password-protected ZIP files sent by fake clients. Once opened, these files reveal an app disguised as a PDF.

Ransomware Access Broker Steals Accounts via Microsoft Teams Phishing

Microsoft has reported a change in tactics by an initial access broker, previously associated with ransomware groups. This actor, identified as Storm-0324, has shifted its focus to Microsoft Teams phishing attacks as a means to infiltrate corporate networks. Storm-0324 is a financially motivated threat group with a history of deploying ransomware such as Sage and GandCrab in previous campaigns.

Rust-Written 3AM Ransomware: A Sneak Peek into a New Malware Family

A new ransomware family called 3AM has emerged in the wild after it was detected in a single incident in which an unidentified affiliate deployed the strain following an unsuccessful attempt to deliver LockBit (attributed to Bitwise Spider or Syrphid) in the target network. 3AM gets its name from the fact that it's referenced in the ransom note. It also appends encrypted files with the extension .threeamtime.

Microsoft September 2023 Patch Tuesday Fixes 2 Zero-Days, 59 Flaws

As part of the September Patch Tuesday, Microsoft addressed 59 flaws, including two zero-days that were exploited in attacks in the wild. In total, Microsoft released fixes for 3 Security Feature Bypass Vulnerabilities, 24 Remote Code Execution Vulnerabilities, 9 Information Disclosure Vulnerabilities, 3 Denial of Service Vulnerabilities, 5 Spoofing Vulnerabilities, and 5 Edge - Chromium Vulnerabilities.

Facebook Messenger Phishing Wave Targets 100K Business Accounts Per Week

Hackers use a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages to target Facebook business accounts with password-stealing malware. The attackers trick the targets into downloading a RAR/ZIP archive containing a downloader for an evasive Python-based stealer that grabs cookies and passwords stored in the victim's browser.

Google Fixes Another Chrome Zero-Day Bug Exploited in Attacks

Yesterday, Google released security updates to fix a critical zero-vulnerability in its Chrome web browser. Tracked as CVE-2023-4863, the flaw relates to a heap-based buffer overflow in the WebP image format. Successful exploitation of this issue could result in browser crashes or arbitrary code execution.

Cuba Ransomware Group Unleashes Undetectable Malware

Security researchers at Kaspersky have exposed the activities of the infamous ransomware group Cuba. In a recent advisory, Kaspersky revealed that this cyber-criminal gang has been targeting organizations across different industries worldwide. In December 2022, Kaspersky detected a suspicious incident on a client's system, which led to the discovery of three mysterious files triggering the komar65 library, also known as BUGHATCH.

Apple Backports BLASTPASS Zero-Day Fix to Older iPhones

Apple released security updates for older iPhones to fix a zero-day vulnerability tracked as CVE-2023-41064 that was actively exploited to infect iOS devices with NSO's Pegasus spyware. CVE-2023-31064 is a remote code execution flaw that is exploited by sending maliciously crafted images via iMessage.

'Redfly' Hackers Infiltrated Power Supplier's Network for 6 Months

An espionage threat group tracked as 'Redfly' hacked a national electricity grid organization in Asia and quietly maintained access to the breached network for six months. These new findings come from Symantec, who found evidence of ShadowPad malware activity in the organization's network between February 28 and August 3, 2023, along with keyloggers and specialized file launchers.

Microsoft Teams Phishing Attack Pushes Darkgate Malware

A recent phishing scheme has exploited Microsoft Teams messages as a means to distribute harmful attachments that deploy the DarkGate Loader malware. This campaign commenced in late August 2023, as phishing messages originating from two compromised external Office 365 accounts were observed, targeting various organizations. These accounts were employed to deceive Microsoft Teams users into downloading and launching a ZIP file titled "Alterations to the holiday calendar."

'Evil Telegram' Android apps on Google Play infected 60K with spyware

Several malicious Telegram clones for Android on Google Play were installed over 60,000 times, infecting people with spyware that steals user messages, contacts lists, and other data. The apps appear to be tailored for Chinese-speaking users and the Uighur ethnic minority, suggesting possible ties to the well-documented state monitoring and repression mechanisms. The apps were discovered by Kaspersky, who reported them to Google.

Ragnar Locker Claims Attack on Israel's Mayanei Hayeshua Hospital

The Ragnar Locker ransomware gang has claimed responsibility for an attack on Israel's Mayanei Hayeshua hospital, threatening to leak 1 TB of data allegedly stolen during the cyberattack. The cyberattack on Mayanei Hayeshua occurred in early August, disrupting the hospital's record-keeping system and preventing new patients from receiving care.

Ransomware Attack Wipes Out Four Months of Sri Lankan Government Data

Sri Lanka's government cloud system, Lanka Government Cloud (LGC), has fallen victim to a massive ransomware attack that began on August 26, 2023. The attack resulted in the encryption of LGC services and backup systems, affecting approximately 5,000 email addresses using the "gov[dot]lk" domain, including those of the Cabinet Office.

UK and US Sanction 11 Members of the Russia-Based TrickBot Gang

The United States, in coordination with the United Kingdom, sanctioned eleven more individuals who are members of the Russia-based Trickbot cybercrime group. The sanctions were provided by the U.S. Department of the Treasury’s Office of Foreign Assets Control. The sanctioned TrickBot members worked as administrators, managers, developers, and coders, who have materially supported the operations of the group. The group has been tied to Russian intelligence services and has targeted the U.S. government, companies and hospitals.

Mac Users Beware: Malvertising Campaign Spreads Atomic Stealer macOS Malware

A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called Atomic Stealer (or AMOS), indicating that it's being actively maintained by its author. An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer first came to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering features were detected in the wild, targeting gamers and cryptocurrency users.

Apple Discloses 2 New Zero-Days Exploited to Attack iPhones, Macs

Yesterday, Apple issued emergency security updates to address two zero-day flaws that were exploited in attacks targeting iPhone and Mac users. The vulnerabilities are being tracked as CVE-2023-41064 (discovered by Citizen Lab security researchers) and CVE-2023-41061 (discovered by Apple) and were found in the Image I/O and Wallet frameworks. CVE-2023-41064 relates to a validation issue in Wallet which can be exploite

Attackers Leverage Windows Advanced Installer to Drop Cryptocurrency Malware

Attackers operating from IP addresses in France, Luxembourg, and Germany have been utilizing the legitimate Windows tool, Advanced Installer, to create software packages that deliver cryptocurrency mining malware onto computers in various sectors. The malware payloads, as reported by Cisco Talos researchers on September 7, include the M3_Mini_RAT client stub. This remote access trojan enables the attackers to establish backdoors, download, and execute additional threats, including PhoenixMiner for Ethereum cryptocurrency mining and IOIMiner, a multi-coin mining threat.

Mirai Variant Infects Low-Cost Android TV Boxes for DDoS attacks

A variant of the Mirai malware botnet has been observed infecting affordable Android TV set-top boxes that are widely used for media streaming by millions of users. Dr. Web's antivirus team reports that this trojan represents a fresh iteration of the 'Pandora' backdoor, initially seen in 2015. The primary focus of this campaign is on economical Android TV boxes such as the Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3.

September Android updates Fix Zero-Day Exploited in Attacks

As part of the September 2023 Android security updates, Google addressed 33 vulnerabilities, including a high-severity zero-day that is actively being exploited in the wild. Tracked as CVE-2023-35674, the zero-day flaw impacts the Android Framework and could allow threat actors to escalate privileges on vulnerable devices without requiring user interaction or additional execution privileges

US and UK Sanction 11 TrickBot and Conti Cybercrime Gang Members

The USA and the United Kingdom have sanctioned eleven Russian nationals associated with the TrickBot and Conti ransomware cybercrime operations. The TrickBot malware operation launched in 2015 and focused on stealing banking credentials. However, over time, it developed into a modular malware that provided initial access to corporate networks for other cybercrime operations, such as Ryuk and, later, Conti ransomware operations.

China, North Korea Pursue New Targets While Honing Cyber Capabilities

China has developed a new capability using artificial intelligence to automatically generate images for influence operations in the United States and other democracies. These images aim to mimic U.S. voters across the political spectrum and create controversy along racial, economic, and ideological lines. Microsoft's Threat Analysis Center (MTAC) has observed China-affiliated actors using AI-generated visual media in campaigns that focus on politically divisive topics and denigrate U.S. political figures and symbols.

New Python Variant of Chaes Malware Targets Banking and Logistics Industries

Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes. ‘It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol,’ Morphisec said in a new detailed technical write-up shared with The Hacker News.

New BLISTER Malware Update Fueling Stealthy Network Infiltration Summary:

An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic. ‘New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments,’ Elastic Security Labs researchers Salim Bitam and Daniel Stepanic said in a technical report published late last month.

W3ll Phishing Kit Hijacks Thousands of Microsoft 365 Accounts, Bypasses MFA

An entity identified as W3LL created a phishing toolkit capable of evading multi-factor authentication and employed various tools to compromise over 8,000 corporate Microsoft 365 accounts. Over the course of ten months, security experts detected the utilization of W3LL's resources and infrastructure in the establishment of approximately 850 phishing campaigns, targeting login credentials for more than 56,000 Microsoft 365 accounts.

Smishing Triad Targeted USPS and US Citizens for Data Theft

The "Smishing Triad" cybercriminal group, believed to be Chinese-speaking, has been targeting individuals worldwide through a package tracking text scam sent via iMessage. Impersonating various postal services and government agencies, including the Royal Mail, New Zealand Postal Service, Correos, Postnord, Poste Italiane, and the Italian Revenue Service, the group aims to collect personal and payment information for identity theft and credit card fraud.

APT28 Cyberattack: Msedge as a Bootloader, TOR, and Mockbin[.]org/Website[.]hook Services as a Control Center

The government computer emergency response team of Ukraine, CERT-UA, recorded a targeted cyber attack against a critical energy infrastructure facility in Ukraine. To implement the malicious plan, an e-mail message with a fake sender address and a link to an archive, for example, "", was distributed. Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file "weblinks.cmd" to the victim's computer.

MITRE and CISA Release OT Attack Emulation Tool

A new open source tool designed to emulate cyber-attacks against operational technology (OT) has been released by MITRE and the US Cybersecurity and Infrastructure Security Agency (CISA). The MITRE Calder for OT is now publicly available as an extension to the open-source Caldera platform on GitHub.

Exploit released for critical VMware SSH auth bypass vulnerability

Summoning Team’s Sina Kheirkhah recently published a proof-of-concept exploit code for a critical SSH authentication bypass vulnerability in VMware’s Aria Operations for Networks analysis tool. Tracked as CVE-2023-34039, the vulnerability can be exploited by remote attackers to bypass SSH authentication on unpatched appliances and access the tool’s command line interface.

German financial agency site disrupted by DDoS attack since Friday

The German Federal Financial Supervisory Authority (BaFin) announced today that an ongoing distributed denial-of-service (DDoS) attack has been impacting its website since Friday. BaFin is Germany’s financial regulatory authority, part of the Federal Ministry of Finance, responsible for supervising 2,700 banks, 800 financial, and 700 insurance service providers.

Hackers Exploit MinIO Storage System to Breach Corporate Networks

Two recent vulnerabilities in MinIO have been exploited by threat actors to breach object storage systems. This access allows the actors to view private information, execute arbitrary code, and potentially take over servers. MinIO is a open-source storage service that is compatible with various cloud containers including Amazon S3.

Okta: Hackers Target IT Help Desks to Gain Super Admin, Disable MFA

Researchers at Okta issued a warning regarding social engineering attacks directed at IT service desk agents serving U.S.-based clients. The aim of these attacks was to deceive these agents into resetting multi-factor authentication (MFA) for users with elevated privileges. The attackers' ultimate objective was to gain control of Okta Super Administrator accounts, which have extensive privileges. This access would enable them to exploit identity federation functionalities, permitting impersonation of users within the compromised organization.

North Korean Hackers Behind Malicious VMConnect PyPI Campaign

North Korean state-sponsored hackers are behind the VMConnect campaign that uploaded to the PyPI (Python Package Index) repository malicious packages, one of them mimicking the VMware vSphere connector module vConnector. The packages were uploaded at the beginning of August, with one named VMConnect targeting IT professionals seeking virtualization tools.

WordPress Migration Add-on Flaw Could Lead to Data Breaches

Researchers found a vulnerability in the widely-used plugin, All-in-One WP Migration, employed for migrating WordPress sites, and having an active user base of 5 million. This vulnerability involves unauthorized manipulation of access tokens, potentially granting attackers access to sensitive site data. All-in-One WP Migration is a user-friendly tool tailored for WordPress site migration.

Paramount Discloses Data Breach Following Security Incident

American entertainment giant Paramount Global disclosed a data breach after its systems got hacked and attackers gained access to personally identifiable information (PII). Paramount said in breach notification letters signed by Nickelodeon Animation Studio EVP Brian Keane sent to affected individuals that the attackers had access to its systems between May and June 2023.

Cisco VPNs with No MFA Enabled Hit by Ransomware Groups

Since March 2023 (and possibly even earlier), affiliates of the Akira and LockBit ransomware operators have been breaching organizations via Cisco ASA SSL VPN appliances, “In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we’ve observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups),” Rapid7 researchers said on Tuesday.

How to Prevent ChatGPT From Stealing Your Content & Traffic

ChatGPT and similar large language models (LLMs) have added further complexity to the ever-growing online threat landscape. Cybercriminals no longer need advanced coding skills to execute fraud and other damaging attacks against online businesses and customers, thanks to bots-as-a-service, residential proxies, CAPTCHA farms, and other easily accessible tools.

Easy-to-Exploit Skype Vulnerability Reveals Users’ IP Address

A vulnerability in Skype mobile apps can be exploited by attackers to discover a user’s IP address – a piece of information that may endanger individuals whose physical security depends on their general location remaining secret. The security vulnerability has been discovered by a security researcher named Yossi, who privately reported it to Microsoft and demonstrated its effective exploitation to journalist Joseph Cox.

Spain Warns of LockBit Locker Ransomware Phishing Attacks

The Spanish National Police has issued an alert about an active ransomware campaign known as 'LockBit Locker,' which is currently targeting architecture firms in the country using phishing emails. According to the translated police statement, a series of emails have been identified as being sent to architecture companies.

Four in Five Cyber-Attacks Powered by Just Three Malware Loaders

Researchers from ReliaQuest found that cybercriminals relied primarily on seven different malware loaders to carry out attacks in the first half of 2023. QakBot, SocGholish, and Raspberry Robin were the most commonly used loaders, accounting for roughly 80% of all intrusions. GootLoader, ChromeLoader, Guloader, and Ursnif were also commonly seen.

MalDoc in PDFs: Hiding Malicious Word Docs in PDF Files

Japan's computer emergency response team (JPCERT) is sharing a new 'MalDoc in PDF' attack detected in July 2023 that bypasses detection by embedding malicious Word files into PDFs. The file sampled by JPCERT is a polyglot recognized by most scanning engines and tools as a PDF, yet office applications can open it as a regular Word document (.doc). Polyglots are files that contain two distinct file formats that can be interpreted and executed as more than one file type, depending on the application reading/opening them.

Microsoft: Stealthy Flax Typhoon Hackers Use Lolbins to Evade Detection

Microsoft has detected a new hacking collective referred to as Flax Typhoon. This group focuses on government bodies, educational institutions, vital manufacturing units, and IT organizations, presumably with the aim of espionage. The attackers avoid heavy usage of malware for infiltrating and controlling victim networks. Instead, they opt for utilizing existing components within the operating system, often referred to as living-off-the-land binaries (LOLBins), along with legitimate software.

KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities

An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface. ‘The binary now includes support for Telnet scanning and support for more CPU architectures,’ Akamai security researcher Larry W. Cashdollar said in an analysis published this month. The latest iteration, observed since July 16, 2023, comes months after it emerged that the botnet is being offered as a DDoS-for-hire service to other threat actors.

Rhysida Claims Ransomware Attack On Prospect Medical, Threatens to Sell Data

The Rhysida ransomware group recently claimed responsibility for a cyberattack targeting Prospect Medical Holdings, a US healthcare company operating 16 hospitals in California, Connecticut, Pennsylvania, and Rhode Island and a network of 166 outpatient clinics and centers. The attack allegedly took place on August 3rd, with employees finding ransom notes on their systems stating that their network was hacked and devices had been encrypted. Due to the attack, the hospitals were forced to shut down their IT networks to mitigate the impact, causing employees to use paper charts.

Poland’s Authorities Investigate a Hacking Attack on Country’s Railways

Poland's Internal Security Agency (ABW) and national police are investigating a hacking attack on the country's state railway network. The attack disrupted railway traffic overnight and triggered an emergency status that stopped trains near the city of Szczecin. The attack is suspected to be part of broader destabilization efforts by Russia, possibly in conjunction with Belarus.

New Study Sheds Light on Adhubllka Ransomware Network

Cybersecurity experts have revealed an intricate network of interconnected ransomware types that all stem from a shared origin: the Adhubllka ransomware group. Netenrich, a cybersecurity firm, conducted a study exploring the lineage of various ransomware versions, such as LOLKEK, BIT, OBZ, U2K, and TZW. The researchers discovered significant resemblances in code, tactics, and infrastructure among these apparently distinct ransomware types. By tracking the evolution of these variants, the experts established a genealogical link connecting them to the original Adhubllka ransomware, which emerged in January 2020.

New Telegram Bot "Telekopye" Powering Large-scale Phishing Scams from Russia

A new financially motivated operation is leveraging a malicious Telegram bot to help threat actors scam their victims. Dubbed Telekopye, a portmanteau of Telegram and kopye (meaning "spear" in Russian), the toolkit functions as an automated means to create a phishing web page from a premade template and send the URL to potential victims, codenamed Mammoths by the criminals.

Jupiter X Core WordPress plugin could let hackers hijack sites

WordPress security company Patchstack discovered two critical vulnerabilities affecting Jupiter X Core, a premium visual editor plugin for setting up Wordpress and WooCommerce websites. The first flaw tracked as CVE-2023-38388, allows unauthenticated threat actors to upload files, which could lead to arbitrary code execution on the server.

Whiffy Recon Malware: New Threat Analysis and Insights

Researchers from Secureworks Counter Threat Unit (CTU) have identified a new Wi-Fi scanning malware named Whiffy Recon, which has been dropped by the Smoke Loader botnet. This malicious code employs nearby Wi-Fi access points as reference points for Google's geolocation API to triangulate the positions of infected systems.

Ransomware Hackers' Dwell Time Drops to 5 Days, RDP Still Widely Used

Ransomware threat actors are reducing the time they spend within compromised networks before being detected by security solutions. In the first half of this year, the median dwell time for these hackers decreased to five days from nine days in 2022. However, the overall median dwell time for all cyberattacks dropped to eight days from ten in 2022, indicating a general trend of quicker detection. Ransomware attacks constituted nearly 69% of all recorded cyberattacks during this period.

FBI Identifies Wallets Holding Cryptocurrency Funds Stolen by North Korea Summary:

The FBI in the United States issued a cautionary notice regarding the potential efforts of threat actors associated with North Korea to convert pilfered cryptocurrency, totaling over $40 million in value. In a disclosure, the Federal Bureau of Investigation outlined the actions of six cryptocurrency wallets operated by entities connected to North Korea. These wallets possess approximately 1,580 Bitcoin, equivalent to around $41 million based on current valuations. Authorities suspect these funds are connected to the recent heist of a substantial sum of cryptocurrency, amounting to hundreds of millions of dollars.

Russian Toolkit Aims to Make Online Scamming Easy for Anyone

A toolkit possibly developed by Russian individuals, known as Telekopye to security experts, aims to let fraudsters focus on refining their social engineering skills, freeing them from the technical aspects of online scams. Eset researchers uncovered a tool they named Telekopye, derived from the combination of "Telegram" and "kopye," the Russian word for spear.

Over 3,000 Openfire Servers Vulnerable to Takover Attacks

Thousands of Openfire servers remain vulnerable to CVE-2023-32315, an actively exploited and path traversal vulnerability that allows an unauthenticated user to create new admin accounts. Openfire is a widely used Java-based open-source chat (XMPP) server downloaded 9 million times. On May 23, 2023, it was disclosed that the software was impacted by an authentication bypass issue that affected version 3.10.0, released in April 2015, until that point.

Hosting Firm Says it Lost All Customer Data After Ransomware Attack

Danish hosting firms CloudNordic and AzeroCloud recently disclosed that they suffered from a ransomware attack, causing the firms to lose a majority of customer data and shut down all systems, including websites, emails, and customer sites. Since the attack took place last Friday, IT teams have only managed to restore some of the servers without any data, with CloudNordic stating that the restoration process isn’t going smoothly and that many of their customers’ data seems irrecoverable.

FBI: Patches for Recent Barracuda ESG Zero-Day Ineffective

The Barracuda Email Security Gateway (ESG) vulnerability, identified as CVE-2023-2868, has been exploited by a Chinese state-sponsored cyberespionage group named UNC4841. This vulnerability affects Barracuda ESG versions to, enabling attackers to perform command injections via specially crafted TAR file attachments in emails. Despite Barracuda's patch release in May 2023, the FBI has found that the patches are ineffective, and the vulnerability remains actively exploited.

A North Korean State-Backed Hacking Group Leveraged Zoho's ManageEngine ServiceDesk for Compromrise

The North Korean state-backed hacker group Lazarus has been exploiting a critical vulnerability (CVE-2022-47966) in Zoho's ManageEngine ServiceDesk software to compromise an internet backbone infrastructure provider and healthcare organizations. This campaign began in early 2023, targeting entities in the U.S. and U.K. The attackers employed the QuiteRAT malware and a newly identified remote access trojan (RAT) named CollectionRAT. The latter was discovered through the analysis of the group's infrastructure.

Scarab Ransomware Deployed Worldwide Via Spacecolon Toolset

ESET researchers found the Spacecolon toolkit spreading Scarab ransomware across global organizations. It exploits weak web servers or RDP credentials for entry, with Turkish elements hinting at a Turkish-speaking developer. Spacecolon dates back to May 2020, with ongoing campaigns and a recent May 2023 build. ESET hasn’t linked it to any known group naming it “CosmicBeetle”.

Akira Ransomware Targets Cisco VPNs to Breach Organizations Summary:

There's mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal, and eventually encrypt data. Akira ransomware is a relatively new ransomware operation launched in March 2023, with the group later adding a Linux encryptor to target VMware ESXi virtual machines.

WinRAR Zero-Day Exploited Since April to Hack Trading Accounts

According to Group-IB a WInRaR zero-day vulnerability was actively exploited to install malware when clicking on harmless files in an archive, allowing hackers to breach online cryptocurrency trading accounts. Tracked as CVE-2023-38831, the vulnerability is triggered by creating specially crafted archives with a slightly modified structure compared to safe files, which causes WinRAR's ShellExecute function to receive an incorrect parameter when it attempts to open the decoy file.

Scraped data of 2.6 million Duolingo users released on hacking forum

The scraped data of 2.6 million DuoLingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks using the exposed information. Duolingo is one of the largest language learning sites in the world, with over 74 million monthly users worldwide. In January 2023, someone was selling the scraped data of 2.6 million DuoLingo users on the now-shutdown Breached hacking forum for $1,500. This data includes a mixture of public login and real names, and non-public information, including email addresses and internal information related to the DuoLingo service.

Ivanti Warns of New Actively Exploited MobileIron Zero-Day Bug

US based software company Ivanti has issued a warning to its customers about an ongoing exploitation of a critical Sentry API authentication bypass vulnerability. The vulnerability affects Ivanti Sentry, which serves as a gatekeeper for enterprise ActiveSync and Sharepoint servers, as well as a Kerberos Key Distribution Center Proxy server. The cybersecurity firm Mnemonic discovered the vulnerability (CVE-2023-38035), allowing unauthorized attackers to access sensitive admin portal configuration APIs through port 8443 used by Mobile Iron Configuration Service (MICS).

Carderbee Hacking Group Hits Hong Kong Orgs in Supply Chain Attack

An undisclosed Advanced Persistent Threat (APT) hacking collective known as 'Carderbee' has been detected launching assaults on various institutions situated in Hong Kong and other parts of Asia. This group employs authentic software to infiltrate victims' machines with the PlugX malware. According to findings from Symantec, the legitimate software involved in this supply chain breach is Cobra DocGuard, designed by the Chinese developer 'EsafeNet.' This software is typically employed in security applications for tasks like data encryption and decryption.

Sneaky Amazon Google ad leads to Microsoft support scam

A legitimate-looking ad for Amazon in Google search results redirects visitors to a Microsoft Defender tech support scam that locks up their browser. Today, BleepingComputer was alerted to what appeared to be a valid advertisement for Amazon in the Google search results. The advertisement shows Amazon's legitimate URL, just like in the company's typical search result.

New Variant of XLoader macOS Malware Disguised as 'OfficeNote' Productivity App

A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called ‘OfficeNote.’ ‘The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg, SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis.

Cuba Ransomware Uses Veeam Exploit Against Critical U.S. Organizations

The Cuba ransomware group has been observed launching attacks against critical infrastructure organizations in the US and IT firms in Latin America. They utilize a mix of both old and new tools. In early June 2023, Blackberry’s Threat Research and Intelligence Team identified this recent campaign. They have noted that Cuba now uses CVE-2023-27543 to extract credentials from configuration files.

HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack

The threat actors behind the HiatusRAT malware have returned from their hiatus with a new wave of reconnaissance and targeting activity aimed at Taiwan-based organizations and a U.S. military procurement system. Besides recompiling malware samples for different architectures, the artifacts are said to have been hosted on new virtual private servers (VPSs), Lumen Black Lotus Labs said in a report published last week.

Interpol Arrests 14 Suspected Cybercriminals For Stealing $40 Million

An international law enforcement operation led by Interpol has led to the arrest of 14 suspected cybercriminals in an operation codenamed 'Africa Cyber Surge II,' launched in April 2023. The four-month operation spanned 25 African countries and disrupted over 20,000 cybercrime networks engaged in extortion, phishing, BEC, and online scams, responsible for financial losses of over $40,000,000.

Alarming Lack of Cybersecurity Practices on World’s Most Popular Websites

The Cybernews research team delved into an often overlooked aspect of website security—HTTP security headers. These headers guide browsers in interacting with web pages, defending against cyber threats. They studied the top 100 sites, including Pinterest, IMDB, and Facebook. Results revealed many popular websites lacking crucial security measures, raising concerns for both site owners and users.

Google Chrome's New Feature Alerts Users About Auto-Removal of Malicious Extensions

Google has announced plans to add a new feature in the upcoming version of its Chrome web browser to alert users when an extension they have installed has been removed from the Chrome Web Store. The feature, set for release alongside Chrome 117, allows users to be notified when an add-on has been unpublished by a developer, taken down for violating Chrome Web Store policy, or marked as malware.

New Wave of Attack Campaign Targeting Zimbra Email Users for Credential Theft

A new "mass-spreading" social engineering campaign is targeting users of the Zimbra Collaboration email server with an aim to collect their login credentials for use in follow-on operations. The activity, active since April 2023 and still ongoing, targets a wide range of small and medium businesses and governmental entities, most of which are located in Poland, Ecuador, Mexico, Italy, and Russia.

Monti Ransomware Targets VMware ESXi Servers With New Linux Locker

The Monti ransomware gang has returned, after a two-month break from publishing victims on their data leak site, using a new Linux locker to target VMware ESXi servers, legal, and government organizations. Researchers at Trend Micro analyzing the new encryption tool from Monti found that it has ‘significant deviations from its other Linux-based predecessors.

Credentials for Cybercrime Forums Found on Roughly 120K Computers Infected with Info Stealers

Hudson Rock, a threat intelligence firm, uncovered cybercrime forum credentials on about 120,000 computers infected with various info-stealer malware. These compromised computers, spanning from 2018 to 2023, were largely owned by threat actors themselves. The analysis of over 14.5 million infected computers revealed hackers' identities through additional credentials, autofill data, and system info.

Almost 2,000 Citrix NetScaler servers backdoored in hacking campaign

As part of a joint effort with Dutch Institute of Vulnerability Disclosure (DIVD), researchers at cybersecurity company Fox-IT (NCC Group) have uncovered a large-scale campaign that planted webshells on Citrix Netscaler servers vulnerable to CVE-2023-3519, a critical remote code execution flaw that was patched on July 18. By scanning the internet, they uncovered 2491 webshells across 1952 distinct NetScaler servers, which made up 6% of all Netscalers (31,127) vulnerable to CVE-2023-3519, on a global scale, as of July 21, 2023.

Major U.S. Energy Org Targeted in QR Code Phishing Attack

A phishing campaign was observed predominantly targeting a notable energy company in the US, employing QR codes to slip malicious emails into inboxes and bypass security. Roughly one-third (29%) of the 1,000 emails attributed to this campaign targeted a large US energy company, while the remaining attempts were made against firms in manufacturing (15%), insurance (9%), technology (7%), and financial services (6%). According to Cofense, who spotted this campaign, this is the first time that QR codes have been used at this scale, indicating that more phishing actors may be testing their effectiveness as an attack vector.

LinkedIn Accounts Hacked in Widespread Hijacking Campaign

Linkedin is facing a surge of account breaches, leading to numerous accounts being either locked for security concerns or seized by malicious actors. According to a recent report from Cyberint, numerous LinkedIn users have expressed frustration over compromised accounts or access issues, with attempts to address these problems through LinkedIn support. Although, LinkedIn’s support response time has lengthened, no official statement has been made yet.

File Sharing Site Anonfiles Shuts Down Due to Overwhelming Abuse

Anonfiles, a popular service for sharing files anonymously, has shut down after saying it can no longer deal with the overwhelming abuse by its users. Anonfiles is an anonymous file-sharing site that allows people to share files anonymously without their activity being logged. However, it soon became one of the most popular file-sharing services used by threat actors to share samples of stolen data, stolen credentials, and copyrighted material. F

Cleaning Products Manufacturer Clorox Company Took Some Systems Offline After a Cyberattack

The Clorox Company, a prominent multinational consumer goods firm known for its household and professional cleaning, health, and personal care products, recently faced a cybersecurity breach that compelled them to take specific systems offline. Detecting unauthorized activity on their Information Technology (IT) systems, Clorox swiftly initiated measures to halt and rectify the situation, including offline system shutdowns, as stated in an 8-K filing.

Raccoon Stealer Malware Returns With New Stealthier Version

The resurgence of the Raccoon Stealer malware is marked by the release of version 2.3.0 after a 6-month hiatus. Raccoon Stealer is a well-known information-stealing malware that has been active since 2019, offered to threat actors through a subscription model at $200 per month. The malware targets over 60 applications to collect sensitive data such as login credentials, credit card details, browsing history, cookies, and cryptocurrency wallets.

Massive 400,000 Proxy Botnet Built With Stealthy Malware Infections

Researchers have discovered a widespread operation that distributed proxy server applications to over 400,000 Windows systems. These devices function as residential exit nodes without obtaining users’ permission, and a company is making money by charging for the proxy traffic that passes through these machines. Threat actors find residential proxies useful for carrying out extensive credential stuffing attacks using new IP addresses.

QwixxRAT: A New Windows RAT Emerges in the Threat Landscape

The Uptycs Threat Research team discovered the QwixxRAT (aka Telegram RAT) in early August 2023 while it was advertised through Telegram and Discord platforms. According to the experts, QwixxRAT is meticulously designed to steal a broad range of information, including data from browser histories, credit card details, screenshots, and keystrokes.

Multiple Flaws Uncovered in Data Center Systems

Multiple vulnerabilities have been discovered in data center power management systems and supply technologies, enabling unauthorized access and remote code injection by threat actors. These vulnerabilities can be exploited to gain full access to data center systems, perform remote code injection, and create backdoors, potentially compromising connected devices and the broader network. The vulnerabilities were found in CyberPower's PowerPanel Enterprise Data Center Infrastructure Management platform and Dataprobe's iBoot Power Distribution Unit.

Threat Actors Use Beta Apps to Bypass Mobile App Store Security

The FBI has raised an alert about a new strategy employed by cybercriminals. They are now pushing harmful “beta” editions of cryptocurrency investment applications on widely used mobile app stores. These apps are subsequently exploited to pilfer cryptocurrency. The perpetrators introduce these harmful apps to the mobile app stores under the guise of “beta” versions.

Ongoing Xurum Attacks on E-commerce Sites Exploiting Critical Magento 2 Vulnerability

E-commerce sites using Adobe's Magento 2 software are the target of an ongoing campaign that has been active since at least January 2023. The attacks, dubbed Xurum by Akamai, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution. ‘The attacker seems to be interested in payment stats from the orders in the victim's Magento store placed in the past 10 days,’ Akamai researchers said in an analysis published last week, attributing the campaign to actors of Russian origin.

Almost All VPNs Are Vulnerable to Traffic-Leaking TunnelCrack Attacks

Researchers from New York University, New York University Abu Dhabi, and KU Leuven University have discovered several vulnerabilities affecting most VPN products that can be exploited by attackers to read user traffic, steal user information, or attack user devices. The attacks, known as TunnelCrack attacks, are independent of the VPN protocol being used and can reveal which websites a user is visiting, posing a significant privacy risk even if the user is using additional encryption such as HTTPS.

MaginotDNS Attacks Exploit Weak Checks for DNS Cache Poisoning

Researchers from UC Irvine and Tsinghua University have introduced a cache poisoning attack named 'MaginotDNS' that targets Conditional DNS (CDNS) resolvers, potentially compromising entire top-level domains (TLDs). This attack capitalizes on security inconsistencies in various DNS software and server modes, rendering around one-third of CDNS servers vulnerable.

Count of Organizations Affected by MOVEit Attacks Hits 637

A cyberattack on MOVEit file-transfer servers since late May has affected over 637 organizations. German cybersecurity company KonBriefing reported this number. It includes groups directly hacked through their MOVEit servers and others connected to users of Progress Software's file-transfer tool. The Clop ransomware group, thought to be Russian, is behind the attacks. They've taken data with personal details of about 41 million people.

New SystemBC Malware Variant Targets Southern African Power Company

An unknown threat actor has been linked to a cyber attack on a power generation company in southern Africa with a new variant of the SystemBC malware called DroxiDat as a precursor to a suspected ransomware attack. ‘The proxy-capable backdoor was deployed alongside Cobalt Strike Beacons in a south African nation's critical infrastructure,’ Kurt Baumgartner, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT), said.

New Statc Stealer Malware Emerges: Your Sensitive Data at Risk

Researchers at Zscaler recently disclosed details of a new information-stealing malware dubbed Statc Stealer that has been observed infecting Windows devices. Written in the C++ programming language, Statc Stealer is capable of performing filename discrepancy checks to prevent sandbox detection and reverse engineering analysis by security professionals.

Lapsus$ Hackers Took SIM-swapping Attacks to the Next Level

The U.S. government released a report after analyzing simple techniques, e.g. SIM swapping, used by the Lapsus$ extortion group to breach dozens of organizations with a strong security posture. Reviewing the group’s operations started in December last year following a long trail of incidents attributed to or claimed by Lapsus$ after leaking proprietary data from alleged victims.

Rhysida Ransomware Analysis Reveals Vice Society Connection

The newly surfaced Rhysida ransomware faction has swiftly become a concerning addition to the growing threat landscape. Its involvement in a series of impactful assaults since its emergence in May of this year has been linked to the well-known Vice Society ransomware group, which has been operating since 2021. Among the entities targeted by Rhysida are the Chilean Army and Prospect Medical Holdings. In a recent incident, the group’s attack had a far reaching impact, affecting 17 hospitals and 166 clinics across the United States.

Missouri Warns That Health Info Was Stolen in IBM MOVEit Data Breach

This week, the Missouri Department of Social Services (DSS) disclosed that Medicaid healthcare information was potentially exposed after IBM suffered a data breach. The attack was carried out by the Clop ransomware gang, which has been hacking vulnerable MOVEit Transfer servers worldwide by exploiting a SQL injection vulnerability (CVE-2023-34362) in the file transfer solution.

NIST Expands Cybersecurity Framework with New Pillar

The US National Institute of Standards and Technology (NIST) has released a new draft version of its popular best practice security framework, designed to expand its scope and provide more guidance on implementation. The NIST Cybersecurity Framework (CSF) 2.0 is the first refresh since it was launched in 2014. It is designed to help organizations “understand, reduce and communicate about cybersecurity risk,” the standards body said.

Evilproxy Phishing Campaign Targets 120,000 Microsoft 365 Users

EvilProxy has emerged as a widely used phishing platform for attacking MFA-secured accounts. According to Proofpoint’s recent findings, over 120,000 phishing emails have been sent to more than a hundred organizations in an attempt to compromise Microsoft 365 accounts. Proofpoint’s research highlights a significant increase in successful cloud account takeovers, especially affecting top-level executives, over the last five months.

Microsoft August 2023 Patch Tuesday Warns of 2 Zero-Days, 87 Flaws Summary:

As part of the August Patch Tuesday, Microsoft patched 87 flaws, two of which were actively exploited zero-days. In total, the tech giant released fixes for 18 Elevation of Privilege vulnerabilities, 3 Security Feature Bypass vulnerabilities, 23 Remote Code Execution vulnerabilities, 10 Information Disclosure vulnerabilities, 8 Denial of Service vulnerabilities, and 12 Spoofing vulnerabilities.

Notorious Phishing-as-a-Service Platform Shuttered

A phishing-as-a-service (PaaS) platform which may have been responsible for over 150,000 phishing domains has been taken offline after an Interpol-led operation, the policing group said. Interpol teamed up with investigators in Indonesia, Japan and the US and industry partners the Cyber Defense Institute, Group-IB, Palo Alto Networks Unit 42, Trend Micro and Cybertoolbelt to make the arrests.

LockBit Threatens to Leak Medical Data of Cancer Patients Stolen from Varian Medical Systems

The LockBit ransomware group has claimed responsibility for hacking Varian Medical Systems, a healthcare company that designs and manufactures medical devices and software for cancer treatment. The group threatens to leak medical data belonging to cancer patients. Varian Medical Systems operates globally and is owned by Siemens Healthineers, generating significant revenue.

Google Play Apps With 2.5M Installs Load Ads When Screen's Off

The Google Play store was infiltrated by 43 Android applications with 2.5 million installs that secretly displayed advertisements while a phone's screen was off, running down a device's battery. McAfee's Mobile Research Team discovered the malicious Android apps and reported them to Google as they violated Google Play Store's policies.

North Korean Hackers ‘Scarcruft’ Breached Russian Missile Maker

The cyberattack on the IT systems and email server of NPO Mashinostroyeniya, a Russian organization specializing in space rocket design and intercontinental ballistic missile engineering, has been attributed to the North Korean state sponsored hacking group ScarCruft. This group has a history of engaging in cyber activities with links to various targets.

Researchers Uncover New High-Severity Vulnerability in PaperCut Software

Horizon3 researchers recently disclosed a new high-severity vulnerability in PaperCut print management software for Windows that could result in remote code execution in certain configurations. Tracked as CVE-2023-39143, the flaw impacts PaperCut NG/MF prior to version 22.1.3. A successful exploit of CVE-2023-39143 could potentially allow unauthenticated attackers to read, delete, and upload arbitrary files to the PaperCut MF/NG application server.

Colorado Department of Higher Education Warns of Massive Data Breach

The Colorado Department of Higher Education (CDHE) discloses a massive data breach impacting students, past students, and teachers after suffering a ransomware attack in June. In a 'Notice of Data Incident' published on the CDHE website, the Department says they suffered a ransomware attack on June 19th, 2023. When ransomware gangs breach an organization, they quietly spread through a network while stealing sensitive data and files from computers and servers.

Clop Ransomware Now Uses Torrents to Leak Data and Evade Takedowns

The Clop ransomware gang has changed their extortion approach once more, now employing torrents to release the data they stole during MOVEit attacks. The ransomware gang started extorting victims on June 14 by gradually adding names to their Tor data leak site and eventually making the files public. However, the slow download speed on Tor sites limited the potential damage.

Russian Hacktivists Overwhelm Spanish Sites With DDoS

A leading Spanish research institute has become the latest organization in the country to come under cyber-attack from Russia, after a weeks-long DDoS campaign that appears to be geopolitically motivated. Local reports claimed that prolific hacktivist group NoName057 is responsible for the DDoS blitz, which impacted at least 72 websites between July 19 and 30.

New Acoustic Attack Steals Data from Keystrokes with 95% Accuracy

A team of researchers from British universities has developed a deep learning model called 'CoAtNet' that can perform acoustic attacks by stealing data from keyboard keystrokes recorded using a microphone. The model achieved an alarming accuracy of 95% in predicting the keystrokes, showcasing the potential danger of sound-based side-channel attacks. The study reveals that even when using platforms like Zoom for training, the prediction accuracy only dropped slightly to 93%, which is still a significant threat.

OT/IoT Malware Surges Tenfold in First Half of the Year

Malware-related cyber-threats in operational technology (OT) and Internet of Things (IoT) environments jumped tenfold year-on-year in the first six months of 2023, according to Nozomi Networks. In their latest “OT & IoT Security Report” the researchers shared ICS vulnerabilities, data from IoT honeypots and attack statistics from OT environments. “Specific to malware, denial-of-service (DoS) activity remains one of the most prevalent attacks against OT systems,” the vendor explained in a blog post announcing the report.

Hackers Use New Malware to Breach Air-gapped Devices in Eastern Europe

Chinese state-sponsored hackers have been targeting industrial organizations with new malware that can steal data from air-gapped systems. Air-gapped systems typically fulfill critical roles and are isolated from the enterprise network and the public internet either physically or through software and network devices. Researchers at cybersecurity company Kaspersky discovered the new malware and attributed it to the cyber-espionage group APT31, a.k.a. Zirconium.

Ransomware Attacks on Industrial Organizations Doubled in Past Year: Report

The number of ransomware attacks targeting industrial organizations and infrastructure has doubled since the second quarter of 2022, according to data from industrial cybersecurity firm Dragos. In a report analyzing data from the second quarter of 2023, Dragos said it saw 253 ransomware incidents, up 18% from the first quarter of 2023, when it observed 214 attacks.

Hackers Steal Signal, WhatsApp User Data With Fake Android Chat App

Hackers are using a fake Android app named 'SafeChat' to infect devices with spyware malware that steals call logs, texts, and GPS locations from phones. The Android spyware is suspected to be a variant of "Coverlm," which steals data from communication apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger. CYFIRMA researchers say the Indian APT hacking group 'Bahamut' is behind the campaign, with their latest attacks conducted mainly through spear phishing messages on WhatsApp that send the malicious payloads directly to the victim.

Experts Discovered a Previously Undocumented Initial Access Vector Used by P2PInfect Worm

In July, researchers from Palo Alto Networks Unit 42 discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers on Linux and Windows systems. P2PInfect is written in Rust and exploits the CVE-2022-0543 vulnerability to gain initial access. It establishes P2P communication to the network and has been found on over 307,000 unique public Redis systems in the past two weeks, with 934 possibly vulnerable. The worm's goal and the threat actors behind it remain unclear.

Cybercriminals Train AI Chatbots for Phishing, Malware Attacks

In the wake of WormGPT, a ChatGPT clone trained on malware-focused data, a new generative artificial intelligence hacking tool called FraudGPT has emerged, and at least another one is under development that is allegedly based on Google's AI experiment, Bard. Both AI-powered bots are the work of the same individual, who appears to be deep in the game of providing chatbots trained specifically for malicious purposes ranging from phishing and social engineering, to exploiting vulnerabilities and creating malware.

Experts Warn Attackers Started Exploiting Citrix ShareFile RCE Flaw CVE-2023-24489

Citrix ShareFile is a widely used cloud-based file-sharing application, which is affected by the critical remote code execution (RCE) tracked as CVE-2023-24489 (CVSS score of 9.1). The flaw impacts the customer-managed ShareFile storage zones controller, an unauthenticated, remote attacker can trigger the flaw to compromise the controller by uploading arbitrary file or executing arbitrary code.

CISA: New Submarine Malware Found on Hacked Barracuda ESG Appliances

In May, Network and email security firm Barracuda disclosed that a recently patched remote command injection zero-day vulnerability had been exploited since October 2022 to gain access to a subset of its Email Security Gateway appliances. The flaw tracked as CVE-2023-2868, was further exploited to deploy previously unknown malware dubbed Saltwater and SeaSpy as well as a malicious tool called SeaSide to establish reverse shells for easy remote access. In light of the attacks, Barracuda offered replacement devices to all affected customers at no charge.

Linux Version of Abyss Locker Ransomware Targets VMware ESXi Servers

The Abyss Locker operation is the latest to develop a Linux encryptor to target VMware's ESXi virtual machines platform in attacks on the enterprise. As the enterprise shifts from individual servers to virtual machines for better resource management, performance, and disaster recovery, ransomware gangs create encryptors focused on targeting the platform.

Experts Link AVRecon Bot to the Malware Proxy Service SocksEscort

In early July, researchers from Lumen Black Lotus Labs discovered the AVRecon botnet, which targeted small office/home office (SOHO) routers and infected over 70,000 devices across 20 countries. The threat actors behind the campaign aimed to build a botnet for various criminal activities, including password spraying and digital advertising fraud.

Microsoft Fixes WSUS Servers Not Pushing Windows 11 22H2 Updates

Microsoft fixed a known issue impacting WSUS (Windows Server Update Services) servers upgraded to Windows Server 2022, causing them not to push Windows 11 22H2 updates to enterprise endpoints. While the updates would successfully download to the WSUS server, they failed to propagate further to client devices. The root cause stems from the accidental removal of .msu and .wim MIME types during the upgrade process to Windows Server 2022.

BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities

The Russian nation-state actor known as BlueBravo has been observed targeting diplomatic entities throughout Eastern Europe with the goal of delivering a new backdoor called GraphicalProton, exemplifying the continuous evolution of the threat. The phishing campaign is characterized by the use of legitimate internet services (LIS) for command-and-control (C2) obfuscation, Recorded Future said in a new report published Thursday.

Zimbra Patches Zero-Day Vulnerability Exploited in XSS Attacks

Zimbra recently addressed a zero-day vulnerability that was exploited in attacks targeting Zimbra Collaboration Suite email servers. Tracked as CVE-2023-38750, the flaw relates to a case of reflected Cross-Site Scripting impacting Zimbra Collaboration Suite Version 8.8.15, which could enable threat actors to steal sensitive information or execute arbitrary code on vulnerable systems. The flaw was uncovered by security researcher Clément Lecigne of Google Threat Analysis Group and was initially disclosed to the public two weeks ago.

High Severity Vulnerabilities Discovered in Ninja Forms Plugin

Multiple critical vulnerabilities have been detected in Ninja Forms. a widely used WordPress forms builder plugin with more than 900,000 active installations. The plugin, created by Saturday Drive, enables users to generate a wide range of forms such as contact forms, event registration, file uploads, and payments. Security researchers from Patchstack published a new advisory revealing the presence of the first vulnerability which is a reflected cross site scripting flaw based on POST requests.

BreachForums Database and Private Chats for Sale in Hacker Data Breach

While consumers are usually the ones worried about their information being exposed in data breaches, it's now the hacker's turn, as the notorious Breached cybercrime forum's database is up for sale and member data has been shared with Have I Been Pwned. Yesterday, the Have I Been Pwned data breach notification service announced that visitors can check if their information was exposed in a data breach of the Breached cybercrime forum.

Australia and US Issue Warning About Web App Threats

The Australian and US governments have issued a joint advisory about the growing cyber-threats to web applications and application programming interfaces (APIs). The guidance, Preventing Web Application Access Control Abuse was released by the Australian Cyber Security Centre (ACSC), US Cybersecurity and Infrastructure Security Agency (CISA), and US National Security Agency (NSA) on July 27, 2023/

Repeatable VEC Attacks Target Critical Infrastructure

The incidence of vendor email compromise attacks has surged, as recent data reveals a significant uptick in these cyber threats. A new report released yesterday by Abonormal Security, a cybersecurity firm, highlight the growing risk posed by VEC attacks, which are a variant of business email compromise.

New Nitrogen Malware Pushed via Google Ads For Ransomware Attacks

A new 'Nitrogen' initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads. The goal of the Nitrogen malware is to provide the threat actors initial access to corporate networks, allowing them to conduct data-theft, cyberespionage, and ultimately deploying the BlackCat/ALPHV ransomware.

NATO Investigates Alleged Data Theft by SiegedSec Hackers

NATO has confirmed that its IT team is investigating claims about an alleged data-theft hack on the Communities of Interest (COI) Cooperation Portal by a hacking group known as SiegedSec. The COI Cooperation Portal ( is the military alliance's unclassified information-sharing and collaboration environment, dedicated to supporting NATO organizations and member nations. Yesterday, the hacking group 'SiegedSec' posted on Telegram what they claimed to be hundreds of documents stolen from the COI Cooperation Portal.

FraudGPT, A New Malicious Generative AI Tool Appears in the Threat Landscape

Generative AI models are becoming very attractive for crooks, Netenrich researchers recently spotted a new platform dubbed FraudGPT which is advertised on multiple marketplaces and the Telegram Channel since July 22, 2023. According to Netenrich, this generative AI bot was trained for offensive purposes, such as creating spear phishing emails, conducting BEC attacks, cracking tools, and carding.

Microsoft Previews Defender for IoT Firmware Analysis Service

Microsoft announced a new Defender for IoT feature that will allow analyzing the firmware of embedded Linux devices like routers for security vulnerabilities and common weaknesses. Dubbed Firmware Analysis and now available in Public Preview, the new capability can detect a wide range of weaknesses, from hardcoded user accounts and outdated or vulnerable open-source packages to the use of a manufacturer's private cryptographic signing key.

ALPHV Ransomware Adds Data Leak API in New Extortion Strategy

ALPHV ransomware gang, aka BlackCat, is now providing an API for their leak site to increase visibility for their attacks. Earlier this week, several researchers spotted a new page within the BlackCat leak site with instructions for using their API to collect timely updates about new victims. APIs, or Application Programming Interfaces, are typically used to enable communication between two software components based on agreed definitions and protocols .

VMware fixes bug exposing CF API admin credentials in Audit Logs

VMware recently fixed an information disclosure bug impacting its VMware Tanzu Application service for VMs (TAS for VMs) and Isolation Segment. “TAS for VMs helps enterprises automate the deployment of applications across on-premises or public and private clouds (e.g., vSphere, AWS, Azure, GCP, OpenStack). Tracked as CVE-2023-20891, the issue seems to be caused by credentials being logged and exposed via system audit logs.

Critical Vulnerabilities Found in Radio Encryption System

Security experts have discovered numerous vulnerabilities in a widely employed radio communication system, which is extensively used by law enforcement and critical infrastructure for transmitting data. These vulnerabilities could potentially enable remote decryption of cryptographically protected communications. Five vulnerabilities in Terrestrial Trunked Radio, a European radio communication standard have been identified by researchers from the Dutch security firm Midnight Blue.

Super Admin Elevation Bug Puts 900,000 MikroTik Devices at Risk

A critical severity 'Super Admin' privilege elevation flaw puts over 900,000 MikroTik RouterOS routers at risk, potentially enabling attackers to take full control over a device and remain undetected. The flaw, CVE-2023-30799, allows remote attackers with an existing admin account to elevate their privileges to "super-admin" via the device's Winbox or HTTP interface.

Over 400,000 Corporate Credentials Stolen by Info-stealing Malware

The analysis of nearly 20 million information-stealing malware logs sold on the dark web and Telegram channels revealed that they had achieved significant infiltration into business environments. Information stealers are malware that steals data stored in applications such as web browsers, email clients, instant messengers, cryptocurrency wallets, FTP clients, and gaming services. The stolen information is packaged into archives called 'logs,' which are then uploaded back to the threat actor for use in attacks or sold on cybercrime marketplaces.

Biden-Harris Administration Secures AI Commitments For Safety

The Biden-Harris Administration has taken a new step towards ensuring the responsible development of artificial intelligence (AI) technology by securing voluntary commitments from leading AI companies. As part of the new initiative, Amazon, Anthropic, Google, Inflection, Meta, Microsoft and OpenAI have pledged to prioritize safety, security and trust in their AI systems.

Norway Says Ivanti Zero-Day Was Used to Hack Govt IT Systems

The Norwegian National Security Authority (NSM) has confirmed that attackers used a zero-day vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) solution to breach a software platform used by 12 ministries in the country. The Norwegian Security and Service Organization (DSS) said on Monday that the cyberattack did not affect Norway's Prime Minister's Office, the Ministry of Defense, the Ministry of Justice, and the Ministry of Foreign Affairs.

Lazarus Hackers Hijack Microsoft IIS Servers to Spread Malware

The Lazarus hacking group, sponsored by the North Korean state, is currently involved in breaching Windows Internet Information Service (IIS) web servers with the intention of taking control of these servers for distributing malware. IIS is a web server solution developed by Microsoft, commonly used to host websites or application services, including Microsoft Exchange’s Outlook on the web.

Clop Now Leaks Data Stolen in MoveIT Attacks on Clearweb Sites

The Clop ransomware group is emulating the tactics of the ALPHV ransomware gang by constructing dedicated internet accessible websites for individual victims. “To overcome these obstacles, last year, the ALPHV ransomware operation, also known as BlackCat, introduced a new extortion tactic of creating clearweb websites to leak stolen data that were promoted as a way for employees to check if their data was leaked.

New Variant of AsyncRAT Malware Spreading Through Pirated Software

According to researchers at Avast, a new variant of AsyncRAT is being distributed via free, pirated versions of popular software and utilities such as video games, image and sound editing software, and Microsoft Office. Dubbed HotRat, the remote access trojan has been seen in the wild since October 2022, with majority of the infections being located in Thailand, Guyana, Libya, Suriname, Mali, Pakistan, Cambodia, South Africa, and India. The attack chain disclosed by Avast entails bundling cracked software available online via torrent sites with a malicious AutoHotKey (AHK script).

New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection

Qualys Threat Research Unit recently uncovered a remote code execution vulnerability impacting OpenSSH’s forwarded ssh-agent, a background program that maintains users' keys in memory and facilitates remote logins to a server without having to enter their passphrase again. Tracked as CVE-2023-38408, the vulnerability impacts OpenSSH before 9.3p2 and can be exploited to execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent. A successful exploit requires certain libraries to be present on the victim system and that the SSH authentication agent is forwarded to an attacker-controlled system.

Experts Warn of OSS Supply Chain Attacks Against the Banking Sector

In the first half of 2023, Checkmarx researchers detected multiple open-source software supply chain attacks aimed at the banking sector. These attacks targeted specific components in web assets used by banks, according to the experts the attackers used advanced techniques. A threat actor leverage the NPM platform to upload malicious packages that included malicious objects upon installation.

Critical AMI MegaRAC Bugs Can Let Hackers Brick Vulnerable Servers

Recently, American Megatrends International, a hardware and software company, identified two critical severity vulnerabilities in their MegaRAC Baseboard Management Controller software. The MegaRac BMC software is designed to offer administrators “out of band” and “lights out” remote system management capabilities. This functionality allows administrators to troubleshoot servers as if they were physically present in front of the devices, even when operating remotely.

VirusTotal Apologizes For Data Leak Affecting 5,600 Customers

VirusTotal apologized on Friday for leaking the information of over 5,600 customers after an employee mistakenly uploaded a CSV file containing their info to the platform last month. The data leak impacted only Premium account customers, with the uploaded file containing their names and corporate email addresses. Emiliano Martines, the online malware scanning service's head of product management, also assured impacted customers that the incident was caused by human error and was not the result of a cyber-attack or any vulnerability with VirusTotal.

DDoS Botnets Hijacking Zyxel Devices to Launch Devastating Attacks

Researchers at FortiGuard Labs have observed several distributed denial-of-service botnets exploiting a critical flaw in Zyxel devices to gain remote control of vulnerable systems. Tracked as CVE-2023-28771, the vulnerability is related to a command injection bug affecting multiple firewall models that could enable an unauthorized actor to execute arbitrary code via specially crafted packets sent to the targeted appliance.

Chinese APT41 Linked to WyrmSpy and DragonEgg Surveillanceware

Researchers at Lookout released a report on July 19, 2023, revealing that the Chinese espionage group APT41 is associated with the advanced Android surveillanceware known as WyrmSpy and DragonEgg. The report emphasized APT41’s well documented past of conducting espionage and seeking financial advantages by targeting government institutions and private companies.

Adobe Emergency Patch Fixes New ColdFusion Zero-Day Used in Attacks

Adobe recently published an emergency ColdFusion security update that addressed several vulnerabilities, including a new zero-day that was exploited in attacks in the wild. The zero-day tracked as CVE-2023-38205 is being described as an instance of improper access control that could result in a security bypass. Two other flaws were addressed, one of which was rated critical in severity while the other was rated medium in severity.

JumpCloud Breach Traced Back to North Korean State Hackers

US-based enterprise software company JumpCloud was breached by North Korean Lazarus Group hackers, according to security researchers at SentinelOne and CrowdStrike. In a report published on Thursday, SentinelOne Senior Threat Researcher Tom Hegel linked the North Korean threat group to the JumpCloud hack based on multiple indicators of compromise shared by the company in a recent incident report.

drIBAN Fraud Operations Target Corporate Banking Customers

Threats actors have extensively employed an advanced web-inject kit known as drlBAN to orchestrate fraudulent assaults on corporate banking institutions and their customers. As stated in a recent advisory from Cleafy security researchers, drlBAN was initially discovered in 2019. It utilizes customized JavaScript code to specifically target different entities within the corporate banking sector. Functioning as part of a Man-in-the-Browser attack, these web injects enable cyber criminals to manipulate the content of legitimate web pages in real time, circumventing the TLS protocol.

Ukraine Takes Down Massive Bot Farm, Seizes 150,000 SIM Cards

Ukraine’s Cyber Police Department has dismantled another massive bot farm linked to more than 100 individuals after researching nearly two dozen locations. The bots were allegedly used to promote Russian propaganda, justifying Russia’s invasion of Ukraine. The bots were also leveraged to spread illegal content and personal information and conduct other fraudulent activities.

Cybersecurity Firm Sophos Impersonated by New SophosEncrypt Ransomware

Cybersecurity researcher MalwareHunterTeam recently uncovered a new ransomware as a service (RaaS) dubbed SophosEncrypt which is allegedly impersonating Sophos. MalwareHunterTeam Initially thought SophosEncrypt to be part of a red team exercise by Sophos, however, Sophos followed up on Twitter stating that they did not create the encryptor and are conducting an investigation. Taking a closer look at the sample uncovered by MalwareHunterTeam, the encryptor is written in the Rust programming language.

Security Alert: Social Engineering Campaign Targets Technology Industry Employees

GitHub has identified a low-volume social engineering campaign targeting personal accounts of employees in technology firms. The attackers use GitHub repository invitations and malicious npm package dependencies. The targets are often associated with blockchain, cryptocurrency, online gambling, or cybersecurity sectors. The threat actor behind this campaign is likely linked to North Korean objectives and has been identified as Jade Sleet or TraderTraitor.

U.S. Preparing Cyber Trust Mark for More Secure Smart Devices

A new cybersecurity certification and labeling program called U.S. Cyber Trust Mark is being shaped to help U.S. consumers choose connected devices that are more secure and resilient to hacker attacks. A proposal from the Federal Communications Commission, the program is expected to roll out next year with smart device vendors committing to it voluntarily.

Hackers Exploiting Critical WordPress Woocommerce Payments Bug

A critical vulnerability in the widely used WooCommerce Payments plugin is being exploited by hackers, enabling them to gain unauthorized privileges of any user, including administrators, on vulnerable WordPress installations. WooCommerce Payments is a highly popular WordPress plugin that facilitates credit and debit card payments in WooCommerce stores, with over 600,000 active installations as, reported by WordPress.

Pakistani Entities Targeted in Sophisticated Attack Deploying ShadowPad Malware

An unidentified threat actor compromised an application used by multiple entities in Pakistan to deliver ShadowPad, a successor to the PlugX backdoor that's commonly associated with Chinese hacking crews. Targets included a Pakistan government entity, a public sector bank, and a telecommunications provider, according to Trend Micro. The infections took place between mid-February 2022 and September 2022.

Meet NoEscape: Avaddon ransomware gang's likely successor

The new NoEscape ransomware operation is believed to be a rebrand of Avaddon, a ransomware gang that shut down and released its decryption keys in 2021. NoEscape launched in June 2023 when it began targeting the enterprise in double-extortion attacks. As part of these attacks, the threat actors steal data and encrypt files on Windows, Linux, and VMware ESXi servers. The threat actors then threaten to publicly release stolen data if a ransom is not paid. BleepingComputer is aware of NoEscape ransomware demands ranging between hundreds of thousands of dollars to over $10 million. Like other ransomware gangs, NoEscape does not allow its members to target CIS (ex-Soviet Union) countries, with victims from those countries receiving free decryptors and information on how they were breached.

Google Cloud Build Bug Lets Hackers Launch Supply Chain Attacks

A critical design flaw in Google Cloud Build has been discovered by cloud security firm Orca Security, allowing hackers to launch supply chain attacks. The flaw, named Bad.Build, enables attackers to escalate privileges and gain unauthorized access to Google Artifact Registry code repositories. By impersonating the service account for Google Cloud Build, threat actors can run API calls against the artifact registry, inject malicious code into applications, and potentially compromise the entire supply chain.

FIN8 Deploys ALPHV Ransomware Using Sardonic Malware Variant

A financially motivated cybercrime gang has been observed deploying BlackCat ransomware payloads on networks backdoored using a revamped Sardonic malware version. Tracked as FIN8 (aka Syssphinx), this threat actor has been actively operating since at least January 2016, focusing on targeting industries such as retail, restaurants, hospitality, healthcare, and entertainment.

CERT-UA Uncovers Gamaredon's Rapid Data Exfiltration Tactics Following Initial Compromise

Last week, the computer emergency response team of Ukraine (CERT-UA) released an article disclosing details about a Russian-linked threat actor known as Gamaredon (Aka Aqua Blizzard, Armageddon, Shuckworm, or UAC-0010). Active since at least 2013, Gamaredon is a state-sponsored actor with ties to the SBU Main Office in the Autonomous Republic of Crimea, which was annexed by Russia in 2014.

AI Tool WormGPT Enables Convincing Fake Emails For BEC Attacks

New research conducted by security firm SlashNext reveals that cyber-criminals are utilizing a potent tool called WormGPT, a generative AI system, for carrying out business email compromise (BEC) attacks. Security expert Daniel Kelley, observed a worrisome trend in online forums where cyber-criminals are offering “jailbreaks” for interfaces like ChatGPT. These jailbreaks are specialized prompts that aim to exploit ChatGPT by manipulating it to generate outputs involving sensitive information disclosure, inappropriate content generation, or even the execution of harmful code.

JumpCloud Discloses Breach by State-Backed APT Hacking Group

US-based enterprise software firm JumpCloud has disclosed a breach by a state-backed hacking group that occurred almost one month ago. The attack was highly targeted and focused on a limited set of customers. The breach was discovered on June 27 after the attackers gained access through a spear-phishing attack. Although no evidence of customer impact was found initially, JumpCloud decided to rotate credentials and rebuild compromised infrastructure.

A Deep Dive into the Packet Reflection Vulnerability Allowing Attackers to Plague Private 5G Network

5G technology has bolstered productivity in modern-day factories, allowing multiple devices to be connected simultaneously, but 5G networks are not immune to cyberattacks. In our recent joint research effort with CTOne and the Telecom Technology Center (TTC), the official advisory group to Taiwan's National Communications Commission and Ministry of Digital Affairs, Trend Micro looked into ZDI-CAN-18522, a packet reflection vulnerability in the UPF of 5G cores (5GC).

Colorado State University says data breach impacts students, staff

Colorado State University (CSU) has confirmed that the Clop ransomware operation stole sensitive personal information of current and former students and employees during the recent MOVEit Transfer data-theft attacks. Colorado State University is a public research university with nearly 28,000 students and 6,000 academic and administrative staff members, operating on an endowment of $558,000,000.

New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries

A new malware strain has been found covertly targeting small office/home office (SOHO) routers for more than two years, infiltrating over 70,000 devices and creating a botnet with 40,000 nodes spanning 20 countries. Lumen Black Lotus Labs has dubbed the malware AVrecon, making it the third such strain to focus on SOHO routers after ZuoRAT and HiatusRAT over the past year.

Cisco SD-WAN vManage Impacted by Unauthenticated REST API Access

The Cisco SD-WAN vManage management software is impacted by a flaw that allows an unauthenticated, remote attacker to gain read or limited write permissions to the configuration of the affected instance. Cisco SD-WAN vManage is a cloud-based solution allowing organizations to design, deploy, and manage distributed networks across multiple locations.

Popular WordPress Security Plugin Caught Logging Plaintext Passwords

A popular WordPress plugin dubbed All-In-One Security (AIOS) was found to log plaintext passwords from login attempts. With over one million installs on WordPress sites, AIOS is a security and firewall plugin designed to log user activity and prevent cyberattacks such as brute-force attempts by warning admins when the default admin username is used for login. Approximately two weeks ago, user reports started coming in about an insecure design flaw in the plugin.

Russian State Hackers Lure Western Diplomats With BMW Car Ads

The Russian state-backed hacking collective known as APT29 has been employing unique tactics such as offering car listings to attract diplomats in Ukraine into clicking on harmful links, which ultimately distribute malware. APT29 is affiliated with Russia’s Foreign Intelligence Service (SVR), and it has gained notoriety for executing multiple cyber-espionage operations aimed at influential individuals worldwide.

Fortinet Warns of Critical RCE flaw in FortiOS, FortiProxy Devices

Fortinet recently disclosed a critical severity flaw impacting FortiOS and FortiProxy that could enable remote attackers to execute arbitrary code on vulnerable devices. Tracked as CVE-2023-33308, the flaw was uncovered to disclosed to Fortinet by cybersecurity firm Watchtowr. According to Fortinet, CVE-2023-33308 relates to a stack-based overflow vulnerability and could allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.

Microsoft July 2023 Patch Tuesday Warns of 6 Zero-Days, 132 Flaws

As part of the July Patch Tuesday, Microsoft addressed 132 vulnerabilities, six of which were actively exploited zero-days. In total, there were 33 Elevation of Privilege Vulnerabilities, 13 Security Feature Bypass Vulnerabilities, 37 Remote Code Execution Vulnerabilities, 19 Information Disclosure Vulnerabilities, 22 Denial of Service Vulnerabilities, and 7 Spoofing Vulnerabilities. Out of the 132 flaws addressed, nine have been rated critical in severity.

Ransomware Payments on Record-Breaking Trajectory for 2023

Data from the first half of the year indicates that ransomware activity is on track to break previous records, seeing a rise in the number of payments, both big and small. According to a report by blockchain analysis firm Chainalysis, ransomware is the only cryptocurrency crime category seeing a rise this year, with all others, including hacks, scams, malware, abuse material sales, fraud shops, and darknet market revenue, recording a steep decline, "In fact, ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June."

Experts Released PoC exploit for Ubiquiti EdgeRouter Flaw

A Proof-of-Concept (PoC) exploit for the CVE-2023-31998 vulnerability in the Ubiquiti EdgeRouter has been publicly released. The CVE-2023-31998 flaw (CVSS v3 5.9) is a heap overflow issue impacting Ubiquiti EdgeRouters and Aircubes, an attacker can exploit it to potentially execute arbitrary code and interrupt UPnP service to a vulnerable device.

Owncast, EaseProbe Security Vulnerabilities Revealed

Oxeye has uncovered two critical security vulnerabilities and recommends immediate action to mitigate risk. The vulnerabilities were discovered in Owncast (CVE-2023-3188) and EaseProbe (CVE-2023-33967), two open-source platforms written in Go. The first vulnerability was discovered in Owncast, an open-source, self-hosted, decentralized, single-user live video streaming and chat server written in Go.

VMware Warns of Exploit Available for Critical vRealize RCE Bug

VMware warned customers today that exploit code is now available for a critical vulnerability in the VMware Aria Operations for Logs analysis tool, which helps admins manage terabytes worth of app and infrastructure logs in large-scale environments. The flaw (CVE-2023-20864) is a deserialization weakness patched in April, and it allows unauthenticated attackers to gain remote execution on unpatched appliances.

RomCom RAT Targeting NATO and Ukraine Support Groups

The threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the upcoming NATO Summit in Vilnius as well as an identified organization supporting Ukraine abroad. The findings come from the BlackBerry Threat Research and Intelligence team, which found two malicious documents submitted from a Hungarian IP address on July 4, 2023.

New TOITOIN Banking Trojan Targeting Latin American Businesses

Businesses operating in the Latin American (LATAM) region are the target of a new Windows-based banking trojan called TOITOIN since May 2023. ‘This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage,’ Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week.

Charming Kitten Hackers Use New ‘NokNok’ Malware for macOS

Security researchers observed a new campaign they attribute to the Charming Kitten APT group where hackers used new NokNok malware that targets macOS systems. The campaign started in May and relies on a different infection chain than previously observed, with LNK files deploying the payloads instead of the typical malicious Word documents seen in past attacks from the group.

Apps with 1.5M installs on Google Play send your data to China

Security researchers discovered two malicious file management applications on Google Play with a collective installation count of over 1.5 million that collected excessive user data that goes well beyond what's needed to offer the promised functionality. The apps, both from the same publisher, can launch without any interaction from the user to steal sensitive data and send it to servers in China.

Google Releases Android Patch Update for 3 Actively Exploited Vulnerabilities

or the month of June, Google released 46 new software vulnerabilities, some of which were actively exploited in attacks in the wild. Among the vulnerabilities addressed is a memory leak flaw impacting the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips. Tracked as CVE-2023-26083, the bug was exploited in a previous attack that enabled spyware infiltration on Samsung devices in December 2022. Another serious vulnerability addressed is CVE-2021-29256 which relates to a high-severity issue impacting specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers.

Iranian Hacking Group Impersonating Nuclear Experts to Gain Intel From Western Think Tanks

Researchers at Proofpoint have revealed that a cyber espionage group associated with the Iranian government has been engaging in phishing attacks targeting Middle Eastern nuclear weapons experts by impersonating employees of think tanks. The group, known by various names such as TA453, Charming Kitten, or APT35, has a history of targeting government officials, politicians, think tanks, and critical infrastructure entities in the United States and Europe.

MOVEit Transfer Customers Warned to Patch New Critical Flaw

MOVEit Transfer, the software at the center of the recent massive spree of Clop ransomware breaches, has received an update that fixes a critical-severity SQL injection bug and two other less severe vulnerabilities. SQL injection vulnerabilities allow attackers to craft special queries to gain access to a database or tamper with it by executing code. For these attacks to be possible, the target application must suffer from a lack of appropriate input/output data sensitization.

International Police Arrest Head of Opera1er Cybercrime Gang

International law enforcement agencies have announced the arrest of the leader of a cybercriminal syndicate called Opera1er, responsible for over 30 successful cyberattacks targeting financial institutions, banks, mobile banking services, and telecommunications companies. The group, also known as Desktop-Group and NXSMS, was involved in various scams, including malware, phishing, and business email compromise, resulting in an estimated $30 million in stolen funds. Interpol, along with AFRIPOL, Group-IB, Direction de L'information et des Traces Technologiques, and the Orange CERT Coordination Center, led the operation named Nervone. The arrest took place in early June in Abidjan, Côte d'Ivoire, Mali. Group-IB, who had been tracking the Opera1er group since 2018, provided crucial intelligence that helped identify the leader's identity and potential location.

Over 130,000 Solar Energy Monitoring Systems Exposed Online

Researchers are raising concerns about the vulnerability of over 130,000 photovoltaic monitoring and diagnostic systems accessible through the public internet. This accessibility exposes them to potential attacks from hackers. These systems play a crucial role in remote performance monitoring, troubleshooting, optimizing system efficiency, and enabling the remote management of renewable energy production units.

Researchers Uncover New Linux Kernel 'StackRot' Privilege Escalation Vulnerability

Researchers at Peking University recently disclosed details of a new flaw in the Linux Kernel that could enable a threat actor to elevate privileges on a targeted host. Dubbed StackRot, the flaw is being tracked as CVE-2023-3269 and impacts Linux versions 6.1 through 6.4. According to security researcher Ruihan Li, “As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger…However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging.”

Cisco Warns of Bug That Lets Attackers Break Traffic Encryption

Yesterday, Cisco released an advisory warning its customers of an unpatched vulnerability in the Cisco ACI Multi-Site CloudSec encryption feature of Cisco Nexus 9000 Series Fabric Switches in ACI mode that could be exploited by an unauthenticated remote attack to read or modify intersite encrypted traffic. Tracked as CVE-2023-20185, the flaw received a CVSS score of 7.4, indicating a high level of severity. According to Cisco, the vulnerability is due to an issue with the implementation of the ciphers that are used by the CloudSec encryption feature on affected switches.

Microsoft Investigates Bug Breaking Email Search

Microsoft is investigating an ongoing issue preventing Outlook[.]com users from searching their emails and triggering 401 exception errors. When searching, users see an error saying, "Sorry, something went wrong. Please try again later." "Our initial review of Outlook[.]com server logs, in parallel with HTTP Archive format (HAR) logs captured during an internal reproduction of impact, indicates 401 errors are occurring due to an exception when users attempt to perform the search," Microsoft says on the service health portal.

RedEnergy Stealer-as-a-Ransomware Employed in Attacks in the Wild

Zscaler ThreatLabz researchers discovered a new Stealer-as-a-Ransomware named RedEnergy used in attacks against energy utilities, oil, gas, telecom, and machinery sectors. The malware has the capabilities to steal information from various Internet browsers, but can also support ransomware activities. In this recent campaign, threat actors are masquerading as fake web browser updates to lure victims into installing the malware.

Hackers Target European Government Entities in SmugX Campaign

Since December 2022, a Chinese threat actor has been conducting a phishing campaign referred to as SmugX, which specifically targets embassies and foreign affairs ministries in the UK, France, Sweden Czech Republic, Hungary, and Slovakia. Security researchers at Check Point, a cybersecurity company, conducted analysis of the attacks and identified similarities with previous activities carried out by APT groups known as Mustang Panda and RedDelta.

New Tool Exploits Microsoft Teams Bug to Send Malware to Users

A member of U.S. Navy's red team has published a tool called TeamsPhisher that leverages an unresolved security issue in Microsoft Teams to bypass restrictions for incoming files from users outside of a targeted organization, the so-called external tenants. The tool exploits a problem highlighted last month by Max Corbridge and Tom Ellson of UK-based security services company Jumpsec, who explained how an attacker could easily go around Microsoft Teams' file-sending restraints to deliver malware from an external account.

Mexico-Based Hacker Targets Global Banks with Android Malware

An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023. The activity is being attributed to an actor codenamed Neo_Net, according to security researcher Pol Thill.

Japan’s largest Port Stops Operations After Ransomware Attack

The Port of Nagoya, the largest and busiest port in Japan, has been targeted in a ransomware attack that currently impacts the operation of container terminals. The port accounts for roughly 10% of Japan's total trade volume. It operates 21 piers and 290 berths. It handles over two million containers and cargo tonnage of 165 million every year. The port is also used by the Toyota Motor Corporation, one of the world’s largest automakers, to export most of its cars.

BlackCat Uses Malvertising to Push Backdoor

The BlackCat ransomware-as-a-service group is developing a threat activity cluster by deploying malicious malware using chosen keywords on webpages of legitimate organizations. They engage in unauthorized activities within company networks using cloned webpages of legitimate applications like WinSCP and SpyBoy. These cybercriminals hijack keywords to display malicious ads and lure unsuspecting users into downloading malware, a technique known as malvertising.

Blackcat Ransomware Pushes Cobalt Strike via WinSCP Search Ads

The ALPHV ransomware group, also known as the BlackCat, is engaging in malvertising activities to trick individuals into visiting counterfeit websites that closely resemble the legitimate WinSCP file-transfer application for Windows. However, these deceptive pages distribute installers infected with malicious software. WinSCP, a widely-used application for secure file transfer on Windows, is an open-source client and file manager supporting SFTP, FTP, S3, and SCP protocols. It boasts a significant user base, with approximately 400,000 weekly downloads from SourceForge alone. The BlackCat group is leveraging the WinSCP program as bait to potentially infiltrate the computers of system administrators, web administrators, and IT professionals, aiming to gain initial entry into valuable corporate networks.

New Windows Meduza Stealer Targets Tens of Crypto Wallets and Password Managers

A newly discovered information-stealing malware known as Meduza Stealer has been identified by researchers. The creators of this malware utilize advanced marketing tactics to promote its distribution. Meduza Stealer is designed to extract various browser-related data, such as login credentials, browsing history, and bookmarks, thereby compromising the victim’s browsing activities. Additionally, the malware targets specific extensions related to cryptocurrency wallets, password managers, and two-factor authentication (2FA). The authors of Meduza Stealer actively work on developing the malware in order to evade detection. However, no specific attacks have been attributed to this malware as of now.

TSMC Denies LockBit Hack as Ransomware Gang Demands $70 Million

Chipmaking giant TSMC (Taiwan Semiconductor Manufacturing Company) denied being hacked after the LockBit ransomware gang demanded $70 million not to release stolen data. TSMC is one of the world's largest semiconductor manufacturers, with its products used in a wide variety of devices, including smartphones, high performance computing, IoT devices, automotive, and digital consumer electronics/

300,000+ Fortinet Firewalls Vulnerable to Critical FortiOS RCE Bug

Hundreds of thousands of FortiGate firewalls are vulnerable to a critical security issue identified as CVE-2023-27997, almost a month after Fortinet released an update that addresses the problem. The vulnerability is a remote code execution with a severity score of 9.8 out of 10 resulting from a heap-based buffer overflow problem in FortiOS, the operating system that connects all Fortinet networking components to integrate them in the vendor's Security Fabric platform.

Experts Detected a New Variant of North Korea-Linked RUSTBUCKET macOS Malware

Researchers from Elastic Security Labs have discovered a new variant of the RustBucket Apple macOS malware. In April, the security firm Jamf observed the North Korea-linked BlueNoroff APT group using this new malware. BlueNoroff operates under the control of the notorious Lazarus APT group, also linked to North Korea. The RustBucket malware enables the operators to download and execute different payloads. The attribution to BlueNoroff APT is based on similarities found in Kaspersky's analysis.

MITRE Unveils Top 25 Most Dangerous Software Weaknesses of 2023: Are You at Risk?

MITRE recently published its list of the top 25 most dangerous software weaknesses for 2023. Every year, this list is calculated by analyzing public vulnerability data in the National Vulnerability Database for root cause mappings to CWE weaknesses for the previous two years. In total, 43,996 CVE entries were examined, with a score being assigned to each entry based on the prevalence and severity of the flaw.

Cybercriminals Hijacking Vulnerable SSH Servers in New Proxyjacking Campaign

An active financially motivated campaign is targeting vulnerable SSH servers to covertly ensnare them into a proxy network. ‘This is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain,’ Akamai researcher Allen West said in a Thursday report. Unlike cryptojacking, in which a compromised system's resources are used to illicitly mine cryptocurrency, proxyjacking offers the ability for threat actors to leverage the victim's unused bandwidth to covertly run different services as a P2P node.

New EarlyRAT Malware Linked to North Korean Andariel Hacking Group

Security analysts have discovered a previously undocumented remote access trojan (RAT) named 'EarlyRAT,' used by Andariel, a sub-group of the Lazarus North Korean state-sponsored hacking group. Andariel (aka Stonefly) is believed to be part of the Lazarus hacking group known for employing the DTrack modular backdoor to collect information from compromised systems, such as browsing history, typed data (keylogging), screenshots, running processes, and more

Clop's MOVEit Campaign Affects Over 16 Million Individuals

The victims of the Clop ransomware group's supply chain attack include a wide range of organizations, such as healthcare software firm Vitality Group International, Talcott Resolution Life Insurance Company, and several universities including Georgia, Johns Hopkins, Missouri, Rochester, and Southern Illinois. Government departments like the U.S. Department of Energy, Department of Agriculture, and Office of Personnel Management were also targeted.

Manifest Confusion Threat Undermines Trust in Entire NPM Registry

The lack of metadata validation in the npm registry, which is widely used by developers to download Javascript code, has raised concerns about potential cyber threats. Despite being the largest software registry globally, with 17 million developers relying on it, the registry fails to perform checks on package metadata.

Critical Security Flaw in Social Login Plugin for WordPress Exposes Users' Accounts

Wordfence recently disclosed a critical flaw in miniOrange's Social Login and Register plugin for WordPress, which could be leveraged by a malicious threat actor to access any account on websites running the vulnerable plugin. Tracked as CVE-2023-2982 (CVSS score: 9.8), the flaw has been described as an authentication bypass flaw and impacts all versions of the plugin, including and prior to 7.6.4.

Linux version of Akira ransomware targets VMware ESXi servers

Operators behind the Akira Ransomware have released a new Linux variant that is capable of encrypting VMware ESXi virtual machines. The Linux variant was discovered by malware analyst rivitna, who shared a sample of the new encryptor on VirusTotal last week. According to analysts, Linux encryptor shows it has a project name of 'Esxi_Build_Esxi6,’ indicating that is specially designed to target VMware ESXi servers.

Microsoft Fixes Windows Bug Causing File Explorer Freezes

Microsoft has resolved a Windows bug that was causing freezes in the File Explorer application. The issue primarily affected non-consumer environments and was observed in Windows 11 21H2/22H2 and Windows Server 2022. Users experienced freezes in File Explorer after installing Windows updates released since May 9th, 2023. Microsoft released an optional cumulative update (KB5027303) this month to address the issue for Windows 11 22H2 users, with a plan to make it available to all affected Windows users in the July Patch Tuesday cumulative updates.

CISA and NSA Help Organizations Defend Their CI/CD Environments

The Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) published a joint Cybersecurity Information Sheet (CSI) titled, “Defending Continuous Integration/Continuous Delivery Environment,” which can help organizations improve their defenses in cloud implementations of development, security, and operations (DevSecOps). Specifically, this joint guide explains how to integrate security best practices into typical software development and operations (DevOps) CI/CD environments, without regard for the specific tools being adapted.

CryptosLabs Scam Ring Targets French-Speaking Investors, Rakes in €480 Million

Group-IB recently uncovered the operations of a scam ring dubbed CryptoLabs that has allegedly made €480 million in illegal profits by targeting users in French-speaking individuals in France, Belgium, and Luxembourg since April 2018. The syndicate is known for impersonating well-known banks, fin-techs, asset management firms, and crypto platforms, setting up scam infrastructure spanning over 350 domains hosted on more than 80 servers. According to researchers, the threat actors have been experimenting with different landing pages, since 2015, ultimately launching their campaign around June 2018.

8Base Ransomware Spikes in Activity, Threatens U.S. and Brazilian Businesses

A ransomware threat called **8Base** that has been operating under the radar for over a year has been attributed to a ‘massive spike in activity’ in May and June 2023. ‘The group utilizes encryption paired with 'name-and-shame' techniques to compel their victims to pay their ransoms,’ VMware Carbon Black researchers Deborah Snyder and Fae Carlisle [said]( in a report. ‘8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries.’

EncroChat Bust Leads to 6,558 Criminals' Arrests and €900 Million Seizure

On Tuesday, Europol announced that the takedown of EncroChat in July 2020 led to 6,558 arrests worldwide and the seizure of €900 million in illicit criminal proceeds. The operation was carried out by French and Dutch authorities which intercepted and analyzed over 115 million conversations made between approximately 60,000 users using the encrypted messaging platform.

Newly Surfaced ThirdEye Infostealer Targeting Windows Devices

Researchers have recently detected a new info stealer known as ThirdEye, which exhibits various variants, all designed to target and steal victims’ data. During a preliminary analysis, FortiGuard Labs came across this highly malicious yet, relatively unsophisticated info stealer while examining suspicious files. The researchers, became suspicious after encountering a Russian archive file translated to “time sheet” in English.

Hundreds of Devices Found Violating New CISA Federal Agency Directive

Censys researchers have discovered hundreds of Internet-exposed devices on the networks of U.S. federal agencies that have to be secured according to a recently issued CISA Binding Operational Directive. An analysis of the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations led to the discovery of more than 13,000 individual hosts exposed to Internet access, distributed across over 100 systems linked to FCEB agencies.

Anatsa Android Trojan Now Steals Banking Info From Users in US, UK

Researchers at ThreatFabric recently disclosed details of a new mobile campaign that has been pushing Anatsa, an Android banking trojan, to online banking customers in the U.S., the U.K., Germany, Austria, and Switzerland since March 2023. The malware is being distributed via the Play Store by masquerading as PDF viewer and editor apps and office suites, having over 30,000 installations in the last couple of months. Although ThreatFabric reported the malicious applications to Google, which ended up removing them altogether from the play store, the attackers were observed uploading new malware samples soon after under the guise of other applications.

New PindOS Javascript Dropper Deploys Bumblebee, Icedid Malware

Researchers have identified a novel malicious tool reffered to as PindOS. This tool acts as a delivery mechanism for the Bumblebee and IcedID malware, which are commonly associated with ransomware attacks. PindOS operates as a JavaScript malware dropper, seemingly designed with the sole purpose of retrieving subsequent-stage payloads that ultimately deliver the perpetrators’ final malicious payload.

CISA Releases Cloud Services Guidance and Resources

The Secure Cloud Business Applications (SCuBA) project provides guidance and capabilities to secure agencies’ cloud business application environments and protect federal information that is created, accessed, shared and stored in those environments. SCuBA will help secure federal civilian executive branch (FCEB) information assets stored within cloud environments through consistent, effective, modern, and manageable security configurations.

New Mockingjay Process Injection Technique Evades EDR Detection

A new process injection technique called "Mockingjay" has been discovered by researchers at cybersecurity firm Security Joes. This technique allows threat actors to bypass EDR (Endpoint Detection and Response) systems and execute malicious code on compromised systems without detection. Unlike traditional process injection methods, Mockingjay does not rely on commonly abused Windows API calls, special permissions, or memory allocation, making it more difficult to detect.

American Airlines, Southwest Airlines Disclose Data Breaches Affecting Pilots

American Airlines and Southwest Airlines, two of the largest airlines in the world, recently experienced data breaches caused by the hack of a third-party vendor called Pilot Credentials. The breach occurred on April 30, and both airlines were informed on May 3. The unauthorized individual gained access to Pilot Credentials' systems and stole documents containing information provided by pilot and cadet applicants. American Airlines reported that the breach affected 5,745 pilots and applicants, while Southwest reported a total of 3,009. The stolen information included personal details such as names, Social Security numbers, driver's license numbers, passport numbers, and more. Both airlines have terminated their relationship with the vendor and are directing applicants to self-managed internal portals. They have also notified law enforcement and are cooperating with investigations.

MOVEIt Breach Impacts Genworth, Calpers as Data for 3.2 Million Exposed

PBI Research Services has experienced a data breach, resulting in the disclosure of sensitive information for approximately 4.75 million individuals. This breach occured during the recent series of data-theft attacks targeting MOVEit Transfer. The attacks, initiated by the Clop ransomware gang, commenced on May 27th, 2023. Exploiting a previously unknown vulnerability in MOVEit Transfer, the gang proceeded to extract data from nemerious companies, including PBI and its three clients. In recent days, the Clop gang has adopted an extortion strategy gradually revealing the names of affected organizations on their data leak site. The tactic aims to exert pressure on victims, compelling them to meet the gang's ransom demands.

Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers

In a series of Twitter posts last week, Microsoft stated that it has observed an uptick in credential-stealing attacks from Midnight Blizzard (aka Nobelium, APT29, Cozy Bear, Iron Hemlock, and The Dukes), a notorious Russian state-affiliated hacker group that was behind the 2020 SolarWinds attack. The latest intrusions are using a variety of password spray, brute force, and token theft techniques, with the group also conducting session replay attacks to gain initial access to cloud resources leveraging stolen sessions. Targets highlighted by Microsoft include governments, IT service providers, NGOs, the defense industry, and critical manufacturing.

China-linked APT Group VANGUARD PANDA Uses a New Tradecraft in Recent Attacks

CrowdStrike researchers observed the China-linked APT group VANGUARD PANDA, aka Volt Typhoon, using a novel tradecraft to gain initial access to target networks. The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

Suncor Energy Cyberattack Impacts Petro-Canada Gas Stations

Over the weekend, Suncor, one of Canada’s largest synthetic crude producers, disclosed it suffered from a cyberattack, stating that it is working on resolving the incident and that some transactions with customers and suppliers may have been impacted. Although no additional details were reported in Suncor’s notice, Petro-Canada, a subsidiary of Suncor that operates 1,500 gas stations across Canada, stated it is facing technical issues, preventing customers from paying with credit cards or rewards points. According to a post on Twitter, the company warned customers that they cannot currently log in to their accounts via the app or website and apologized for the inconvenience caused. This outage also prevents earning points when refueling at the company's gas stations.

China-linked APT Group VANGUARD PANDA Uses a New Tradecraft in Recent Attacks

CrowdStrike researchers observed the China-linked APT group VANGUARD PANDA, aka Volt Typhoon, using a novel tradecraft to gain initial access to target networks. The Volt Typhoon group has been active since at least mid-2021 it carried out cyber operations against critical infrastructure. In the most recent campaign, the group targeted organizations in the communications, manufacturing, utility, transportation, construction, maritime, government, information technology, and education sectors.

Mirai Botnet Targets 22 Flaws in D-Link, Zyxel, Netgear Devices

Researchers from Palo Alto Networks’ Unit 42 have detected a modified version of the Mirai botnet, which is actively exploiting nearly 20 vulnerabilities. The primary objective of this botnet is to compromise devices manufactured by D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek. These compromised devices are then utilized to launch distributed of denial of service attacks (DDoS) attacks.

Powerful JavaScript Dropper PindOS Distributes Bumblebee and IcedID Malware

Cybersecurity firm Deep Instinct has uncovered a new JavaScript dropper, dubbed PindOS, that is being used to deliver next-stage payloads like BumbleBee and IceID, both of which are loaders that have also been leveraged to deploy other malware on hosts, including ransomware. “Bumblebee, notably, is a replacement for another loader called BazarLoader, which has been attributed to the now-defunct TrickBot and Conti groups. A report from Secureworks in April 2022 found evidence of collaboration between several actors in the Russian cybercrime ecosystem, including that of Conti, Emotet, and IcedID.

IDOR in Microsoft Teams Allows for External Tenants to Introduce Malware

Security researchers from Jumpsec have discovered a vulnerability in Microsoft Teams that enables attackers to deliver malware directly to employees' inboxes. The bug allows external users to send malicious payloads that appear as downloadable files. By combining this vulnerability with social engineering tactics, attackers can increase the success rate of their attacks. This method bypasses anti-phishing security controls and takes advantage of the trust employees have in messages received through Microsoft Teams. This vulnerability affects every organization using Teams in the default configuration.

RedEyes Group Wiretapping Individuals

“RedEyes, a state-sponsored APT group also known as APT37, ScarCruft, and Reaper, has been identified as targeting individuals such as North Korean defectors, human rights activists, and university professors. Their objective is to monitor the lives of specific individuals. In May 2023, AhnLab Security Emergency response Center (ASEC) discovered RedEyes distributing and utilizing an Infostealer with wiretapping capabilities and a GoLang-based backdoor that exploits the Ably platform. The backdoor allowed the threat actor to send commands through the Ably service, with the API key value required for communication stored in a GitHub repository. This key value allowed anyone with knowledge of it to subscribe to the threat actor's channel”

404 TDS Phishing Campaign: Truebot, FlawedGrace, and Cobalt Strike Intrusion Revealed

During the DFIR investigation conducted in May 2023, a significant intrusion was observed, involving the deployment of Truebot, Cobalt Strike, FlawedGrace (also known as GraceWire & BARBWIRE), and the subsequent deployment of the MBR Killer wiper. The threat actors executed their attack swiftly, successfully exfiltrating data and rendering numerous systems inoperable with the wiper within a span of 29 hours after gaining initial access.

Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites

A critical security flaw has been disclosed in the WordPress "Abandoned Cart Lite for WooCommerce" plugin that's installed on more than 30,000 websites. ‘This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met,’ Defiant's Wordfence said in an advisory. Tracked as CVE-2023-2986, the shortcoming has been rated 9.8 out of 10 for severity on the CVSS scoring system.

UPS Discloses Data Breach After Exposed Customer Info Used in SMS Phishing

Multinational company UPS is notifying customers in Canada that certain personal details could have been compromised through its online package tracking tools, potentially leading to their misuse in phishing attempts. The communication sent by UPS Canada titled “An Update from UPS: Combatting Phishing and Smishing,” appears to be initially aimed at cautioning customers about the risk associated with phishing. However, the communication is, in fact, a notification of a data breach. UPS Canada discreetly includes a disclosure within the message, revealing that they have been receiving reports of SMS phishing messages containing recipients’ names and address information.

Apple Fixes Zero-Days Used to Deploy Triangulation Spyware Via iMessage

Apple recently addressed three zero-day vulnerabilities that were exploited in attacks to install spyware on iPhones via iMessage zero-click exploits. Below is a list of the CVEs:

  • CVE-2023-32434: A kernel integer overflow was addressed with improved input validation
  • CVE-2023-32435: A memory corruption issue in Apple WebKit was addressed with improved state management.
  • CVE-2023-32439: A type confusion issue in WebKit was addressed with improved checks.

    The first two flaws were uncovered by researchers at Kaspersky, Georgy Kucherin, Leonid Bezvershenko, and Boris Larin. According to Kaspersky, the vulnerabilities have been exploited in an ongoing campaign dubbed Operation Triangulation, which has been active since 2019.

  • APT37 Hackers Deploy New FadeStealer Eavesdropping Malware

    The North Korean APT37 hacking group, also known as StarCruft, Reaper, or RedEyes, has recently deployed a new information-stealing malware called "FadeStealer." This malware includes a wiretapping feature, allowing the threat actors to eavesdrop and record from victims' microphones. APT37 has a history of conducting cyber espionage attacks aligned with North Korean interests, targeting North Korean defectors, educational institutions, and EU-based organizations.

    Exploit Released for Cisco AnyConnect Bug Giving SYSTEM Privileges

    A proof-of-concept exploit code has been released for a high-severity vulnerability in Cisco Secure Client Software for Windows, previously known as AnyConnect Secure Mobility Client. This flaw, tracked as CVE-2023-20178, allows authenticated attackers to escalate privileges to the SYSTEM account, which is used by the Windows operating system. The vulnerability can be exploited without user interaction and takes advantage of a specific function in the Windows installer process.

    New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks

    A new malware called Condi has been observed exploiting a security vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to rope the devices into a distributed denial-of-service (DDoS) botnet. Fortinet FortiGuard Labs said the campaign has ramped up since the end of May 2023. Condi is the work of a threat actor who goes by the online alias zxcr9999 on Telegram and runs a Telegram channel called Condi Network to advertise their warez. ‘The Telegram channel was started in May 2022, and the threat actor has been monetizing its botnet by providing DDoS-as-a-service and selling the malware source code,’ security researchers Joie Salvio and Roy Tay said.

    Zyxel Warns of Critical Command Injection Flaw in NAS Devices

    Zxyel recently published security updates to address a critical command injection vulnerability impacting its Network Attached Storage (NAS) devices, warning customers to update their firmware. Tracked as CVE-2023-27992, the vulnerability is due to a pre-authentication command injection problem that could enable an unauthenticated attacker to execute operating system commands on the impacted device via specially crafted HTTP requests.

    Hackers Infect Linux SSH Servers With Tsunami Botnet Malware

    An unidentified malicious entity is employing brute-force techniques to gain unauthorized access to Linux SSH servers, enabling the installation of various forms of malicious software. The malware includes the Tsunami DDoS bot, ShellBot, log cleaners, tools for privilege escalation, and an XMRig coin miner designed to mine Monero. SSH (Secure Socket Shell) is a secure and encrypted network communication protocol used for remote administration of Linux devices. It facilitates activities such as executing commands, modifying configurations, updating software, and resolving issues for network administrators.

    3CX Data Exposed, Third-Party to Blame

    3CX, a popular Voice over Internet Protocol (VoIP) comms provider, was exposed due to the negligence of a third-party vendor. The vendor's open server left instances of Elasticsearch and Kibana vulnerable, leading to the discovery of the exposed data on May 15th. This discovery came to light nearly two months after the initial cyberattacks on 3CX, which had previously been targeted by North Korean hackers. The exposed data included call metadata, license keys, and encoded database strings, posing significant risks.

    Clop Ransomware and the MOVEit Cyberattack: What to Know

    The recent Clop ransomware attack targeted the MOVEit Transfer file-transfer platform, resulting in compromised networks worldwide. The attack exploited a vulnerability in the Managed File Transfer (MFT) application using a structured query language (SQL) attack vector. The compromised platforms contained sensitive data, potentially exposing a wide range of sensitive customer information from various industries and geographies. Affected entities included U.S. government agencies, airlines, media companies, an oil giant, health services, and international consulting firms.

    New RDStealer Malware Steals From Drives Shared Over Remote Desktop

    Bitdefender Labs has discovered a cyberespionage and hacking campaign called 'RedClouds' that utilizes custom malware known as 'RDStealer' to automatically steal data from drives shared through Remote Desktop connections. The campaign has been active since at least 2020, primarily targeting systems in East Asia. While the specific threat actors behind RedClouds have not been identified, Bitdefender suggests that their interests align with China and that they possess the sophistication of a state-sponsored Advanced Persistent Threat (APT) group.

    Chinese APT15 Hackers Resurface with New Graphican Malware

    Today, the Threat Hunter Team at Symantec, part of Broadcom, reports that APT15's latest campaign targets foreign affairs ministries in Central and South American countries. The researchers report that the new Graphican backdoor is an evolution of an older malware used by the hackers rather than a tool created from scratch. It is notable for using Microsoft Graph API and OneDrive to stealthily obtain its command and control (C2) infrastructure addresses in encrypted form, giving it versatility and resistance against take-downs.

    Iowa’s Largest School District Confirms Ransomware Attack, Data Theft

    Des Moines Public Schools, Iowa's largest school district, confirmed today that a ransomware attack was behind an incident that forced it to take all networked systems offline on January 9, 2023. While the school district also received a ransom demand following the attack from an unnamed ransomware group, the ransom has not been paid. Almost 6,700 individuals whose data was affected in the resulting data breach will be contacted this week with details regarding what personal information was exposed.

    Russian APT28 Hackers Breach Ukrainian Govt Email Servers

    A cyber-espionage group known as APT28, which is associated with Russia's General Staff Main Intelligence Directorate (GRU), has successfully infiltrated Roundcube email servers belonging to various Ukrainian organizations, including government entities. This threat group, also identified as BlueDelta, Fancy Bear, Sednit, and Sofacy, took advantage of the ongoing Russia-Ukraine conflict to deceive recipients.

    ASUS Urges Customers to Patch Critical Router Vulnerabilities

    Yesterday, ASUS released firmware updates to address vulnerabilities impacting several of its router models, warning customers to update their devices or restrict WAN access until they’re secure. In total, 9 vulnerabilities were addressed, some of which have been rated high and critical in severity. Most severe of the flaws include CVE-2022-26376 and CVE-2018-1160, which have both received a 9.8 score out of 10 on the CVSS scale. CVE-2022-26376 relates to a critical memory corruption weakness in the Asuswrt firmware used in Asus routers. Successful exploitation of this flaw could enable a threat actor to trigger a denial of service or gain code execution.

    Vidar Malware Using New Tactics to Evade Detection and Anonymize Activities

    The threat actors behind the Vidar malware have made changes to their backend infrastructure, indicating attempts to retool and conceal their online trail in response to public disclosures about their modus operandi. ‘Vidar threat actors continue to rotate their backend IP infrastructure, favoring providers in Moldova and Russia,’ cybersecurity company Team Cymru said in a new analysis shared with The Hacker News. Vidar is a commercial information stealer that's known to be active since late 2018. It's also a fork of another stealer malware called Arkei and is offered for sale between $130 and $750 depending on the subscription tier. Typically delivered through phishing campaigns and sites advertising cracked software, the malware comes with a wide range of capabilities to harvest sensitive information from infected hosts.

    MOVEit Transfer Customers Warned of New Flaw as PoC Info Surfaces

    On Thursday, Progress software disclosed yet another vulnerability in its MOVEit Transfer application, making this the third vulnerability the company has addressed since May 2023. Similar to the previous flaws (CVE-2023-34362 (May 31, 2023) & CVE-2023-35036 (June 9, 2023)), the latest vulnerability (CVE-2023-35708 (June 15, 2023)) also relates to a case of SQLi injection and could allow threat actors to escalate privileges and potentially gain unauthorized access to MOVEit Transfer’s database.

    Rhysida Ransomware Leaks Documents Stolen From Chilean Army

    The group responsible for a recent ransomware operation named Rhysida has released online a set of documents they claim were stolen from the network of the Chilean Army (Ejército de Chile). After confirming a security incident on May 29, where their systems were compromised over the weekend of May 27, the Chilean Army took immediate action by isolating the network. Military security experts have begun the process of restoring the affected systems. The incident was promptly reported to Chile's Computer Security Incident Response Team (CSIRT), which operates under the Joint Chiefs of Staff and the Ministry of National Defense. Shortly after the disclosure of the attack, local media reported the arrest and charges filed against an Army corporal in connection with the ransomware attack.

    CISA and NSA Publish BMC Hardening Guidelines

    The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have released joint guidance on hardening Baseboard Management Controllers (BMCs). Published this week, the document aims to address the overlooked vulnerabilities in BMCs, which can serve as potential entry points for malicious actors seeking to compromise critical infrastructure systems.

    Suspected LockBit Ransomware Affiliate Arrested, Charged in US

    Ruslan Magomedovich Astamirov, a 20-year-old Russian national from the Chechen Republic, has been arrested in Arizona and charged by the U.S. Justice Department for his alleged involvement in deploying LockBit ransomware on the networks of victims in the United States and abroad. According to the criminal complaint, Astamirov participated in a conspiracy with other members of the LockBit ransomware campaign to commit wire fraud, intentionally damage protected computers, and make ransom demands through the use of ransomware.

    Barracuda ESG Zero-Day Attacks Linked to Suspected Chinese Hackers

    The hacking group UNC4841 has been connected to data theft incidents targeting Barracuda ESG appliances. These attacks exploited a zero-day vulnerability, CVE-2023-2868, which allowed remote command injection in Barracuda’s email attachment scanning module. The vendor became aware of the vulnerability on May 19th and promptly disclosed the exploitation. CISA issued an alert urging the U.S Federal agencies to apply the necessary security updates. Barracuda took the decision earlier this month to offer affected customers free device replacements instead of reimaging them with new firmware.

    Windows 11 KB5027231 Update Breaks Google Chrome For Malwarebytes Users

    As part of the June Patch Tuesday, Microsoft rolled out the Windows 11 22H2 KB5027231 update to fix several vulnerabilities. According to Malwarebytes, the patch is blocking Chrome from loading on updated systems running the vendor’s anti-exploit module. “On June 13, 2023, Microsoft's KB5027231 update installed on Windows 11 caused a conflict between Google Chrome and exploit protection, resulting in browser crashes, stated Malwarebytes in an advisory.

    GravityRAT Android Trojan Steals WhatsApp Backups and Deletes Files

    An updated version of an Android remote access trojan dubbed GravityRAT has been found masquerading as messaging apps BingeChat and Chatico as part of a narrowly targeted campaign since June 2022. ‘Notable in the newly discovered campaign, GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files,’ ESET researcher Lukáš Štefanko said in a new report published today.

    LockBit Ransomware Extorted $91 Million in 1,700 U.S. Attacks

    In a joint advisory, U.S. and international cybersecurity authorities have revealed that the LockBit ransomware gang has extorted approximately $91 million from U.S. organizations through around 1,700 attacks since 2020. LockBit, a Ransomware-as-a-Service (RaaS) operation, emerged as the leading global ransomware threat in 2022, with the highest number of victims reported on their data leak site.

    Russian Hackers Use PowerShell USB Malware to Drop Backdoors

    The Russian state-sponsored hacking group Gamaredon (aka Armageddon or Shuckworm) continues to target critical organizations in Ukraine's military and security intelligence sectors, employing a refreshed toolset and new infection tactics. Previously, the Russian hackers, who have been linked to the FSB, were observed using information-stealers against Ukrainian state organizations, employing new variants of their "Pteranodon" malware, and also using a default Word template hijacker for new infections. Symantec's threat research team, part of Broadcom, reports today that the threat actors have recently begun using USB malware to propagate to additional systems inside infected networks.

    Unveiling the Balada Injector: A Malware Epidemic in WordPress

    In April 2023, credible sources such as Bleeping Computer and TechRadar began disseminating alarming accounts of cybercriminals who ingeniously breached WordPress websites. Exploiting the vulnerabilities of the widely-admired plugins, Elementor Pro Premium (webpage builder) and WooCommerce (online storefront), these malicious actors gained unauthorized access with devastating consequences.

    Microsoft June 2023 Patch Tuesday fixes 78 flaws, 38 RCE bugs

    As part of the June Patch Tuesday, Microsoft addressed 78 flaws which include 17 Elevation of Privilege Vulnerabilities, 3 Security Feature Bypass Vulnerabilities, 32 Remote Code Execution Vulnerabilities, 5 Information Disclosure Vulnerabilities, 10 Denial of Service Vulnerabilities, 10 Spoofing Vulnerabilities, and 1 Edge - Chromium Vulnerability. Out of the 78 flaws fixed, 6 have been rated critical in severity, 63 rated Important, 2 rated moderate, and 1 rated low in severity.

    Fake Zero-Day PoC Exploits on GitHub Push Windows, Linux malware

    Hackers are impersonating cybersecurity researchers on Twitter and GitHub to publish fake proof-of-concept exploits for zero-day vulnerabilities that infect Windows and Linux with malware. These malicious exploits are promoted by alleged researchers at a fake cybersecurity company named 'High Sierra Cyber Security,' who promote the GitHub repositories on Twitter, likely to target cybersecurity researchers and firms involved in vulnerability research. The repositories appear legitimate, and the users who maintain them impersonate real security researchers from Rapid7, and other security firms, even using their headshots.

    Gozi Host 'Virus' Sentenced to 3 Years in US Prison

    Mihai Ionut Paunescu, a 39-year-old Romanian national, has been sentenced to 36 months in a U.S. federal prison for his role in hosting the digital infrastructure used for banking Trojans that led to the theft of tens of millions of dollars. He pleaded guilty to conspiring to commit computer intrusion with the intent to defraud. Paunescu, also known as "Virus," played a critical role in providing the necessary IT infrastructure, which involved renting IP addresses and relocating customer data to different networks and IP addresses to avoid detection by law enforcement.

    Researchers Uncover XSS Vulnerabilities in Azure Services

    Cybersecurity experts at Orca Security have identified two critical cross-site scripting (XSS) vulnerabilities in Microsoft Azure services. The vulnerabilities are related to an identified weakness in the postMessage iframe. Abusing this flaw could expose Azure users to potential security breaches. These vulnerabilities were found in both Azure Bastion and the Azure Container Registry, which are two commonly used services in the Azure ecosystem.

    UK Communications Regulator Ofcom Hacked With a Moveit File Transfer Zero-Day

    The UK’s communication regulator, Ofcom, revealed a data breach caused by a Clop ransomware attack. Exploiting a zero-day vulnerability in the MOveit file transfer system, the attackers successfully infiltrated Ofcom’s infrastructure. A representative from Ofcom stated “A limited amount of information about certain companies we regulate – some of it confidential – along with personal data of 412 Ofcom employees, was downloaded during the attack,” the spokesperson told The Record.

    Massive Phishing Campaign Uses 6,000 Sites to Impersonate 100 Brands

    A widespread brand impersonation campaign targeting over a hundred popular apparel, footwear, and clothing brands has been underway since June 2022, tricking people into entering their account credentials and financial information on fake websites. The brands impersonated by the phony sites include Nike, Puma, Asics, Vans, Adidas, Columbia, Superdry Converse, Casio, Timberland, Salomon, Crocs, Sketchers, The North Face, UGG, Guess, Caterpillar, New Balance, Fila, Doc Martens, Reebok, Tommy Hilfiger, and others. According to Bolster's threat research team, who discovered the campaign, it relies on at least 3,000 domains and roughly 6,000 sites, including inactive ones.

    Microsoft: Azure Portal Outage Was Caused by Traffic "Spike”

    Microsoft revealed in an update to the Azure status page that the preliminary root cause behind an outage that impacted the Azure Portal worldwide on Friday was what it described as a traffic "spike." Customers who wanted to access the Azure Portal on Friday afternoon at[.]com reported issues connecting and seeing a warning saying,

    RDP Honeypot Targeted 3.5 Million Times in Brute-force Attacks

    Researchers using a Remote Desktop Protocol honeypot found that exposed connections are so attractive to attackers that they were targeted around 37,000 times a day from various IP addresses. The attacks are completely automated, but once the right access credentials were found via brute-forcing, hackers will manually begin looking for important or sensitive files.

    Microsoft Warns of Multi-Stage AiTM Phishing and BEC Attacks

    Microsoft researchers have issued a warning about a new form of cyber attack known as "adversary-in-the-middle" (AiTM) phishing and business email compromise (BEC), specifically targeting banking and financial institutions. These attacks involve threat actors creating a proxy server that sits between a user and their desired website. The proxy server, controlled by the attackers, intercepts and captures the user's password and session cookie, allowing the attackers to gain unauthorized access to sensitive information.

    Ukrainian Hackers Take Down Service Provider for Russian Banks

    A group of Ukrainian hackers known as the Cyber.Anarchy.Squad claimed an attack that took down Russian telecom provider Infotel JSC on Thursday evening. Among other things, Moscow-based Infotel provides connectivity services between the Russian Central Bank and other Russian banks, online stores, and credit institutions.

    Xplain Data Breach Also Impacted the National Swiss Railway FSS

    The Play ransomware attack suffered by the IT services provider Xplain has proven to be worse than initially estimated. The incident has also impacted the national railway company of Switzerland (FSS) and the canton of Aargau. In early June, Swiss police initiated an investigation into the cyber attack that targeted Xplain, a Bernese IT company providing services to various federal and cantonal government departments, the army, customs, and the Federal Office of Police (Fedpol).

    Nova Scotia Health Says 100,000 Affected by MOVEit Hack

    The personal information of approximately 100,000 Nova Scotia Health employees was unlawfully obtained by hackers who exploited a zero-day vulnerability in Progress Software's MOVEit managed file transfer application. The recent disclosure made by the women's and children's health center is a sign that other healthcare organizations may also announce data breaches caused by ransomware hackers who exploited a previously fixed vulnerability in the software.

    Kimsuky Targets Think Tanks and News Media with Social Engineering Attacks

    Researchers at SentinelOne have uncovered a new Kimsuky-backed social-engineering campaign targeting experts in North Korean affairs to steal Google and subscription credentials for NK news, an American-based news website that provides analysis and news focusing on North Korea. In the latest campaign, the group was observed sending emails impersonating Chad O’Carroll, the founder of NK News. The emails request victims to review a draft article analyzing the nuclear threat posed by North Korea. If the victim replies to the email, a follow up email is sent by Kimsuky which contains a spoofed URL to a Google document, designed to redirect the target to a malicious website crafted to capture Google credentials.

    Researchers Published PoC Exploit Code for Actively Exploited Windows Elevation of Privilege Issue

    The Microsoft Windows vulnerability CVE-2023-29336 (CVSS score 7.8) is an elevation of privilege issue that resides in the Win32k component. Win32k.sys is a system driver file in the Windows operating system. The driver is responsible for providing the interface between user-mode applications and the Windows graphical subsystem. The vulnerability is actively exploited in attacks. The issue can be chained with a code execution bug to spread malware. The vulnerability was reported by researchers Jan Vojtěšek, Milánek, and Luigino Camastra from Avast Antivirus firm. The researchers believe this flaw was used as part of an exploit chain to deliver malware.

    Clop Ransomware Likely Testing MOVEit Zero-day Since 2021

    he Clop ransomware gang has been looking for ways to exploit a now-patched zero-day in the MOVEit Transfer managed file transfer (MFT) solution since 2021, according to Kroll security experts. While analyzing logs on some clients' compromised networks during the investigation of recent Clop data theft attacks targeting vulnerable MOVEit Transfer instances, they found malicious activity matching the method used by the gang to deploy the newly discovered LemurLoot web shell.

    Hacking Group Seen Mixing Cybercrime and Cyberespionage

    Researchers suggest that a hacking collective, believed to have connections to the Belarusian government, is engaging in a fusion of illicit cyber activities involving both criminal endeavors and espionage in the digital realm. There is evidence to suggest that a hacking organization linked to the Belarusian government is blending cybercrime activities with cyberespionage. Referred to as Asylum Ambuscade, this group has been identified as "a cybercrime group that engages in some cyberespionage activities on the side" since 2020, as stated in a recent report by cybersecurity firm ESET, authored by malware researcher Matthieu Faou.

    Royal Ransomware Gang Adds BlackSuit Encryptor to Their Arsenal

    The Royal ransomware gang has begun testing a new encryptor called BlackSuit that shares many similarities with the operation's usual encryptor. Since late April, there have been rumbles that the Royal ransomware operation was getting ready to rebrand under a new name. This escalated further after they began to feel pressure from law enforcement after they attacked the City of Dallas, Texas. A new BlackSuit ransomware operation was discovered in May that used its own branded encryptor and Tor negotiation sites.

    Cisco Fixes AnyConnect Bug Giving Windows SYSTEM Privileges

    Cisco recently addressed a high-severity flaw in its Cisco Secure Client software that could allow threat actors to escalate privileges to the SYSTEM account used by the operating system. “Cisco Secure Client enables employees to work from anywhere via a secure Virtual Private Network (VPN) and provides admins with endpoint management and telemetry features.

    Barracuda Says Hacked ESG Appliances Must be Replaced Immediately

    Email and network security company Barracuda warns customers they must replace Email Security Gateway (ESG) appliances hacked in attacks targeting a now-patched zero-day vulnerability. "Impacted ESG appliances must be immediately replaced regardless of patch version level," the company warned in a Tuesday update to the initial advisory. "Barracuda's remediation recommendation at this time is full replacement of the impacted ESG.

    Researchers Spot a Different Kind of Magecart Card-Skimming Campaign

    A cybercriminal affiliated with the Magecart group has successfully infected an undisclosed number of e-commerce websites across the United States, United Kingdom, and five other countries with malware designed to skim credit card numbers and personally identifiable information (PII) from unsuspecting individuals who engage in online purchases on these platforms. However, a novel twist in this malicious campaign involves the exploitation of the same compromised websites as hosts for distributing the card-skimming malware to other targeted sites.

    Outlook Hit By Outages as Hacktivists Claim DDoS Attacks is suffering a series of outages today after being down multiple times yesterday, with hacktivists known as Anonymous Sudan claiming to perform DDoS attacks on the service. This outage follows two major outages yesterday, creating widespread disruptions for global Outlook users, preventing users worldwide from reliably accessing or sending email and using the mobile Outlook app.

    NASA Website Flaw Jeopardizes Astrobiology Fans

    The open redirect vulnerability plaguing NASA's Astrobiology website was independently discovered by the Cybernews research team. Upon finding the flaw, it was revealed that a researcher from an open bug bounty program had already identified it a few months earlier on January 14th, 2023. However, the agency failed to address and fix the vulnerability, exposing global users to risks until May 2023. Attackers could have exploited the flaw to redirect unsuspecting users to malicious websites, luring them into providing sensitive data such as login credentials and credit card numbers.

    New ChatGPT Attack Technique Spreads Malicious Packages

    A new cyber-attack technique using the OpenAI language model ChatGPT has emerged, allowing attackers to spread malicious packages in developers' environments. Vulcan Cyber's Voyager18 research team described the discovery in an advisory published today. "We've seen ChatGPT generate URLs, references and even code libraries and functions that do not actually exist. These large language model (LLM) hallucinations have been reported before and may be the result of old training data," explains the technical write-up by researcher Bar Lanyado and contributors Ortal Keizman and Yair Divinsky.

    New ‘Powerdrop’ Powershell Malware Targets U.S. Aerospace Industry

    A new PowerShell malware called "PowerDrop" specifically targets the U.S. aerospace defense industry. The cybersecurity firm Adlumin, found a sample of this malware in the network of a defense contractor in the U.S. PowerDrop utilizes PowerShell and Windows Management Instrumentation (WMI) to establish a persistent remote access trojan (RAT) within the compromised networks. The tactics employed by the malware fall somewhere between "off-the-shelf" malware and sophisticated advanced persistent threat (APT) techniques. Based on the timing and targets of the attacks, it is highly probable that the perpetrator behind the malware is a state-sponsored entity.

    Cyclops Ransomware Gang Offers Go-Based Info Stealer to Cybercriminals

    Threat actors associated with the Cyclops ransomware have been observed offering an information stealer malware that's designed to capture sensitive data from infected hosts. ‘The threat actor behind this [ransomware-as-a-service] promotes its offering on forums," Uptycs said in a new report.' ‘There it requests a share of profits from those engaging in malicious activities using its malware.’ The Go-based stealer, for its part, is designed to target Windows and Linux systems, capturing details such as operating system information, computer name, number of processes, and files of interest matching specific extensions.

    Google Fixes New Chrome Zero-Day Flaw With Exploit in the Wild

    Yesterday, Google released security updates to address a zero-day flaw in its Chrome web browser. Tracked as CVE-2023-3079, the bug has been assessed as a high-severity issue and is related to a type confusion bug in the Chrome V8 JavaScript engine. “Type confusion bugs arise when the engine misinterprets the type of an object during runtime, potentially leading to malicious memory manipulation and arbitrary code execution.

    Iowa Reports Third Big Vendor Breach This Year

    The state government of Iowa has recently reported its third major health data breach since April, all involving third-party vendors. The most recent breach occurred at dental health insurer MCNA Insurance Co., with the Iowa Department of Health and Human Services disclosing that hackers compromised the protected health information of nearly 234,000 Iowa residents.

    Alarming Surge in TrueBot Activity Revealed with New Delivery Vectors

    VMware’s Carbon Black Managed Detection and Response (MDR) team saw a surge in TrueBot activity in May 2023. TrueBot is a botnet that has been active since 2017 and is linked to the Silence group, a cybercriminal group that is known for targeting banks and financial institutions, in addition to the educator sector. According to VMware’s MDR team, TrueBot has been under active development by Silence, with the latest versions now leveraging a Netwrix vulnerability (CVE-2022-31199, CVSS score: 9.8) as a delivery vector.

    Microsoft Links Clop Ransomware Gang to MOVEit Data-Theft Attacks

    On Sunday night, Microsoft's Threat Intelligence team tweeted that they have linked the recent attacks that exploit a zero-day vulnerability in the MOVEit Transfer platform to the Clop ransomware gang, which is also known as Lace Tempest. This particular gang has gained a reputation for conducting ransomware operations and managing the Clop extortion site. BleepingComputer was the first to report last Thursday that threat actors have been exploiting a previously unknown vulnerability in MOVEit Transfer servers to illicitly obtain data from targeted organizations.

    Zyxel Shares Tips on Protecting Firewalls From Ongoing Attacks.

    Zyxel has published a security advisory containing guidance on protecting firewall and VPN devices from ongoing attacks and detecting signs of exploitation. This warning comes in response to multiple reports of widespread exploitation of the CVE-2023-28771 and the exploitability and severity of CVE-2023-33009 and CVE-2023-33010, all impacting Zyxel VPN and firewall devices.

    New Linux Ransomware BlackSuit is Similar to Royal Ransomware

    Royal ransomware is one of the most notable ransomware families of 2022, it made the headlines in early May 2023 with the attack against the IT systems in Dallas, Texas. The human-operated Royal ransomware first appeared on the threat landscape in September 2022, it has demanded ransoms up to millions of dollars.

    Toyota Admits to Yet Another Cloud Leak

    Toyota, the automobile manufacturer, apologized for leaking customer records online due to a misconfigured cloud environment. This is the second time Toyota has apologized for a cloud leak in recent weeks. The company said the leak was caused by "insufficient dissemination and enforcement of data handling rules." Toyota said there is no evidence that the data has been misused.

    Camaro Dragon Strikes with New TinyNote Backdoor for Intelligence Gathering

    The Chinese nation-stage group known as Camaro Dragon has been linked to yet another backdoor that's designed to meet its intelligence-gathering goals. Israeli cybersecurity firm Check Point, which dubbed the Go-based malware TinyNote, said it functions as a first-stage payload capable of ‘basic machine enumeration and command execution via PowerShell or Goroutines.’ What the malware lacks in terms of sophistication, it makes up for it when it comes to establishing redundant methods to retain access to the compromised host by means of multiple persistency tasks and varied methods to communicate with different servers.

    Malicious Chrome Extensions With 75M Installs Removed From Web Store

    Google has removed from the Chrome Web Store 32 malicious extensions that could alter search results and push spam or unwanted ads. Collectively, they come with a download count of 75 million. The extensions featured legitimate functionality to keep users unaware of the malicious behavior that came in obfuscated code to deliver the payloads. Cybersecurity researcher Wladimir Palant analyzed the PDF Toolbox extension (2 million downloads) available from Chrome Web Store and found that it included code that was disguised as a legitimate extension API wrapper.

    New Horabot Campaign Takes Over Victim’s Gmail, Outlook Accounts

    A previously unknown campaign involving the Hotabot botnet malware has targeted Spanish-speaking users in Latin America since at least November 2020, infecting them with a banking trojan and spam tool. The malware enables the operators to take control of the victim's Gmail, Outlook, Hotmail, or Yahoo email accounts, steal email data and 2FA codes arriving in the inbox, and send phishing emails from the compromised accounts. The new Horabot operation was discovered by analysts at Cisco Talos, who report that the threat actor behind it is likely based in Brazil. The multi-stage infection chain begins with a tax-themed phishing email sent to the target, with an HTML attachment that is supposedly a payment receipt. Opening the HTML launches a URL redirection chain that lands the victim on an HTML page hosted on an attacker-controlled AWS instance.

    Top 3 API Security Risks and How to Mitigate Them

    The application programming interface (API) is an unsung hero of the digital revolution. It provides the glue that sticks together diverse software components in order to create new user experiences. But in providing a direct path to back-end databases, APIs are also an attractive target for threat actors. It doesn’t help that they have exploded in number over recent years, leading many deployments to go undocumented and unsecured. According to one recent study, 94% of global organizations have experienced API security problems in production over the past year with nearly a fifth (17%) suffering an API-related breach. It’s time to gain visibility and control of these digital building blocks.

    New MOVEit Transfer Zero-Day Mass-Exploited in Data Theft Attacks

    Cybercriminals are taking advantage of a zero-day vulnerability in the MOVEit Transfer software. This vulnerability allows them to illicitly obtain data from targeted organizations. MOVEit Transfer is a managed file transfer (MFT) software designed by Ipswitch, a subsidiary of Progress Software Corporation based in the United States. It facilitates secure file transfers between enterprises, business partners, and customers using protocols like SFTP, SCP, and HTTP-based uploads.

    SpinOk Trojan Compromises 421 Million Android Devices

    Security researchers have recently detected a novel Android Trojan that has the potential to compromise a staggering 421 million devices. In a recently released advisory on Monday, the Doctor Web team revealed details about this Trojan, referred to as Android[.]Spy.SpinOk. Android[.]Spy.SpinOk possesses numerous spyware capabilities, such as gathering files and capturing clipboard content. This Trojan spreads by being concealed within other applications, thereby infecting a vast number of devices.

    Experts Warn of Backdoor-like Behavior Within Gigabyte Systems

    This should be treated as Critical if you are a user of Gigabyte systems. We may upgrade this to High severity should reports of active exploitation occur.

    Researchers from firmware security firm Eclypsium have discovered a suspected backdoor-like behavior within Gigabyte systems. The experts discovered that the firmware in Gigabyte systems drops and executes a Windows native executable during the system startup process. The executable is utilized for insecure downloading and execution of additional payloads. The experts pointed out that this is the same behavior observed for other OEM backdoor-like features like Computrace backdoor (a.k.a. LoJack DoubleAgent) and firmware implants such as Sednit LoJax, MosaicRegressor, Vector-EDK,.

    Hackers Exploit Critical Zyxel Firewall Flaw in Ongoing Attacks

    A critical command injection flaw in Zyxel networking devices is being exploited by hackers in widespread attackers to install malware. Tracked as CVE-2023-28771, the flaw resides in the default configuration of impacted firewall and VPN devices and can be abused to perform unauthenticated remote code execution via a specially crafted IKEv2 packet to UDP port 500 on the impacted device.

    Improved BlackCat Ransomware Strikes with Lightning Speed and Stealthy Tactics

    The threat actors behind BlackCat ransomware have come up with an improved variant that prioritizes speed and stealth in an attempt to bypass security guardrails and achieve their goals. The new version, dubbed Sphynx and announced in February 2023, packs a ‘number of updated capabilities that strengthen the group's efforts to evade detection,’ IBM Security X-Force said in a new analysis. The ‘product’ update was first highlighted by vx-underground in April 2023. Trend Micro, last month, detailed a Linux version of Sphynx that's ‘focused primarily on its encryption routine.

    Dark Pink Hackers Continue to Target Govt and Military Organizations

    In 2023, the Dark Pink APT hacking group remains highly active, focusing its attacks on government, military, and education organizations in Indonesia, Brunei, and Vietnam. This threat group has been operational since around mid-2021, primarily concentrating its efforts on targets in the Asia-Pacific region. However, it was only in January 2023 that the group gained public attention following a report by Group-IB. According to the researchers, a thorough analysis of the group's past activities has revealed further instances of breaches.

    Microsoft Details Critical Apple macOS Vulnerability Allowing SIP Protection Bypass

    Researchers at Microsoft, Jonathan Bar Or, Michael Pearse, and Anurag Bohra, recently disclosed details of a now-patched flaw in Apple macOS that could be exploited by threat actors with root access to bypass security enforcements and perform arbitrary actions on unpatched devices. Tracked as CVE-2023-32369 (aka ‘Migraine’), the flaw could permit actors to bypass a security feature dubbed System Integrity Protection (SIP) which is designed to limit the actions a root user can perform on protected files and folders. By abusing this flaw, “an attacker can create files that are protected by SIP and therefore undeletable by ordinary means.

    Human Error Fuels Industrial APT Attacks, Kaspersky Reports

    Cybersecurity firm Kaspersky has identified the primary factors contributing to advanced persistent threat (APT) attacks in industrial sectors. The first of them, discussed in a new report published today, is the absence of isolation in operational technology (OT) networks” (Info Security Magazine, 2023). Kaspersky observed engineering workstations being connected to both the IT and OT networks. Previously air-gapped OT/ICS environments are being more commonly connected to the Internet.

    Gouda Hacker: Charges Tie to Ransomware Hit Affecting Cheese

    Mikhail Matveev, 31, the Russian national whom prosecutors accused of wielding not one but three strains of ransomware. Two federal indictments unsealed this month accuse Matveev - aka Wazawaka, m1x, Boriselcin, Uhodiransomwar - of operating as an affiliate for the LockBit, Babuk and Hive ransomware groups. Security experts say the indictments are notable because they don't target ransomware-as-a-service group chiefs but rather a foot soldier who was directly responsible for hacking into victims' networks and using the ransomware to extort them.

    Beware of the New Phishing Technique “File Archiver in the Browser” That Exploits Zip Domains

    Phishers have devised a novel phishing technique known as "file archiver in the browser" that capitalizes on victims visiting a .ZIP domain. This method involves emulating a file archiver software within a web browser, as revealed by security researcher mr.d0x. Recently, Google introduced eight additional top-level domains (TLDs), including .zip and .mov. However, cybersecurity professionals are cautioning about potential malicious activities associated with these domains.

    New Hacking Forum Leaks Data of 478,000 RaidForums Members

    A database for the notorious RaidForums hacking forums has been leaked online, allowing threat actors and security researchers insight into the people who frequented the forum. RaidForums was a very popular and notorious hacking and data leak forum known for hosting, leaking, and selling data stolen from breached organizations. Threat actors who frequented the forum would hack into websites or access exposed database servers to steal customer information.

    Invoice and CEO Scams Dominate Fraud Impacting Businesses

    Losses to fraud reported by the organization's more than 300 member firms, which provide credit, banking, markets and payment services in the U.K., declined 8% from 2021, although still involved 3 million cases of fraud. "These numbers are big but slightly down on where we were in 2021, both in terms of the number of cases and the value of losses," said Lee Hopley, director of economic insight and research at UK Finance. The industry reported preventing about $1.5 billion worth of fraud in 2022, although she said the actual amount is likely higher, given the challenges of measuring fraud prevention.

    Lazarus Hackers Target Windows IIS Web Servers for Initial Access

    The notorious North Korean state-backed hackers, known as the Lazarus Group, are now targeting vulnerable Windows Internet Information Services (IIS) web servers to gain initial access to corporate networks. Lazarus is primarily financially motivated, with many analysts believing that the hackers' malicious activities help fund North Korea's weapons development programs. However, the group has also been involved in several espionage operations. The latest tactic of targeting Windows IIS servers was discovered by South Korean researchers at the AhnLab Security Emergency Response Center (ASEC).

    New OT Malware Possibly Related To Russian Emergency Response Exercises

    COSMICENERGY’s capabilities and overall attack strategy appear reminiscent of the 2016 INDUSTROYER incident, which issued IEC-104 ON/OFF commands to interact with RTUs and, according to one analysis, may have made use of an MSSQL server as a conduit system to access OT. Leveraging this access, an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption. COSMICENERGY accomplishes this via its two derivative components, which we track as PIEHOP and LIGHTWORK. PIEHOP is a disruption tool written in Python and packaged with PyInstaller that is capable of connecting to a user-supplied remote MSSQL server for uploading files and issuing remote commands to a RTU. PIEHOP utilizes LIGHTWORK to issue the IEC-104 commands "ON" or "OFF" to the remote system and then immediately deletes the executable after issuing the command.

    BlackByte Ransomware Claims City of Augusta Cyberattack

    The City of Augusta in Georgia, USA, has verified that the recent disruption to its IT system was a result of unauthorized intrusion into its network. While the administration has not revealed specific details about the nature of the cyberattack, the BlackByte ransomware group has publicly acknowledged the city of Augusta as one of its targeted victims.

    Microsoft 365 Phishing Attacks Use Encrypted RPMSG Messages

    Attackers are now using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts to steal Microsoft credentials in targeted phishing attacks designed to evade detection by email security gateways. RPMSG files (also known as restricted permission message files) are encrypted email message attachments created using Microsoft's Rights Management Services (RMS) and offer an extra layer of protection to sensitive info by restricting access to authorized recipients. To access and read the encrypted contents of RPMSG attachments, recipients are required to either authenticate using their Microsoft account or acquire a one-time passcode for decryption.

    New Buhti Ransomware Uses Leaked Payloads and Public Exploits

    A relatively new ransomware operation calling itself Buhti appears to be eschewing developing its own payload and is instead utilizing variants of the leaked LockBit and Babuk ransomware families to attack Windows and Linux systems. While the group doesn’t develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types. Buhti, which first came to public attention in February 2023, was initially reported to be attacking Linux computers. However, Symantec’s Threat Hunter Team has also uncovered attempts to attack Windows computers on compromised networks.

    ‘Operation Magalenha’ Targets Credentials of 30 Portuguese Banks

    A report from Sentinel Labs has revealed the details of this campaign, shedding light on the tools utilized by the threat actor, the different methods of infection employed, and the techniques employed to distribute their malware. The analyst obtained information regarding the origin and tactics of the threat actor through the discovery of a server misconfiguration that inadvertently exposed files, directories, internal correspondence, and other sensitive data.

    North Korea-Linked Lazarus APT Targets Microsoft IIS Servers to Deploy Malware

    Researchers at AnhLab Security Emergency Response Center (ASEC) have revealed that the Lazarus APT Group, a cybercriminal organization associated with North Korea, has been focusing its attention on exploiting vulnerable Microsoft IIS servers. Through the use of DLL side-loading, the attackers deploy a malicious Dll file named msvcr100[.]dll, which is strategically placed in the same directory as a legitimate application called Wordconv[.]exe. By exploiting the Windows ISS web server process the malicious library is executed to carry out their nefarious activities.

    Chinese Hackers Breach US Critical Infrastructure in Stealthy Attacks:

    This advisory highlights the recent state-sponsored cyber activity by the People's Republic of China (PRC) and provides crucial information for network defenders to identify and mitigate this activity. The advisory focuses on network and host artifacts, particularly command lines used by the cyber actor, and includes indicators of compromise (IOCs) for reference. However, defenders should exercise caution and evaluate matches to determine their significance, considering the possibility of false positive indicators resulting from benign activity.

    New PowerExchange Malware Backdoors Microsoft Exchange Servers

    FortiEDR research lab has identified a targeted attack against a government entity in the United Arab Emirates, involving a custom PowerShell-based backdoor called PowerExchange. The backdoor utilizes the victim's Microsoft Exchange server as its command and control (C2) server, operating through an email-based C2 protocol. The investigation revealed multiple implants and a unique web shell named ExchangeLeech, capable of credential harvesting. The indicators point to an Iranian threat actor as the perpetrator of these attacks. The attack chain starts with email phishing and the execution of a malicious .NET executable. The backdoor establishes communication with the Exchange server, sends and receives commands through mailboxes, and executes malicious payloads.

    North Korean APT Group Kimsuky Shifting Attack Tactics

    North Korean hackers belonging to the Kimsuky group are employing custom-built malware to carry out information exfiltration campaigns against organizations supporting human rights activists and North Korean defectors. The cybersecurity firm SentinelOne discovered a new variant of the RandomQuery malware, which is commonly used by the Pyongyang threat actor. Kimsuky specializes in targeting think tanks and journalists. The distribution of the malware is facilitated through compiled HTML files, a tactic frequently utilized by North Korean hackers. The objective of this particular campaign is file enumeration and information exfiltration, “The variation of RandomQuery in this campaign has the "single objective of file enumeration and information exfiltration," in contrast to recently observed North Korean use of the malware to support a wider array of functions such as keylogging and the execution of additional malware.

    GoldenJackal State Hackers Silently Attacking Govts Since 2019

    Kaspersky recently disclosed the activities of a lesser-known advanced persistent threat group called GoldenJackal. This group has been engaged in espionage against government and diplomatic organizations in Asia since 2019. To maintain a cover presence, the threat actors have been cautious in their operations. They carefully choose their targets and limit the frequency of their attacks, aiming to minimize the risk of detection. Kaspersky, which has been monitoring GoldenJackal since 2020, has revealed that the group is active in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey.

    SuperMailer Abuse Bypasses Email Security for Super-Sized Credential Theft

    A large-scale operation focused on harvesting credentials has emerged, utilizing a legitimate email newsletter program called SuperMailer to distribute a substantial volume of phishing emails. The intention behind this campaign is to bypass secure email gateway protections. Recent findings from Cofense, as of May 23, reveal that SuperMailer-generated emails account for a significant portion of all credential phishing attempts, constituting approximately 5% of the firm's telemetry for May.

    IT Employee Piggybacked on Cyberattack for Personal Gain

    A former IT employee of an Oxford-based company has been convicted of blackmailing his employer and unauthorized access to a computer for personal gain. After a cyber security incident at the company, the employee took advantage of the breach by accessing a board member's private emails, altering the original blackmail email, and changing the payment address.

    State-Aligned Actors Targeting SMBs Globally

    Proofpoint researchers have discovered that advanced persistent threat (APT) actors are increasingly targeting small and medium-sized businesses (SMBs), governments, militaries, and major corporations through compromised SMB infrastructure in phishing campaigns. These threat actors are also launching financially motivated attacks against SMB financial services firms and carrying out supply chain attacks affecting SMBs. Proofpoint emphasizes the tangible risk that APT actors pose to SMBs today through the compromise of their infrastructure.

    Barracuda Warns of Email Gateways Breached via Zero-Day Flaw

    Barracuda, a company specializing in email and network security solutions, informed its customers that some of their Email Security Gateway (ESG) appliances were breached due to a recently patched zero-day vulnerability. The vulnerability was discovered on May 19 and was promptly addressed with security patches on May 20 and 21. Barracuda confirmed unauthorized access to a subset of ESG appliances but assured customers that its other products were unaffected. Impacted organizations were notified, and Barracuda advised them to review their environments for any potential spread of the threat actors to other devices on the network. Details regarding the number of affected customers and potential data impact were not provided.

    A Deeper Insight Into the Cloudwizard APT’s Activity Revealed a Long-Running Activity

    Researchers warn of a threat actor known as CloudWizard APT, which is actively targeting organizations operating in the Russo-Ukraine conflict region. In March 2023, Kaspersky reearchers dicovered the new APT group, referred to as Bad Magic or Red Stinger, engaging in cyber attacks against entities in the same area. The attackers utilized PowerMagic and CommonMagic implants in their operations. During their investigation, the researchers discovered another set of highly advanced malicious activities linked to the same threat actor, demonstrating even greater sophistication.

    Food Distributor Sysco Says Cyberattack Exposed 126,000 Individuals

    A multinational company headquartered in Houston, Texas, Sysco is one of the largest distributors of food products, kitchen equipment, smallware, and tabletop products to restaurants, lodging establishments, healthcare and education organizations, and other entities” (Security Week, 2023). The company initially disclosed the incident in early May, in a Form 10-Q filing with the US Securities and Exchange Commission (SEC), when it revealed that the data breach was identified on March 5, 2023, but said that the attackers likely had unauthorized access to its systems starting January 14, 2023.

    Batloader Campaign Impersonates ChatGPT and Midjourney to Deliver Redline Stealer

    In the campaign observed by the researchers, threat actors are using BatLoader in the form of MSIX Windows App Installer files to deliver the Redline Stealer. In February 2023, eSentire reported another BatLoader campaign targeting users searching for AI tools.“Both AI services are extremely popular but lack first-party standalone apps (i.e., users interface with ChatGPT via their web interface while Midjourney uses Discord). This vacuum has been exploited by threat actors looking to drive AI app-seekers to imposter web pages promoting fake apps.

    Vulnerability in Zyxel Firewalls May Soon Be Widely Exploited (CVE-2023-28771)

    Rapid7 researchers have issued a warning regarding a recently patched command injection vulnerability (CVE-2023-28771) in various Zyxel firewalls. They have published a technical analysis and a Proof of Concept (PoC) script that demonstrates the vulnerability, enabling the attacker to gain a reverse root shell. The affected devices include Zyxel APT, USG FLEX, and VPN firewalls running ZDL firmware versions v4.60 to v5.35, as well as Zyxel ZyWALL/USG gateways/firewalls running ZLD v4.60 to v4.73. These firewall devices perform network traffic monitoring and control, possess VPN and SSL inspection capabilities, and provide additional protection against malware and other threats.

    Phishing Vendor Sells IP Addresses to Duck Anomaly Detection

    A large-scale phishing-as-a-service operation is shifting tactics to allow attackers to avoid anomaly detection by using localized IP addresses, warns Microsoft. The computing giant discovered the provider in 2021 after detecting a phishing campaign that used more than 300,000 domains and unique subdomains in a single run. BulletProofLink, also referred to as BulletProftLink or Anthrax, sells access to phishing kits, email templates, hosting, and automated series "at a relatively low cost.”

    Shifting Tactics Fuel Surge in Business Email Compromise

    Business email fraud continues to rise, with the Federal Bureau of Investigation (FBI) reporting more than 21,000 complaints with adjusted losses over $2.7 billion. Microsoft has observed an increase in sophistication and tactics by threat actors specializing in business email compromise (BEC), including leveraging residential internet protocol (IP) addresses to make attack campaigns appear locally generated. This new tactic is helping criminals further monetize Cybercrime-as-a-Service (CaaS) and has caught federal law enforcement’s attention because it allows cybercriminals to evade “impossible travel” alerts used to identify and block anomalous login attempts and other suspicious account activity.

    CISA Warns of Samsung ASLR Bypass Flaw Exploited in Attacks

    CISA warned last Friday of a security vulnerability affecting Samsung devices which has been used in attacks to bypass Android address space layout randomization (ASLR) protection. ASLR is an Android security feature that randomizes the memory addresses where key app and OS components are loaded into the device's memory. This makes it more difficult for attackers to exploit memory-related vulnerabilities and successfully launch attacks like buffer overflow, return-oriented programming, or other memory-based exploits.

    Trojan-Rigged Phishing Attacks Pepper China-Taiwan Conflict

    New findings reveal a significant increase in cyber espionage attacks targeting Taiwanese organizations, coinciding with recent political tensions. According to research by Trellix, the number of malicious phishing emails aimed at Taiwanese companies surged between April 7 to the 10th of this year. The most affected sectors were networking/IT, manufacturing, and logistics.

    LockBit Leaks 1.5TB of Data Stolen From Indonesia's BSI Bank

    The LockBit ransomware group has leaked 1.5 terabytes of personal and financial data from Bank Syariah Indonesia (BSI) after failed ransom negotiations. The stolen data includes information from approximately 15 million customers and employees of the country's largest Islamic bank. BSI has restored its key banking services under the supervision of Bank Indonesia. BSI initially experienced disruptions due to a cyberattack, but LockBit claims the bank misled customers by attributing the issues to technical maintenance.

    8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency

    The notorious cryptojacking group tracked as 8220 Gang has been spotted weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware. The flaw in question is CVE-2017-3506 (CVSS score: 7.4), which, when successfully exploited, could allow an unauthenticated attacker to execute arbitrary commands remotely. ‘This allows attackers to gain unauthorized access to sensitive data or compromise the entire system,’ Trend Micro researcher Sunil Bharti said in a report published this week. 8220 Gang, first documented by Cisco Talos in late 2018, is so named for its original use of port 8220 for command-and-control (C2) network communications.

    Hackers Target Vulnerable Wordpress Elementor Plugin After PoC Released

    Hackers are now actively probing for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites in massive Internet scans, attempting to exploit a critical account password reset flaw disclosed earlier in the month. The critical-severity flaw is tracked as CVE-2023-32243 and impacts Essential Addons for Elementor versions 5.4.0 to 5.7.1, allowing unauthenticated attackers to arbitrarily reset the passwords of administrator accounts and assume control of the websites. The flaw that impacted over a million websites was discovered by PatchStack on May 8th, 2023, and fixed by the vendor on May 11th, with the release of the plugin's version 5.7.2.

    Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise

    Every day, numerous Android phone users worldwide unknowingly contribute to the financial gains of an organization known as the Lemon Group simply by owning their devices. What these users are unaware of is that the Lemon Group has pre-infected their phones even before they purchase them. As a result, the Lemon Group secretly exploits these devices, utilizing them to steal and sell SMS messages and one-time passwords (OTPs), display unwanted advertisements, create online messaging and social media accounts, and carry out various other activities.

    BianLian Skips Encryption On Way To Extortion

    The U.S. cybersecurity agency has warned that the BianLian ransomware group is shifting from malicious encryption to pure extortion. Instead of double extortion, the group now demands a ransom for keeping stolen data secret. The group's change in tactics is likely influenced by the release of a free decryptor by cybersecurity firm Avast. BianLian gains initial access to networks through compromised remote desktop protocol credentials, acquired from brokers or through phishing. They implant a customized backdoor and install remote management tools like TeamViewer.

    MalasLocker Ransomware Targets Zimbra Servers, Demands Charity Donation

    A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking. The ransomware operation, dubbed MalasLocker by BleepingComputer, began encrypting Zimbra servers towards the end of March 2023, with victims reporting in both the BleepingComputer and Zimbra forums that their emails were encrypted.

    Cisco Warns of Critical Switch Bugs With Public Exploit Code

    Yesterday, Cisco published an advisory, warning customers of four critical remote code execution vulnerabilities (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189) impacting several of its Small Business Series Switches. The four flaws received a CVSS score of 9.8 out of 10 and are due to an improper validation of requests sent to the targeted switches’ web interfaces. A successful exploit of the issues could enable unauthenticated actors to execute arbitrary code with root privileges on targeted devices.

    New ZIP Domains Spark Debate Among Cybersecurity Experts

    Cybersecurity researchers and IT admins have raised concerns over Google's new ZIP and MOV Internet domains, warning that threat actors could use them for phishing attacks and malware delivery. Earlier this month, Google introduced eight new top-level domains (TLD) that could be purchased for hosting websites or email addresses. The new domains are .dad, .esq, .prof, .phd, .nexus, .foo, and for the topic of our article, the .zip and .mov domain TLDs.

    FBI Confirms BianLian Ransomware Switch to Extortion Only Attacks

    A recent collaboration between government agencies in the United States and Australia, led by CISA, has resulted in a joint Cybersecurity Advisory. The advisory highlights the latest tactics, techniques, and procedures (TTPs) employed by the BianLian ransomware group, which has been actively targeting critical infrastructure in both countries since June 2022. As part of the broader #StopRansomware initiative, this advisory draws on investigations conducted by the FBI and the Australian Cyber Security Centre (ACSC) up until March 2023.

    State-Sponsored Sidewinder Hacker Group's Covert Attack Infrastructure Uncovered

    Group-IB recently uncovered a previously undocumented attack infrastructure utilized by the SideWinder, a prolific state-sponsored group, to target entities located in Pakistan and China. The infrastructure unearthed encompasses 55 domains and IP addresses which were identified by researchers as phishing domains mimicking various organizations in the news, government, telecommunications, and financial sectors.

    Feds Charge Russian, Chinese Nationals With Illegal Exports

    U.S. federal prosecutors have announced indictments and arrests related to illegal technology exports to Russia, China, and Iran. The cases involve individuals accused of smuggling military and dual-use technology, including tactical military antennas, lasers, pressure sensors, and other electronics. The Biden administration has vowed to crack down on export violations and has created the Disruptive Technology Strike Force. The cases highlight the efforts to prevent advanced technology from falling into the hands of foreign adversaries who may use them to threaten national security and democratic values.

    Hackers Infect TP-Link Router Firmware to Attack EU Entities

    A Chinese state-sponsored hacking group named "Camaro Dragon" infects residential TP-Link routers with a custom "Horse Shell" malware used to attack European foreign affairs organizations. The backdoor malware is deployed in a custom and malicious firmware designed specifically for TP-Link routers so that the hackers can launch attacks appearing to originate from residential networks.

    Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks

    During last week’s Black Hat Asia 2023 conference, Israeli industrial cybersecurity firm OTORIO disclosed several vulnerabilities in cloud management platforms associated with three industrial cellular router vendors that could expose OT networks to external attacks. In total 11 vulnerabilities were disclosed, which could enable threat actors to execute code remotely and take control over hundreds of thousands of devices and OT networks. In particular, the flaws impact cloud-based management solutions offered by Sierra Wireless, Teltonika Networks, and InHand Networks to remotely manage and operate devices.

    BEC Attackers Spoof CC'd Execs to Force Payment

    Security experts have discovered a fresh advancement in business email compromise tactics aimed at intensifying the recipient's urgency to settle a counterfeit invoice. Referred to as "VIP Invoice Authentication Fraud" by Armorblox, this strategy involves deceptive emails that imitate reputable vendors or familiar third parties regularly receiving payments from the targeted organization. The scammer initiates an invoice request targeting an individual, often in the finance team of the targeted organization. What sets this tactic apart from others is that the scammer also includes the recipient's boss in the email thread, using a fake email domain that closely resembles the boss's actual email address.

    New RA Group ransomware targets U.S. orgs in double-extortion attacks

    A new ransomware group named 'RA Group' is targeting pharmaceutical, insurance, wealth management, and manufacturing firms in the United States and South Korea. The new ransomware operation started in April 2023, when they launched a data leak site on the dark web to publish victims' details and stolen data, engaging in the typical 'double-extortion' tactic used by most ransomware gangs.

    PharMerica Reports Breach Affecting Nearly 6 Million People

    PharMerica, an institutional pharmacy, suffered a significant data breach in March, affecting nearly 6 million current and deceased patients. Hackers, allegedly from the Money Message ransomware group, accessed personal information such as names, birthdates, Social Security numbers, medications, and health insurance details. The group leaked spreadsheets containing patient data on the dark web and also posted internal business documents,

    Open-source Cobalt Strike Port 'Geacon' Used in macOS Attacks

    Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices. Both Geacon and Cobalt Strike are utilities that legitimate organizations use to simulate attacks against their networks and improve defenses, but threat actors have also relied on them for attacks.

    CISA Warns of Critical Ruckus Bug Used to Infect Wi-Fi Access Points

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned last Friday of a critical remote code execution (RCE) flaw in the Ruckus Wireless Admin panel actively exploited by a recently discovered DDoS botnet. While this security bug (CVE-2023-25717) was addressed in early February, many owners are likely yet to patch their Wi-Fi access points. Furthermore, no patch is available for those who own end-of-life models affected by this issue.

    Enigmatic Hacking Group Operating in Ukraine

    A newly uncovered hacking group with a string of cyberespionage successes is targeting Ukrainian and pro-Russian targets alike, its motivations uncertain in a conflict that offers little to no middle ground. Malwarebytes in a Wednesday blog post dubs the threat actor "Red Stinger," saying the group is the same as the "Bad Magic" threat actor revealed by Kaspersky in March. Malwarebytes says it traced Red Stinger activities back to 2020, while Kaspersky says it spotted the group in October 2022 - the dates suggesting an investment in stealthy techniques and operational security.

    Discord Discloses Data Breach After Support Agent Got Hacked

    Discord, a popular communication platform, recently experienced a data breach after one of its support agents was hacked. The incident was reported by Discord on their official blog. The breach occurred due to unauthorized access to the support agent's account, which allowed the attacker to gain access to certain user data. Discord confirmed that the breach did not affect the entire user database and that only a small portion of users were impacted.

    Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign

    Symantec recently disclosed details of a year-long running campaign targeting government, aviation, education, and telecom sectors located in South and Southeast Asia. Dubbed Lancefly, the operation commenced in mid-2022 and continued until the first quarter of 2023. According to researchers, they observed the actors deploying a powerful backdoor dubbed Merdoor, which has been around since 2018.

    XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks

    Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware on targeted systems. Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany. ‘The attack campaign has been leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new analysis.

    Multinational Tech Firm ABB Hit by Black Basta Ransomware Attack

    ABB, a leading provider of electrification and automation technology, has suffered a Black Basta ransomware attack that has reportedly impacted its business operations. The multinational company, headquartered in Zurich, Switzerland, employs approximately 105,000 workers and recorded $29.4 billion in revenue for 2022. ABB's services include the development of industrial control systems and SCADA systems for energy suppliers and manufacturing.

    Stealthier Version of Linux BPFDoor Malware Spotted in the Wild

    A new, stealthier variant of the Linux malware 'BPFDoor' has been discovered, featuring more robust encryption and reverse shell communications. BPFDoor is a stealthy backdoor malware that has been active since at least 2017 but was only discovered by security researchers around 12 months ago. The malware gets its name from the use of the 'Berkley Packet Filter' (BPF) for receiving instructions while bypassing incoming traffic firewall restrictions.

    Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability

    U.S. cybersecurity and intelligence agencies have warned of attacks carried out by a threat actor known as the Bl00dy Ransomware Gang that attempt to exploit vulnerable PaperCut servers against the education facilities sector in the country. The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in a joint cybersecurity advisory issued Thursday.

    Fake In-Browser Windows Updates Push Aurora Info-Stealer Malware

    A malvertising campaign was recently detected using an in-browser Windows update simulation to deceive users and distribute the Aurora information-stealing malware. Aurora which is coded in Golang, has been advertised on hacker forums for over a year as a highly capable info stealer with low anti-virus detection rates. The campaign, as reported by Malwarebytes researchers, relies on popunder ads on adult content websites with high traffic to redirect unsuspecting users to a location where they are served malware.

    Feds Warn of Rise in Attacks Involving Veeam Software Flaw

    Federal authorities have issued a warning about an increase in cyberattacks targeting Veeam's backup application in the healthcare sector. The attacks exploit a high-severity vulnerability (CVE-2023-27532) in Veeam Backup & Replication, potentially leading to unauthorized access, data theft, or ransomware deployment. The vulnerability affects all versions of the software and poses a significant threat to healthcare environments that rely on Veeam for protecting and restoring files and applications.

    New Ransomware Decryptor Recovers Data From Partially Encrypted Files

    A new 'White Phoenix' ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption. Intermittent encryption is a strategy employed by several ransomware groups that alternates between encrypting and not encrypting chunks of data. This method allows a file to be encrypted much faster while still leaving the data unusable by the victim.

    Microsoft Fixes BlackLotus Vulnerability, Again

    Microsoft issued an optional patch Tuesday as part of its monthly dump of fixes that addresses for the second time a Secure Boot zero-day vulnerability exploited by BlackLotus UEFI malware. In all, the Redmond giant pushed out 38 security fixes in its May patch cycle, addressing three zero-day flaws - two of which are under active exploitation, including the UEFI flaw - and six bugs rated critical. Security researchers earlier this year spotted the BlackLotus bootkit for sale on hacker forums for $5,000.

    Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft

    Cybersecurity researchers have shared details about a now-patched security flaw in Windows MSHTML platform that could be abused to bypass integrity protections on targeted machines. The vulnerability, tracked as CVE-2023-29324 (CVSS score: 6.5), has been described as a security feature bypass. It was addressed by Microsoft as part of its Patch Tuesday updates for May 2023. Akamai security researcher Ben Barnea, who discovered and reported the bug, noted that all Windows versions are affected, but pointed out Microsoft, Exchange servers with the March update omit the vulnerable feature. ‘An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server,’ Barnea said in a report shared with The Hacker News.

    Cybersecurity Firm Dragos Discloses Cybersecurity Incident, Extortion Attempt

    Industrial cybersecurity company Dragos today disclosed what it describes as a "cybersecurity event" after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices. While Dragos states that the threat actors did not breach its network or cybersecurity platform, they got access to the company's SharePoint cloud service and contract management system” (Bleeping Computer, 2023). "On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform," the company said.

    New ‘Greatness’ Service Simplifies Microsoft 365 Phishing Attacks

    The platform Greatness, which offers a phishing-as-a-Service, witnessed a surge in its activities as it focuses on targeting organizations that use Microsoft 365 in the United States, Canada, the U.K., Australia, and South Africa. As a widely cloud-based productivity platform, Microsoft 365 is highly coveted by cybercriminals who seek to pilfer data or login credentials for exploitation in network intrusions. According to a recent report from Cisco Talos, researchers have revealed that the Greatness phishing platform was established in the middle of 2022, with a significant upsurge in its operations in December 2022, and then again in March 2023.

    Critical Ruckus RCE Flaw Exploited By New DDoS Botnet Malware

    A new malware botnet named 'AndoryuBot' is targeting a critical-severity flaw in the Ruckus Wireless Admin panel to infect unpatched Wi-Fi access points for use in DDoS attacks. Tracked as CVE-2023-25717, the flaw impacts all Ruckus Wireless Admin panels version 10.4 and older, allowing remote attackers to perform code execution by sending unauthenticated HTTP GET requests to vulnerable devices. The flaw was discovered and fixed on February 8, 2023. Still, many have not applied the available security updates, while end-of-life models impacted by the security problem will not get a patch.

    Food Distribution Giant Sysco Warns of Data Breach After Cyberattack

    Sysco, a major global food distribution company, has confirmed that its network was breached earlier this year by attackers who stole sensitive information, including business, customer, and employee data. In an internal memo sent to employees on May 3rd and seen by BleepingComputer, the company revealed that customer and supplier data in the U.S. and Canada, as well as personal information belonging to U.S. employees, may have been impacted in the incident.

    Top 5 Password Cracking Techniques Used by Hackers

    Phishing is often stated as the most successful initial access method for both cybercriminals and more sophisticated nation state actors. Gaining access to valid accounts is one of the easiest and most powerful tools for a threat actors. Why spend the resources breaching powerful security tools, when you can simply trick an employee into clicking a bad link, or by cracking their password?

    Multiple Vulnerabilities in Aruba Products Could Allow for Arbitrary Code Execution.

    Multiple vulnerabilities have been discovered in Aruba Products, the most severe of which could allow for arbitrary code execution. Aruba Mobility Conductor is an advanced WLAN deployed as a virtual machine (VM) or installed on an x86-based hardware appliance. Aruba Mobility Controller is a WLAN hardware controller in a virtualized environment managing WLAN Gateways and SD-WAN Gateways that are managed by Aruba Central.

    BEC Campaign via Israel Spotted Targeting Large Multinational Companies

    Abnormal Security researchers have identified a threat group based in Israel that is responsible for a series of business email compromise (BEC) campaigns. The group's primary targets are large and multinational corporations with annual revenue exceeding $10 billion. Since February 2021, the group has launched approximately 350 BEC campaigns, with email attacks directed at employees in 61 countries spanning six continents. The attackers impersonate the targeted employee's CEO and subsequently redirect the communication to a second external persona, typically a mergers and acquisitions attorney who oversees the payment process. In certain cases, when the attack advances to the second state, the perpetrators may ask to switch from email communications to a WhatsApp voice call to expedite the attack and minimize the chances of leaving behind any traceable evidence.

    FBI Seizes 13 More Domains Linked to DDoS-For-Hire Services

    The U.S. Justice Department announced today the seizure of 13 more domains linked to DDoS-for-hire platforms, also known as 'booter' or 'stressor' services. This week's seizures are part of a coordinated international law enforcement effort (known as Operation PowerOFF) to disrupt online platforms allowing anyone to launch massive distributed denial-of-service (DDoS) attacks against any target for the right amount of money.

    Five Takeaways From the Russian Cyber-Attack on Viasat's Satellites

    The cyber-attack on US firm Viasat’s KA-SAT satellites in Ukraine on February 24, 2022, prompted one of the largest formal attributions of a cyber-attack to a nation-state in history. Nearly 20 countries accused Russia of being responsible, including a dozen EU member states and the Five Eyes countries (US, UK, Australia, New Zealand and Canada). This cyber intrusion, which preceded Russia’s invasion of its neighbor by just a few hours, was thoroughly discussed during the third edition of CYSAT, an event dedicated to cybersecurity in the space industry that took place in Paris, France on April 26-27, 2023.

    Western Digital Says Hackers Stole Customer Data in March Cyberattack

    Western Digital Co. has taken its store offline and sent customers data breach notifications after confirming that hackers stole sensitive personal information in a March cyberattack. The company emailed the data breach notifications late Friday afternoon, warning that customers' data was stored in a Western Digital database stolen during the attack.

    Fleckpe Trojan Infects 620K Devices via Google Play

    The Google Play store was found to have hosted Android malware disguised as legitimate applications, which have been downloaded over 620,000 times since 2022. The malicious apps were disguised as photo-editing apps, camera editors and smartphone wallpaper packs, and infected 11 legitimate applications before being taken down. Once downloaded, the malware executes a payload from the app asset, which sends the infected device's mobile code to a command-and-control server. The server then sends a paid subscription page, which the Trojan opens in an invisible web browser to subscribe the user.

    Meet Akira — A New Ransomware Operation Targeting the Enterprise

    The Akira ransomware operation is gradually expanding its list of victims by infiltrating corporate networks globally, encrypting files, and demanding ransoms amounting to millions of dollars. The operation began in March 2023 and has already targeted 16 companies in diverse industries such as finance, education, real estate, manufacturing, and consulting. Although there was ransomware named Akira released in 2017, there is no connection between these two operations.

    MSI’s Firmware, Intel Boot Guard Private Keys Leaked

    The cybercriminals who breached Taiwanese multinational MSI last month have apparently leaked the company’s private code signing keys on their dark web site. MSI (Micro-Star International) is a corporation that develops and sells computers (laptops, desktops, all-in-one PCs, servers, etc.) and computer hardware (motherboards, graphics cards, PC peripherals, etc.). The company confirmed in early April that it had been hacked. A ransomware group called Money Message claimed responsibility for the breach, said they grabbed (among other things) some of the company’s source code, and asked for $4 million to return/delete it.

    New Cactus Ransomware Encrypts Itself to Evade Antivirus

    Researchers at Kroll corporate investigation have uncovered a new ransomware operation dubbed Cactus which is exploiting known vulnerabilities in Fortinet VPN appliances to gain initial access to the networks of large commercial entities. What’s more is that this group employs an unusual tactic of evading defenses and scanning from antivirus solutions.

    Kimsuky Hackers Use New Recon Tool to Find Security Gaps

    The Kimusky hacking group, known by aliases such as Thalium and Velvet Chollima, has been using a new version of its reconnaissance malware called ReconShark to conduct a cyberespionage campaign on a global scale. According to Sentinel Labs, the group has broadened its target range to include government organizations, research centers, universities, and think tanks in the US, Europe, and Asia. South Korean and German authorities warned in March 2023 that Kimusky had distributed malicious Chrome extensions and Android spyware as a remote access trojan to target Gmail accounts. Kaspersky previously reported in August 2022 that the group had targeted politicians, diplomats, university professors, and journalists in South Korea using a multi-stage target validation scheme to ensure the successful infection of only valid targets.

    Microsoft Patches Serious Azure Cloud Security Flaws

    Microsoft has patched three vulnerabilities in its Azure cloud platform that could have allowed attackers to access sensitive info on a targeted service, deny access to the server, or scan the internal network to mount further attacks, researchers have found. Researchers from the Ermetic Research Team discovered the flaws in the Azure API Management Service, which allows organizations to create, manage, secure, and monitor APIs across all of their environments, they revealed in a blog post published Thursday.

    Russian Hackers Use WinRAR to Wipe Ukraine State Agency’s Data

    The Russian 'Sandworm' hacking group has been linked to an attack on Ukrainian state networks where WinRar was used to destroy data on government devices. In a new advisory, the Ukrainian Government Computer Emergency Response Team (CERT-UA) says the Russian hackers used compromised VPN accounts that weren't protected with multi-factor authentication to access critical systems in Ukrainian state networks. Once they gained access to the network, they employed scripts that wiped files on Windows and Linux machines using the WinRar archiving program.

    City of Dallas Hit by Royal Ransomware Attack Impacting It Services

    The City of Dallas, Texas, has suffered a Royal ransomware attack, causing it to shut down some of its IT systems to prevent the attack's spread. Dallas is the ninth largest city in the United States, with a population of approximately 2.6 million people, according to US census data. Local media reported that the City's police communications and IT systems were shut down Monday morning due to a suspected ransomware attack. This has led to 911 dispatchers having to write down received reports for officers rather than submit them via the computer-assisted dispatch system. The Dallas County Police Department's website was also offline for part of the day due to the security incident but has since been restored

    Hackers Start Using Double DLL Sideloading to Evade Detection

    A group of hackers, also known as Dragon Breath, Golden Eye Dog, or APT-Q-27, is utilizing multiple sophisticated versions of the traditional DLL sideloading technique to avoid detection. These attack variations start with an initial approach that uses legitimate applications, such as Telegram, to sideload a second-stage payload, which may also be legitimate, and in turn, loads a malicious malware loader DLL.

    Google Chrome Will Lose the “Lock” Icon for HTTPS-Secured Sites

    n September 2023, Google Chrome will stop showing the lock icon when a site loads over HTTPS, partly due to the now ubiquitous use of the protocol. It took many years, but the unceasing push by Google, other browser makers and Let’s Encrypt to make HTTPS the norm for accessing resources on the Web resulted in an unmitigated success; according to Google, over 95% of page loads in Chrome on Windows are now over an encrypted, secure channel using HTTPS.

    FBI Seizes 9 Crypto Exchanges Used to Launder Ransomware Payments

    In a recent announcement from the FBI, the agency stated it carried out an operation alongside with the Virtual Currency Response Team, the National Police of Urkaine, and legal prosecutors in the country to seize several cryptocurrency exchange sites that were being used by scammed and cybercriminals, including ransomware actors to launder money from victims.

    Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software

    Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers. BGP is a gateway protocol that's designed to exchange routing and reachability information between autonomous systems. It's used to find the most efficient routes for delivering internet traffic. The three vulnerabilities reside in version 8.4 of FRRouting, a popular open source internet routing protocol suite for Linux and Unix platforms.

    APT41 Subgroup Plows Through Asia-Pacific, Utilizing Layered Stealth Tactics

    APT41 is a well-known Chinese cyber threat that is made up of various subgroups. The group has previously used a variety of tactics over the years to carry out espionage attacks against government agencies, businesses, and individuals. The group's attacks against the US government have led to indictments of its members by US law enforcement. On May 2, Trend Micro researchers reported that Earth Longzhi, a suspected subgroup of APT41, has launched a new campaign after almost a year of inactivity with more advanced stealth tactics to carry out espionage campaigns against the same types of targets.

    T-Mobile Discloses Second Data Breach Since the Start of 2023

    T-Mobile disclosed the second data breach of 2023 after discovering that attackers had access to the personal information of hundreds of customers for more than a month, starting late February 2023. Compared to previous data breaches reported by T-Mobile, the latest of which impacted 37 million people, this incident affected only 836 customers.

    Apple’s First Rapid Security Response Patch Fails to Install on iPhones

    Apple has launched the first Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1 devices. As the company describes in a recently published support document, RSR patches are small-sized updates that target the iPhone, iPad, and Mac platforms and patch security issues between major software updates. Some of these out-of-band security updates may also be used to address vulnerabilities actively exploited in attacks.

    New LOBSHOT Malware Gives Hackers Hidden VNC Access to Windows Devices

    A newly discovered malware named 'LOBSHOT' can discreetly take control of Windows devices using hVNC and is being distributed through Google Ads. Cybersecurity researchers had earlier reported an increase in threat actors using Google ads to distribute malware through fake websites for popular applications such as 7-ZIP, VLC, OBS, Notepad ++, CCleaner, TradingView, Rufus, and others. These malicious sites pushed malware, including Gozi, RedlLine, Vidar, Cobalt Strike, SectoRAT, and the Royal Ransomware, instead of the intended applications.