The DOJ and FBI collaborated to dismantle the Qakbot malware and its botnet, successfully disrupting a long standing threat. However, concerns linger as Qakbot may still pose a risk, although in a reduced form. The takedown removed the malware from a significant number of devices, including 700,000 globally and 200,000 in the U.S. Yet, recent findings suggest Qakbot remains active but weakened.

Researchers from Google DeepMind, Cornell University, and other institutions found that the widely used generative AI chatbot, ChatGPT, is susceptible to data leaks. By prompting ChatGPT to repetitively say words like "poem," "company," and others, the researchers were able to make the chatbot regurgitate memorized portions of its training data.

On Thursday the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned eight North Korean agents for facilitating sanctions evasion including revenue generation and missile-related technology procurement that support the Democratic People’s Republic of Korea’s (DPRK) weapons of mass destruction programs.

Several vendors on VirusTotal have detected a new ransomware dubbed Turtle which is capable of not only targeting Windows and Linux systems but also macOS. Cybersecurity researcher Patrick Wardle who analyzed this new strain, says that Turtle Ransomware is currently not sophisticated. The malware was developed in the Go programming language.

Researchers from Satori Threat Intelligence discovered a new version of the ScrubCrypt obfuscation tool being used to target organizations with the RedLine stealer malware. This latest version of ScrubCrypt is for sale on dark web marketplaces, and is being used in account takeover and fraud attacks.

Researchers at Perception Point recently unveiled a sophisticated malware attack aimed at bypassing threat detection systems. The attack involves impersonating a financial services company via a fake invoice email. The email includes a button that leads to an unavailable website which urges users to visit a seemingly legitimate link for the invoice.

According to a new blog post by researchers at Artic Wolf, a set of known vulnerabilities in Qlik Sense, a cloud analytics and business intelligence platform, are being exploited to deploy ransomware. Tracked as CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365, the flaws are being chained together to achieve remote code execution on targeted systems.

Based on research conducted by Hornetsecurity, there has been an increasing trend of cybercriminals embedding malicious web links in emails to target victims. From an analysis of 45 billion emails, researchers concluded a 144% increase in this type of attack compared to 2022.

The Iran-backed Cyber Av3ngers, affiliated with the IRGC, has been actively exploiting Programmable Logic Controllers (PLCs) in Water and Wastewater treatment plants, targeting critical infrastructure installations in the U.S. The group, known for making false claims, initiated attacks on various water authorities, an aquarium, and a brewery. They focus on Unitronics PLCs, leveraging open source tools and exploiting vulnerabilities. The recent campaign expanded to target critical infrastructure globally, particularly those using equipment associated with Israel.

Last month, Okta disclosed that attackers breached its customer support system, gaining unauthorized access to files associated with 134 Okta customers, some of which were HAR files containing session tokens that could be used for session hijacking attacks. After re-examining the actions taken by the actors,

Researchers from Eurecom have developed six next attacks they have collectively named “BLUFFS.” These vulnerabilities can be used for device impersonation and man-in-the-middle (MitM) attacks. BLUFFS exploits two previously unknown flaws in Bluetooth, related to how session keys are derived to decrypt data in exchange.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is responding to a cyber attack on the Municipal Water Authority of Aliquippa, Pennsylvania. The attack involved the exploitation of Unitronics programmable logic controllers (PLCs) and has been attributed to the Iranian-backed hacktivist group Cyber Av3ngers.

CTS is a trusted provider of IT services to the legal sector in the UK. The company announced that it is investigating a cyber attack that caused a service outage. The incident impacted a portion of the services. The security incident potentially impacted hundreds of British law firms.

General Electric (GE) and the Defense Advanced Research Projects Agency (DARPA) are reported to have experienced security breaches, with stolen data allegedly available for sale on the Dark Web. The compromised information includes access credentials, DARPA-related military data, SQL files, and more. GE has acknowledged the breach and is actively investigating the matter. DARPA, known for collaborating with GE on various projects, may have classified information on weapons programs and artificial intelligence research in its data stores.

General Electric, an American multinational conglomerate that has several divisions including aerospace, power, and renewable energy, is investigating claims that a threat actor breached its development environment and leaked allegedly stolen data. The development comes after a threat actor named IntelBroker posted to a dark forum claiming to have access to General Electric’s development and software pipelines.

A joint operation carried out by Europol and law enforcement agencies has led to the arrest of 5 key suspects in Ukraine believed to be core members of various ransomware operations including LockerGoga, MegaCortex, Dharma, and the now defunct Hive ransomware. Since 2019, these individuals have targeted over 1,800 victims across 71 countries, compromising large corporations.

The Daixin Team, a group known for carrying out ransomware attacks, has listed the North Texas Municipal Water District (NTMWD) as a victim on their data leak site. The actors claim to have stolen large amounts of sensitive data from the company and are threatening to release it publicly. The information stolen is said to include board meeting minutes, internal project documentation, personnel details, audit reports, and more. The leak of the data puts the company at risk of frauds in the next months.

The Idaho National Laboratory (INL) announced this week that they suffered a cyberattack after SiegedSec hacktivists leaked stolen human resources data online. INL is a nuclear research center run by the U.S. Department of Energy that employs 5,700 specialists in atomic energy, integrated energy, and national security.

A critical vulnerability (CVE-2023-43177) in CrushFTP, allowing hackers to access files, execute code, and steal passwords. Although a fix was issued in version 10.5.2, a recent public exploit by Converge demands immediate updates for CrushFTP users. This exploit lets attackers read, delete files, and potentially gain total control over systems using specific web ports and functions in CrushFTP.

In a report released this week, Carbon Black shared details of a recent rise in infections related to the NetSupport RAT over the past few weeks. Specifically, the RAT was being deployed against targets in the education, government, and business services sectors.

A new variant of the Agent Tesla malware has been identified, employing a ZPAQ compression format lure file to extract data from multiple email clients and nearly 40 web browsers. ZPAQ, known for its superior compression ratio and journaling function, offers efficient file transfers but has limited software support.

According to Cybersecurity firm VMware Carbon Black, NetSupport RAT infections have been on the rise, with researchers detecting no less than 15 new infections in the last couple of weeks. NetSupport RAT is a remote access trojan that started off as a legitimate remote administration tool to provide users with technical support.

Last Friday, Cisco Talos published a blog post, highlighting that 8Base ransomware actors are using a variant of the Phobos ransomware to carry out financially motivated attacks. Although most Phobos variants have been distributed using SmokeLoader, a backdoor trojan, researchers note that in 8Base campaigns, the actors are embedding the ransomware component into encrypted payloads, which are then decrypted and loaded into the SmokeLoader process memory.

For years, a group based in New Delhi called Appin conducted hacking operations globally, targeting various individuals and organizations for clients such as private investigators, government agencies, and corporations. Their operations were sophisticated at times, but also unrefined showcasing a brazen approach to hacking.

APT29, a Russian state-sponsored actor has been leveraging WinRAR vulnerability CVE-2023-38831 in cyber attacks. Specifically, the group has been targeting embassy entities with BMW car sale lures. The vulnerability has been exploited by various groups as a zero-day since April, mostly going after cryptocurrency and stock trading forums.

Retailers like Amazon have promoted affordable Android devices for children, such as the Dragon Touch KidzPad Y88X 10 tablet. However, research by the Electronic Frontier Foundation (EFF) revealed malware and riskware on the device, leading to Amazon removing it from the platform. Other Y88X models remain available. This is not the first instance; in January 2023, Amazon sold a T95 Android TV box with preinstalled malware. Both instances involved the Corejava malware.

The ‘Ddostf’ malware botnet is attacking MySQL servers to turn them into a DDoS service. AnhLab Security Emergency Response Center (ASEC) discovered this while tracking threats against database servers. Ddostf infiltrates MySQL servers either through vulnerabilities in unpatched systems or by cracking weak administrator account passwords. These attackers search the web for exposed MySQL servers, trying to breach them through brute forcing administrator credentials.

Cybersecurity company Securonix has uncovered a new campaign dubbed SEO#LURKER, where actors are tricking WinSCP users into installing malware via SEO poisoning and bogus Google ads. In particular, the actors are using dynamic search ads which automatically generate ads based on a site's content to serve the malicious ads that take the victims to an infected site, which in this case is a compromised WordPress site (gameeweb[.]com). Researchers say this WordPress site will redirect the victim to a phishing site advertising a fake installation for WinSCP, in turn infecting the victim with malware.

A new joint advisory from CISA and the FBI has been issued detailing observed TTPs and IOCs to help organizations protect against Rhysida Ransomware. Rhysida is a fairly new ransomware that was first detected in May 2023. Like any other ransomware gang, the group engages in double extortion schemes where it will encrypt and exfiltrate victims’ files, threatening to publish the data online unless a ransom is paid.

FBI is warning of cybercriminals taking advantage of the war in Gaza to solicit funds from unsuspecting victims. According to alerts sent out by the agency, these fraudsters are using various schemes including emails, social media, cold calls, and websites masquerading as fundraisers and charities to convince end users to donate money, stating that the funds will go to victims of the ongoing conflict. These donations are requested in the form of gift cards, wire transfers, and cryptocurrency, making it difficult to trace back.

The hacking group known as DarkCasino was observed utilizing the recently disclosed security flaw in WinRAR as a zero day attack, redefining itself as an advanced persistent threat. This financially motivated actor, identified in 2021, possesses significant technical prowess and blends various APT attack technologies in their operations.

In May 2023, a two-phase cyber-attack targeted 22 Danish critical infrastructure companies. The attackers exploited Zyxel firewall vulnerabilities to gain control of the systems and carry out DDoS attacks.

Over the past five years, Chinese state-sponsored cyber operations have evolved into a more mature and coordinated threat, focusing on exploiting both known and zero-day vulnerabilities in public-facing security and network appliances. They have also placed a strong emphasis on operational security and anonymity These changes have been influenced by both internal factors like military restructuring and changes in domestic regulations, as well as external factors including reporting by Western governments and the cybersecurity community.

About a month ago, Citrix fixed a critical information disclosure flaw (CVE-2023-4966), “Citrix Bleed,” impacting Citrix NetScaler ADC and NetScaler Gateway. As of writing thousands of internet-exposed endpoints are still running vulnerable appliances despite patches being released. As such threat actors are using this opportunity to launch attacks. One of these actors is the LockBit Ransomware group, which researchers say is using publicly available exploits for CVE-2023-4966 to breach the systems of large organizations, steal data, and encrypt files.

A new report from Sophos indicates that cyber-criminals are disabling or wiping out logs in 82% of incidents, making it difficult for organizations to backtrace and determine what happened on systems during a crisis. What’s more is that based on a case study conducted by Sophos, nearly a quarter of organizations investigated didn’t have the appropriate logging available in place for incident responders. Researchers say this was due to several factors, including insufficient retention, re-imaging, or a lack of configuration. “In an investigation, not only would this mean the data would be unavailable for examination, but the defenders would have to spend time figuring out why it wasn’t available” stated researchers in a recent blog post.

ALPHV/BlackCat ransomware threat actors have been seen using Google Ads to distribute malware. By masquerading as popular software products like Advanced IP Scanner and Slack, the group has been luring professionals to attacker controlled websites. The victims, thinking they are downloading legitimate software, are unknowingly installing a piece of malware called Nitrogen. Nitrogen serves as initial-access malware providing intruders with a foothold into the target organization’s IT environment.

In today's complex cybersecurity landscape, cyberattacks are inevitable. Organizations, regardless of size or industry, must establish detailed playbooks for effective response. Chief Information Security Officers (CISOs) play a crucial role in preparing for attacks by fostering relationships, educating leaders, and developing comprehensive frameworks.

International logistics firm DP World Australia announced that a cyber attack has severely disrupted it’s regular freight movement in multiple Australian ports. DP World specialized in cargo logistics, port terminal operations, maritime services, and free trade zones, they have an annual revenue of over $10 billion. In total, the firm operates 82 marine and inland terminals in 40 countries, handles 70 million containers annually carried by 70,000 vessels, and manages roughly 10% of all global container traffic. DP World has the largest presence in Australia, handling over 40% of the nation’s container trade.

Imperial Kitten, also known as Tortoiseshell, TA456, Crimson Sandstorm and Yellow Liderc, has launched a new campaign targeting transportation, logistics, and technology companies in the Middle East. Associated with the Iranian Revolutionary Guard Corps (IRGC), this threat actor, using the online persona Marcella Flores, has been active since at least 2017, conducting cyberattacks across sectors like defense technology, telecommunications, maritime, energy, and consulting.

Hunters International, a newly emerged ransomware group, has acquired the source code and infrastructure from the dismantled Hive operation, a once-prolific ransomware-as-a-service (RaaS) group. The Hive group's operations were halted as part of a coordinated law enforcement effort in January 2023. This move allowed Hunters International to start its own cyber threat activities with a mature toolkit.

The Kaspersky Cyber Threat Intelligence team has unveiled crucial insights into the tactics, techniques and procedures (TTPs) employed by Asian Advanced Persistent Threat (APT) groups. In a report published today, Kaspersky reveals TTPs found from their examination of one hundred global cybersecurity incidents.

Dragos recently highlighted the UK National Cyber Security Centre's Cyber Assessment Framework (CAF) in a report, emphasizing its global applicability. The CAF, designed to enhance government cybersecurity, outlines top-level outcomes for good cybersecurity. While initially aimed at the UK, its principles are valuable globally.

Microsoft says Cl0p ransomware operators have begun exploiting a zero-day vulnerability in the service management software SysAid to access corporate servers for data theft and to deploy ransomware. SysAid is an IT Service Management (ITSM) solutions that helps organizations manage IT services within their environment.

According to a report from cybersecurity company Group-IB, a threat actor known as 'farnetwork' has operated under various usernames like farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkitand. They actively sought affiliates for different ransomware operations on Russian-speaking hacker forums. In March, farnetwork started recruiting affiliates for their ransomware-as-a-service (RaaS) program based on the Nokoyawa locker.

According to a new report from Checkmarx, throughout 2023 threat actors have been distributing malicious Python packages disguised as legitimate obfuscation tools to execute BlazeStealer malware on targeted systems. Once executed, BlazeStealer will retrieve a malicious script from an external source and run a discord bot designed to enable the threat actor to gain complete control over the victim’s computer.

According to a new advisory from the FBI, the agency noted that ransomware actors continue to gain access through third-party vendors and services. Between 2022 and 2023, the FBI observed ransomware attacks compromising casinos through third-party gaming vendors. In particular, small and tribal casinos were targeted, with the threat actors encrypting the PII data of employees and patrons which would be held for ransom payments.

The growing use of digital technology makes cybersecurity more important than ever. Ethical hackers, who identify and prevent cyber threats, are increasingly using AI tools like ChatGPT. A report by Bugcrowd reveals that many hackers believe AI will change how they work in the coming years. While AI can't replace human creativity in security, it helps in tasks like data analysis and vulnerability detection.

The “Soldiers of Solomon” are a Pro-Palestinian hacking group. On their X (previously Twitter) page, the group announced that it had breached the infrastructure of Flour Mills Ltd, a multinational company engaged in the processing and marketing of flour and related food products.

In a recent statement from Okta security chief David Bradbury, Bradbury confirmed that from September 28, 2023, to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers. These files contained session tokens, which the threat actor was able to use to hijack the legitimate Okta sessions of 5 customers.

Last Tuesday, Atlassian released security updates to address a critical improper authorization vulnerability impacting all versions of Confluence Data Center and Server. Tracked as CVE-2023-22518, the vulnerability can be used in data destruction attacks targeting internet-exposed and unpatched instances. While initially, Atlassian noted that it is unaware of reports of active exploitation, the vendor updated its advisory on Friday, stating that threat actors are starting to exploit the flaw in attacks in the wild.

A report from Infosecurity magazine says that Cloud native development practices are creating dangerous new security blind spots for organizations in the US, UK, France and Germany. A study by Venafi polled 800 security and IT leaders from large organizations based in these four countries. It found that 59% of respondents have experienced security incidents in their Kubernetes or container environments.

Researchers from ThreatFabric have identified a new dropper-as-a-service (DaaS) operation which they have named SecuriDropper. The service uses a method to bypass the “Restricted Settings” feature in Android to install malware on devices and obtain access to Accessibility Services.

Researchers at Google have issued a warning about various threat actors using the google calendar service for command-and-control purposes. Additionally, there’s a public proof-of-concept exploit called “Google Calendar RAT” that relies on the calendar service for its command-and-control infrastructure.

The United States, Japan, and South Korea are set to establish a high-level consultative body designed to counter North Korea’s cyber activities. The development comes after the US Deputy National Security Adviser, Anne Neuberger engaged in discussions with her South Korean and Japanese counterparts in Washington last week.

According to a new report by Cybersecurity firm Bitsight, threat actors are using PrivateLoader and Amadey loaders to distribute a proxy botnet, dubbed Socks5Systemz. Socks5Systemz’s infrastructure is extensive and encompasses 53 proxy bot, backconnect, DNS, and address acquisition servers, which are distributed across France, Bulgaria, Netherlands, and Sweden.

MacPaw, a Ukrainian software company, faced the challenge of maintaining business continuity during the Russian invasion. Their CTO, Vira Tkachenko, explained how they prepared for wartime cyber resilience, including forming an emergency team, prioritizing employee safety and service delivery, fortifying their headquarters, ensuring power and connectivity options, building hardware reserves, setting up redundant communications, freezing code changes, and dealing with increased cyberattacks.

AOE servers that are not properly secured are susceptible to a security vulnerability that could potentially grant unauthorized access to the server via the AOE Server Admin user account. Such compromised servers are consequently vulnerable to ransomware attacks, posing a significant security risk.

MITRE has released MITRE ATT&CK v14, the newest iteration of its popular investigation framework / knowledge base of tactics and techniques employed by cyber attackers. The goal of MITRE ATT&CK is to catalog and categorize the known tactics, techniques, and procedures (TTPs) used by adversaries in real-world attacks.

FIRST, the Forum of Incident Response and Security Teams, will release this week version 4.0 of the Common Vulnerability Scoring System (CVSS). CVSS is an open framework that allows organizations and researchers to communicate specific characteristics and severities of software vulnerabilities.

President Joe Biden has signed an executive order aimed at regulating generative AI systems like ChatGPT, recognizing their transformative potential and potential risks. The order focuses on ensuring the safe and responsible development and use of AI. It directs various federal agencies and departments to create standards and regulations for AI in various areas, including criminal justice, education, health care, housing, and labor, with an emphasis on protecting civil rights and liberties.

Last week, Citrix warned that threat actors are actively exploiting a critical information disclosure vulnerability impacting Citrix NetScaler ADC and Gateway instances. Tracked as CVE-2023-4966, the vulnerability can be exploited by unauthenticated attackers to leak sensitive information from on-prem appliances that are configured as an AAA virtual server or gateway. In the past couple of days, security researchers have noticed an alarming increase in exploitation attempts, with several threat actors including ransomware groups, targeting vulnerable instances.

As part of the upcoming third annual meeting of the International Counter-Ransomware Initiative, the Biden administration and dozens of its foreign allies will pledge to stop paying ransomware gangs. Representatives from 48 countries, the European Union, and Interpol are expected to attend this week’s summit, which will focus on strategies to block funds used by ransomware gangs to fuel their operations.

A report by Infoblox uncovers a concerning trend involving a link-shortening service called "Prolific Puma." This service assists cyber attackers and scammers by providing them with top-level .us domains, enabling them to run phishing campaigns with reduced visibility. Over the past 18 months, Prolific Puma has generated up to 75,000 unique domain names, often sidestepping regulations to offer malicious actors .us URLs.

In a recent blog post, cybersecurity firm Proofpoint disclosed that it observed two campaigns on October 11 and 18, 2023, in which TA571, a sophisticated cybercriminal threat actor, delivered the Forked variant of IceID. The forked variant was observed being delivered via emails containing 404 TDS URLs that would lead to the download of a password-protected archive, with the password listed in the email. “The zip file contained a VBS script and a benign text file.

Researchers at Security Joes have uncovered a new Linux Wiper malware dubbed “BiBi-Linux Wiper,” being used by a pro-Hamas Hacktivist group to target Israeli entities in the ongoing Israeli-Hamas conflict. BiBi-Linux Wiper is an x64 ELF executable that is designed to render files unusable by overwriting their contents, further appending targeted files with an extension that uses the following structure “[RANDOM_NAME].BiBi[NUMBER].”

The significant rise in attacks on operational technology (OT) systems is primarily due to two key factors: increasing global threats from nation state actors and the involvement of profit-driven cybercriminals often backed by the former. The lack of success in defending against these attacks can be attributed to several factors, including the complexity of OT environments, the convergence of information technology and OT, insider attacks, supply chain vulnerabilities, and more.

The Russian government is developing its own malware scanning platform, similar to VirusTotal, to address concerns that the U.S. government might access data from the popular Google-owned service. This new platform, called "Multiscanner," is being created by Russia's National Technology Center for Digital Cryptography in collaboration with other organizations and private enterprises, including companies like Kaspersky, AVSoft, and Netoscope.

We wanted to let members know that CISA has introduced a valuable toolset designed to assist companies with their logging requirements. "Logging Made Easy (LME)," LME is a reimagined offering by CISA, that transforms a well-established log management solution into a reliable, centralized log management alternative.

Earlier this year, a software vendor fell victim to a Lazarus malware attack due to unpatched legitimate software. Despite previous warnings and patches from the vendor, vulnerabilities remained, allowing the threat actor to exploit them. Fortunately, proactive measures detected and thwarted an attack on another vendor. Further investigation revealed that the software vendor had been repeatedly targeted by Lazarus, indicating a persistent and determined threat actor likely seeking valuable source code or tampering with the software supply chain. The adversary used advanced techniques and introduced the SIGNBT malware for victim control.

Summary: Researchers at Microsoft released a comprehensive profile of Octo Tempest, a native English speaker known for advanced social engineering skills. Octo Tempest primarily focuses on data extortion and ransomware attacks against various companies. This threat actor’s tactics have been continuously evolving since early 2022, with expanded targeting encompassing organizations offering cable telecommunications, email, and tech services.

Google has announced that it's expanding its Vulnerability Rewards Program (VRP) to compensate researchers for finding attack scenarios tailored to generative artificial intelligence (AI) systems in an effort to bolster AI safety and security.

Cloudflare says the number of hyper-volumetric HTTP DDoS (distributed denial of service) attacks recorded in the third quarter of 2023 surpasses every previous year, indicating that the threat landscape has entered a new chapter” (Bleeping Computer, 2023). DDoS attacks are a type of cyber attack that sends large amounts of traffic towards hosting apps, websites, and online services in an attempt to overwhelm and make them unavailable to legitimate visitors.

A hacking group associated with Russia’s military intelligence agency has been spying on French universities, businesses, think tanks, and government agencies, according to a new report from France’s top cybersecurity agency ANSII” (The Record, 2023). According to the agency, APT28 (Fancy Bear) has been breaching French networks since the second half of 2021 looking for sensitive data. The group chose not to leverage backdoors and instead compromised devices like routers that aren’t as closely monitored.

Chile's telecommunications company, Grupo GTD, has experienced a cyberattack that affected its Infrastructure as a Service (IaaS) platform. The attack caused disruptions to various online services, including data centers, internet access, and Voice-over-IP (VoIP). The attack has been attributed to the Rorschach ransomware gang, which has led to the disconnection of their IaSS platform from the internet.

A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time. Kaspersky discovered the true nature of the malicious framework last year, finding evidence of its activity starting in 2017, with the malware wrongly classified as just a Monero cryptocurrency miner.

Researchers have exposed multiple cyber scams exploiting the Israeli-Hamas conflict. These scams involve more than 500 deceptive emails and fraudulent websites that take advantage of people’s desire to support those affected by the conflict. Many of these emails contain links to counterfeit websites claiming to provide information about the ongoing situation and encouraging individuals to donate using various cryptocurrency payment methods, as reported by Kaspersky researchers.

There was a notable increase in threats to web applications, accounting for 30 percent of the engagements Cisco Talos Incident Response (Talos IR) responded to in the third quarter of 2023, compared to 8 percent the previous quarter. Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements.

A proof-of-concept (PoC) exploit is released for the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, that allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances. CVE-2023-4966 is a critical-severity remotely exploitable information disclosure flaw Citrix fixed on October 10 without providing many details.

As per a report by ESET security, a well-known cybersecurity endpoint protection vendor, the threat actor identified as Winter Vivern, also known as TA473 and UAC-0114, has been detected exploiting a zero-day vulnerability in Roundcube webmail software on October 11, 2023, for the purpose of gathering email messages from victims' accounts. Telemetry data indicates that the campaign specifically aimed at Roundcube Webmail servers owned by governmental entities and a think tank, all located in Europe.

A recent TrendMicro report highlights that IT teams are currently grappling with a deluge of software patches, which are being released on a regular basis, ranging from monthly to daily. As per statistics, contemporary enterprises are burdened with managing an average of 1,061 applications, and due to the frequent issuance of patches by various software vendors, the need for strategic prioritization has become imperative.

Security flaws in the use of OAuth by Grammarly, Vidio, and Bukalapak could potentially put the financial and credential information of millions of users at risk. These issues also raise concerns that other online services may face similar problems, potentially leading to account takeovers, credential theft, and financial fraud for users across various websites. Salt Labs researchers found serious API misconfigurations on websites like Grammarly, Vidio, and Bukalapak, indicating that numerous other sites might be similarly affected.

Ransomware activity in September reached unprecedented levels following a relative lull in August that was still way above regular standards for summer months. According to NCC Group data, ransomware groups launched 514 attacks in September. This surpasses March 2023 activity, which counted 459 attacks, and was heavily skewed by Clop's MOVEit Transfer data theft attacks.

Cybersecurity firm WithSecure, has discovered a connection between recent DarkGate malware attacks targeting its clients and Vietnam-based threat actors engaged in a campaign to compromise Meta business accounts and pilfer sensitive data. WithSecure's Detection and Response Team (DRT) reported multiple DarkGate malware infection attempts against their clients' organizations in the UK, USA, and India on August 4, 2023. The attack methods closely resemble those seen in recent DuckTail infostealer campaigns, which WithSecure has been monitoring for over a year.

A new sophisticated threat tracked as ‘TetrisPhantom’ has been using compromised secure USB drives to target government systems in the Asia-Pacific region. Secure USB drives store files in an encrypted part of the device and are used to safely transfer data between systems, including those in an air-gapped environment. Access to the protected partition is possible through custom software that decrypts the contents based on a user-provided password. One such software is UTetris[.]exe, which is bundled on an unencrypted part of the USB drive.

In a rare display of transparency, US energy services firm BHI Energy details how the Akira ransomware operation breached their networks and stole the data during the attack. BHI Energy, part of Westinghouse Electric Company, is a specialty engineering services and staffing solutions provider supporting private and government-operated oil & gas, nuclear, wind, solar, and fossil power generation units and electricity transmission and distribution facilities.

Google is set to introduce a new "IP Protection" feature in its Chrome browser to enhance user privacy by concealing their IP addresses through the use of proxy servers. This move aims to address privacy concerns related to IP addresses, which can be used for covert tracking, and marks Google's effort to strike a balance between user privacy and web functionality.

In a recent statement from Okta Security, they've reported the discovery of malicious activity involving the unauthorized use of a stolen credential to access Okta's support case management system. The threat actor was able to access files uploaded by specific Okta customers as part of recent support cases. It's essential to clarify that the support case system operates independently of the primary Okta service, which remains fully functional and unaffected. Notably, the Auth0/CIC case management system has not been impacted by this incident.

A hacktivist group supporting Israel, known as Predatory Sparrow, has resurfaced recently. Last week, the group broke its year-long silence by posting a tweet referencing the ongoing Gaza conflict, warning of its return and sharing a link to a report about the United States sending fighter planes and warships to aid Israel. Predatory Sparrow is recognized as a relatively advanced Israeli hacking operation, and it has a track record of conducting disruptive attacks in Iran, aimed at undermining the Iranian government.

In a report from Fortinet, they detail a new information-stealing malware named ExelaStealer that has recently emerged in the cybersecurity landscape. ExelaStealer is described as a low-cost, mostly open-source infostealer with the option for paid customizations. This affordability and openness make it accessible to a wide range of cybercriminals, from novices to more seasoned threat actors. The malware is predominantly coded in Python and offers support for JavaScript. It possesses the capability to exfiltrate a variety of sensitive data, including passwords, Discord tokens, credit card information, cookies, session data, keystrokes, screenshots, and clipboard content.

In a recent report from TrendMicro, researchers delve into critical vulnerabilities and risks associated with 5G and its infrastructure. They take a particular focus on the control plane and the susceptibility of the NGAP protocol to ASN.1-related issues. The first part of the report reveals how GTP-U tunnels can be exploited by user devices, potentially leading to core network crashes. In the second part, the report discusses how attackers can leverage these vulnerabilities by disguising control messages as user traffic, resulting in the transition from the user plane to the control plane.

North Korean hackers have notably increased their emphasis on the IT industry, by infiltrating companies involved in software development and organizations seeking IT professionals. On Wednesday, Microsoft disclosed that North Korean affiliated hacking groups Lazarus (Diamond Sleet) and Andariel (Onyx Sleet) have been exploiting a critical authentication bypass vulnerability (CVE-2023-42793) within JetBrains TeamCity server.

Hoxhunt released the results of their Hoxhunt Challenge, an exercise conducted in 38 organizations across nine industries and 125 countries. Their study revealed that 22% of phishing attacks in the first weeks of October 2023 used QR codes to deliver malicious payloads.

Sandu Diaconu, the operator of the E-Root marketplace, has been extradited to the U.S. to face a maximum imprisonment penalty of 20 years for selling access to compromised computers. The Moldovan defendant was arrested in the U.K. in May 2021 while attempting to flee the country following the authorities' seizure of E-Root's domains in late 2020. Last month, Diaconu consented to be extradited to the United States for wire fraud, money laundering, computer fraud, and access device fraud

The OilRig threat group, connected to Iran, conducted an eight-month-long cyber campaign against an unspecified Middle Eastern government from February to September 2023. This operation resulted in the theft of files and passwords, and at one point, they used a PowerShell backdoor called PowerExchange. The Symantec Threat Hunter Team refers to this operation as "Crambus." The attackers used the PowerExchange implant to monitor emails from an Exchange Server, execute commands, and send the results to themselves. They compromised at least 12 computers and installed backdoors and keyloggers on an additional dozen machines, indicating a significant breach.

In a recent report from Check Point, the focus is on escalating cyber activities during the Israel-Hamas conflict. The key points include a surge in cyberattacks targeting Israel, diverse cyber threats like DDoS attacks and hack-and-leak incidents, and the involvement of various hacktivist groups aligned with geopolitical interests. These developments are causing heightened risks and tensions in the cyber domain.

wo North Korean nation-state actors, Lazarus (or Zinc) and Plutonium (or Andariel), have been exploiting a known remote code execution vulnerability in the TeamCity continuous integration and continuous deployment tool. The vulnerability, CVE-2023-42793, was patched by JetBrains in version 2023.05.4. These actors have been targeting on-premises instances of TeamCity, deploying backdoors, stealing credentials, and more. Microsoft's threat intelligence group observed these attacks and noted that both groups may be opportunistically compromising vulnerable servers, but they have also used techniques that could provide persistent access to victim environments.

Marquis Hooper, a former U.S. Navy IT manager, has received a sentence of five years and five months in prison for illegally obtaining US citizens' personally identifiable information (PII) and selling it on the dark web. The man was indicted with his wife, Natasha Renee Chalk, in February 2021 and pleaded guilty to aggravated identity theft and conspiracy to commit wire fraud in March 2023.

A group of cyber activists under the Ukrainian Cyber Alliance (UAC) banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available. The Ukrainian Cyber Alliance fighters say they exfiltrated all of the data from the threat actor’s systems, including source code and database records, which may include decryption keys.

Taiwanese networking equipment manufacturer D-Link confirmed a data breach linked to information stolen from its network and put up for sale on BreachForums earlier this month. The attacker claims to have stolen source code for D-Link's D-View network management software, along with millions of entries containing personal information of customers and employees, including details on the company's CEO.

Last week, CISA warned organizations about critical and high-severity vulnerabilities in a human-machine interface (HMI) product made by Taiwan-based Weintek. According to CISA, the impacted product, the Weintek cMT HMI, is used worldwide, including in critical manufacturing organizations, which are considered part of critical infrastructure.

Amid the COVID-19 pandemic, as remote work became a necessity, IT teams had to rapidly implement protocols and software suites to maintain business continuity and efficiency. This involved enabling routing configurations and adjusting inbound and outbound policies on appliances that previously didn't support remote connections. This allowed networking appliances and software packages to be accessed and configured on-the-fly, enabling staff to access the necessary resources for their work from locations outside the traditional office spaces.

In a recent report from Cofense, the significance of using voice messages for communication was brought to the forefront. The report highlighted an ongoing phishing campaign where threat actors strategically included an access key in the email content, alluring users into accessing what appeared to be a genuine voice message intended for them.

The state-sponsored Russian hacking group tracked as 'Sandworm' has compromised eleven telecommunication service providers in Ukraine between May and September 2023. That is based on a new report by Ukraine's Computer Emergency Response Team (CERT-UA) citing 'public resources' and information retrieved from some breached providers.

Researchers from Sekoia have released details on a new campaign from the threat group behind SocGholish. This latest activity leverages compromised WordPress sites to push malicious fake browser updates. The campaign, which has been called ClearFake, injects Javascript into compromised WordPress websites so that it downloads another Javascript payload from an attacker controlled domain.

Colonial Pipeline has reported that there has been no disruption to its pipeline operations or systems following threats from a ransomware group known as Ransomed.vc. Colonial Pipeline is responsible for operating the largest pipeline system for refined oil products in the United States. The Ransomed.vc gang claimed that they had stolen data from Colonial Pipeline's systems.

In a recent report by SentinelOne, they've highlighted a noteworthy shift in the behavior of macOS malware. The trend we're observing is a move away from the concept of persistence, particularly in many malware families. Specifically, infostealers have taken center stage, aiming to accomplish their objectives in a single execution. This includes the theft of valuable data such as admin passwords, browsing history, and cookies, all achieved without relying on traditional methods of maintaining persistence.

A less detectable version of the RomCom backdoor was used to target attendees of the Women Political Leaders Summit in Brussels, which centers on gender equality and women in politics. The attackers created a fake website resembling the official WPL portal to lure individuals looking to participate or learn about the summit.

Like the Russia-Ukraine conflict, Hacktivism has appeared on the threat landscape as a result of the ongoing Israel-Hamas crisis. While early attacks were focused on DDoS and defacement, cybersecurity experts are now warning of signs that more impactful attacks are being attempted.

Microsoft says their Microsoft Defender for Endpoint helped block a large-scale hacking campaign carried out by the Akira ransomware group, which they track as Storm-1567. The attack which took place in early June was aimed at an industrial engineering organization.

The Environmental Protection Agency will no longer require cybersecurity audits of U.S. water utilities through sanitary surveys. “In a letter to state drinking water administrators on Thursday, the EPA said litigation from Republican states and trade associations, which raised questions about the long-term legal viability of the initiative to regulate the cybersecurity of water utilities, drove the decision to rescind a March memorandum implementing the rule.

Internet-exposed WS_FTP servers unpatched against a maximum severity vulnerability are now targeted in ransomware attacks. As recently observed by Sophos X-Ops incident responders, threat actors self-described as the Reichsadler Cybercrime Group attempted, unsuccessfully, to deploy ransomware payloads created using a LockBit 3.0 builder stolen in September 2022.

The DarkGate malware is being spread through messaging platforms like Skype and Microsoft Teams. It disguises itself as a PDF document, but contains a harmful script that downloads and runs the malware. It’s uncertain how the attackers compromised the messaging app accounts, but it’s suspected to be due to leaked credentials or a previous compromise of the organization.

In a recent report from Check Point, it was observed that ransomware actors can rapidly incapacitate systems through partial encryption. You might be wondering, what is partial encryption and why is it effective? Generally, encryption, especially for large data volumes, can be a time-consuming process. Consequently, attackers are seeking more efficient and effective methods to make victims' data inaccessible until the ransom is paid.

According to recent reporting, the majority of organizations facing ransomware attacks are choosing to pay ransoms, with over half paying more than $100,000 to regain access to their systems and data. A Splunk study found that 96% of respondents had encountered a ransomware attack, and 52% described the impact on their business as significant.

North Korea’s state-sponsored hackers, under the direction of its ruling regime, are constantly improving their tactics for conducting cyber operations. This information comes from a recent report by Google’s Mandiant threat intelligence team. The report reveals how the Pyongyang-based regime, despite its small population of 25 million, utilizes cyber intrusions for both espionage and financial crimes, thereby bolstering its power and financing its cyber and kinetic capabilities.

Microsoft threat intelligence experts are seeing a trend of Chinese threat groups deploying less desktop malware and prioritizing in stealing passwords and tokens that can be used to access sensitive systems used by remote workers. Ever since the COVID-19 pandemic, work from home has become a norm with organizations granting employees remote access to sensitive systems and resources.

Cofense has detected a surge in the abuse of LinkedIn Smart Links in phishing attacks allowing actors to bypass protection measures and evade detection. “Smart Links are part of LinkedIn's Sales Navigator service, used for marketing and tracking, allowing Business accounts to email content using trackable links to determine who engaged with it.

On October 11, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on AvosLocker ransomware. AvosLocker is a Ransomware-as-a-Service group that employs double extortion tactics in their ransomware attack campaigns. AvosLocker was first seen in June 2021, and they have multiple ransomware variants for Windows, Linux, and VMware ESXi environments.

Cofense has detected a surge in the abuse of LinkedIn Smart Links in phishing attacks allowing actors to bypass protection measures and evade detection. “Smart Links are part of LinkedIn's Sales Navigator service, used for marketing and tracking, allowing Business accounts to email content using trackable links to determine who engaged with it. Also, because Smart Link uses LinkedIn's domain followed by an eight-character code parameter, they appear to originate from a trustworthy source and bypass email protections” .

On October 11, 2023, The Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on AvosLocker ransomware. AvosLocker is a Ransomware-as-a-Service group that employs double extortion tactics in their ransomware attack campaigns. AvosLocker was first seen in June 2021, and they have multiple ransomware variants for Windows, Linux, and VMware ESXi environments.

Microsoft says a Chinese-backed threat group tracked as 'Storm-0062' (aka DarkShadow or Oro0lxy) has been exploiting a critical privilege escalation zero-day in the Atlassian Confluence Data Center and Server since September 14, 2023.

The People’s Republic of China (PRC) is likely prioritizing disruptive cyber capabilities against five key U.S. critical infrastructure sectors: Energy, Water and Wastewater systems, Communications, Transportation systems, and Financial services.

Last week, researchers warned of a critical flaw in curl, the popular command line transfer tool. Curl project founder and lead developer Daniel Stenberg called it “probably the worst curl security flaw in a long time.” While details were initially withheld, a patch released today fixed two separate vulnerabilities tracked as CVE-2023-38545 and CVE-2023-38546.

Researchers from GitHub security lab have discovered a critical vulnerability in a library used within the GNOME desktop environment for Linux systems. GNOME is a popular open-source desktop environment found in distributions like Ubuntu and Fedora. The vulnerability, rated 8.8 out of 10, resides in a library called "libcue," which is used for parsing metadata related to CD or DVD track layouts.

Google says it mitigated a series of DDoS attacks reaching a peak of 398 million requests per second (rps), which is nearly 9 times bigger than the largest-recorded DDoS attack last year, peaking at 46 million rps. The latest set of attacks started in August and are still ongoing. According to Google, the attacks rely on a novel technique dubbed “Rapid Reset” which leverages stream multiplexing, a feature of the widely-adopted HTTP/2 protocol.

Microsoft says it is in the works of removing VBScript (Visual Basic Script), a scripting language that was introduced by the tech giant approximately 30 years ago. Although VBScript was originally designed for Windows automation and administrative tasks, over the years, threat actors have misused it to create and distribute malicious payloads.

Security researchers have revealed evidence of a newly discovered APT group that primarily targeted Taiwanese organizations during a cyber-espionage campaign spanning at least four months. Known as "Grayling" according to Symantec, this group initiated their operations in February 2023 and persisted until at least May 2023.

As we approach the holiday season, we've remained vigilant in warning our members about the recent surge in phishing attacks targeting U.S. Postal Service (USPS) customers. These malicious campaigns are disseminated through SMS, email, and various other phishing methods. In these attacks, criminals impersonate USPS services with the intent to deceive individuals and pilfer personal and financial information.

According to Microsoft’s latest Digital Defense Report, Ukraine, the United States, and Israel were the most targeted countries based on state-sponsored threat activity observed by the tech giant against organizations in more than 120 countries. Based on intel gathered between July 2022 and June 2023, the majority of cyber attacks observed were fueled by nation-state spying and influence operations, with 40% of all observed attacks targeting critical infrastructure organizations.

The District of Columbia Board of Elections (DCBOE) is currently probing a data leak involving an unknown number of voter records following breach claims from a threat actor known as RansomedVC. DCBOE operates as an autonomous agency within the District of Columbia Government and is entrusted with overseeing elections, managing ballot access, and handling voter registration processes.

According to reports, several hacker groups have joined in on the Israel-Hamas conflict. State-sponsored threat actors have ramped up their cyber efforts, but so to have hacktivist groups supporting both sides of the war.

Hackers are conducting a large-scale campaign to exploit the recent CVE-2023-3519 flaw in Citrix NetScaler Gateways to steal user credentials. The flaw is a critical unauthenticated remote code execution bug discovered as a zero-day in July that impacts Citrix NetScaler ADC and NetScaler Gateway. By early August, the flaw had been leveraged to backdoor at least 640 Citrix servers, and the figure reached 2,000 by mid-August.

The UK's National Cyber Security Centre (NCSC) has released guidance to assist medium to large organizations in mapping their supply chains, with a focus on boosting confidence in managing vulnerabilities related to suppliers. Additionally, a report by Picus Security highlights the growing prevalence of multipurpose malware, which possesses multiple functionalities.

GitHub recently updated its secret scanning feature to extend validity checks to popular services including Amazon Web Services (AWS), Microsoft, Google, and Slack. The feature was introduced earlier this year to help alert users whether exposed tokens found by the secret scanning are active. While the feature was first enabled for GitHub tokens, the cloud-based code hosting and version control service is now including support for more tokens.

Sony Interactive Entertainment (Sony) has informed both current and former employees and their family members regarding a cybersecurity incident that resulted in the exposure of personal information. The company has dispatched data breach notifications to approximately 6,800 individuals, verifying that the breach transpired due to an unauthorized entity exploiting a zero-day vulnerability in the MOVEit Transfer platform.

A recent report highlights the growing presence of drones above sensitive maritime facilities, signaling a common occurrence. The report also criticizes the effectiveness of current federal counter-UAS legislation, citing a lack of authorities and capabilities to intercept suspicious drones. U.S. Coast Guard Capt. Andrew J. Meyers emphasized the importance of Area Maritime Security Committees (AMSCs) in safeguarding the nation's ports, praising their role in fostering relationships, collaborative planning, communication, and unity of effort.

Proof-of-concept exploits have already surfaced online for a high-severity flaw in GNU C Library's dynamic loader, allowing local attackers to gain root privileges on major Linux distributions. Dubbed 'Looney Tunables' and tracked as CVE-2023-4911, this security vulnerability is due to a buffer overflow weakness, and it affects default installations of Debian 12 and 13, Ubuntu 22.04 and 23.04, and Fedora 37 and 38.

Yesterday, Apple rolled out emergency security updates to fix a new zero-day flaw impacting iOS and iPadOS. Tracked as CVE-2023-42824, the bug stems from a weakness in the XNU kernel which could allow local attackers to escalate privileges on unpatched iPhones and iPads.

Atlassian has published security updates to fix an actively exploited zero-day vulnerability in its Confluence Data Center and Server software. Tracked as CVE-2023-22515, the flaw relates to a case of privilege escalation. Although Atlassian did not specify the root cause of this flaw, the vulnerability could allow a regular user account to elevate to admin.

In a recent report from Menlo Security, it was discovered that Indeed, a widely recognized global job search platform headquartered in the US, boasting over 350 million monthly visitors and a global workforce of more than 14,000 employees, has become the focus of a significant phishing campaign. This campaign underscores how threat actors can exploit the platform's credibility and popularity.

About 100,000 industrial control systems (ICS) were found on the public web, exposed to attackers probing them for vulnerabilities and at risk of unauthorized access. Among them are power grids, traffic light systems, security and water systems.

The commonality among "bank transfer request[.]lnk," "invoice OTP bank[.]pdf[.]lnk," and "URGENT-Invoice-27-August[.]docx[.]lnk" is that they are all names of Windows shortcut files found in Zip archives attached to phishing emails, as reported by Cisco Talos researchers.

A recently uncovered phishing campaign is targeting Microsoft 365 accounts of key executives in U.S.-based organizations by abusing open redirects from the Indeed employment website for job listings. The threat actor is using the EvilProxy phishing service that can collect session cookies, which can be used to bypass multi-factor authentication (MFA) mechanisms.

Security researchers discovered a new malware-as-a-service (MaaS) named 'BunnyLoader' advertised on multiple hacker forums as a fileless loader that can steal and replace the contents of the system clipboard. The malware is under rapid development, with updates adding new features and bug fixes. It can currently download and execute payloads, log keys, steal sensitive data and cryptocurrency, and execute remote commands.

According to a recent report from Malwarebytes, it was found that ransomware attacks don't typically originate as a fresh problem for organizations; instead, they are the grim culmination of unresolved network compromises. Threat actors gain initial access through stolen login credentials, deployed malware, or established backdoors—akin to leaving an unlocked door for future visits.

Human Security has exposed a significant monetization method employed by a sophisticated cyber-criminal operation. This operation involved the sale of backdoored off-brand mobile and CTV (Connected TV) Android devices through major retailers, which had originated from repackaging factories in China.

The FBI issued a public service announcement warning of a significant increase in 'phantom hacker' scams targeting senior citizens across the United States. ‘This Phantom Hacker scam is an evolution of more general tech support scams, layering imposter tech support, financial institution, and government personas to enhance the trust victims place in the scammers and identify the most lucrative accounts to target,’ the FBI said.

Ransomware gangs are now targeting a recently patched critical vulnerability in JetBrains' TeamCity continuous integration and deployment server. The flaw (tracked as CVE-2023-42793 and tagged with a 9.8/10 severity score) allows unauthenticated attackers to gain remote code execution (RCE) after successfully exploiting an authentication bypass weakness in low-complexity attacks that don't require user interaction.

In a recent report from Forbes, the nation's cybersecurity was in a tight spot when Congress passed a bill to keep the government running for the next 45 days. A government shutdown could have caused problems for many government functions, including those responsible for protecting the country from cyberattacks. Depending on how long the shutdown lasted, it could have led to a crisis for companies and organizations across the country.

Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products. The first bug is a flaw tracked as CVE-2023-4863 and is caused by a heap buffer overflow weakness in the WebP code library (libwebp), whose impact ranges from crashes to arbitrary code execution.

In a recent report by SentinelOne, it's highlighted that Microsoft's security business has seen substantial growth, generating over $20 billion annually. The International Data Corporation (IDC) reported that Microsoft holds the largest market share in 2022, at 18.9%, with a 7.2% increase. Similarly, Gartner estimated that in 2021, Microsoft controlled 8.5% of the entire security software market, outperforming its competitors.

This report was filed under "Vendor Reports" because it was investigated by Microsoft (being the vendor) as a notable incident, "Microsoft researchers discovered that the threat actors gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook[.]com by forging authentication tokens to access user email." Microsoft corrected the issue in its products by, "Revoking all valid MSA signing keys to prevent attackers from accessing other compromised keys."

An emerging Android banking trojan called Zanubis is now masquerading as a Peruvian government app to trick unsuspecting users into installing the malware. ‘Zanubis's main infection path is through impersonating legitimate Peruvian Android applications and then tricking the user into enabling the Accessibility permissions in order to take full control of the device,’ Kaspersky said in an analysis published last week.

A critical zero-day vulnerability was disclosed in the Exim mail transfer agent (MTA) software, which if successfully exploited could enable an unauthenticated attacker to gain remote code execution on Internet-exposed servers. Tracked as CVE-2023-42115, the flaw resides in the SMTP service, which listens on TCP port 25 by default. According to Trend Micro’s Zero Day Initiative, which uncovered the flaw, CVE-2023-42115 results from a lack of proper validation of user-supplied data which could result in a write past the end of a buffer and further allow an attacker to execute code in the context of the service account.

Over the weekend, security researchers uncovered a critical vulnerability (CVE-2023-40044) in Progress Software's WS_FTP Server. They released a proof-of-concept (PoC) exploit along with technical details. The flaw stems from a .NET deserialization vulnerability in the Ad Hoc Transfer Module, allowing unauthenticated attackers to execute remote commands via a simple HTTP request. Assetnote researchers, who discovered the issue, expressed surprise at how long it remained unpatched.

Proof-of-concept exploit code has surfaced on GitHub for a critical authentication bypass vulnerability in Microsoft SharePoint Server, allowing privilege escalation. Tracked as CVE-2023-29357, the security flaw can let unauthenticated attackers gain administrator privileges following successful exploitation in low-complexity attacks that don't require user interaction.

The Lazarus APT, associated with North Korea, gained access to a Spanish aerospace company's network through a spearphishing campaign in which they posed as a Meta recruiter (the parent company of Facebook, Instagram, and WhatsApp). Their ultimate objective was cyberespionage.

Hackers targeted the European Telecommunications Standards Institute (ETSI), a nonprofit organization responsible for developing communication standards, and stole a user database. The motive behind the attack remains unclear, with suspicions ranging from financial gain to potential espionage. ETSI engaged France's cybersecurity agency ANSSI to investigate and enhance its information systems' security.

China-linked hackers breached Microsoft's email platform in May and stole tens of thousands of emails from U.S. State Department accounts, according to a Senate staffer. During a briefing by State Department IT officials, it was revealed that threat actors targeted around 60,000 emails from a total of 10 State Department accounts belonging to officials working in East Asia, the Pacific, and Europe.

A Chinese cyber-espionage group known as Budworm has recently been detected engaging in cyberattacks. They have specifically targeted a telecommunications company in the Middle East and a government organization in Asia. What's noteworthy is that they've deployed a new version of their customized 'SysUpdate' malware.

The Cybersecurity and Infrastructure Security Agency is preparing to furlough more than 80% of its workforce under a government shutdown, potentially leaving the lead U.S. cyber agency with a skeleton crew to initially respond to attacks on the networks of federal agencies and critical infrastructure.

Yesterday, Google released emergency security updates to address a zero-day flaw impacting its Chrome Browser. Tracked as CVE-2023-5217, the flaw relates to a heap buffer overflow weakness in the VP8 encoding of libvpx, an open-source video codec library from Google and the Alliance for Open Media (AOMedia). A successful exploit of this flaw could lead to browser crashes or arbitrary code execution.

Multiple vulnerabilities have been identified in Cisco Catalyst SD-WAN Manager (formerly Cisco SD-WAN vManage). These vulnerabilities could potentially allow attackers to access an affected instance or cause a denial of service (DoS) condition on the affected system. Cisco has taken action to address these vulnerabilities through software updates, "Although exploiting this vulnerability demands significant access to the target environment, threat actors have already initiated attacks, as reported by the company in the same advisory.

US and Japanese law enforcement and cybersecurity agencies warn of the Chinese 'BlackTech' hackers breaching network devices to install custom backdoors for access to corporate networks. The joint report comes from the FBI, NSA, CISA, and the Japanese NISC (cybersecurity) and NPA (police), who explain that the state-sponsored hacking group is breaching network devices at international subsidiaries to pivot to the networks of corporate headquarters.

Hackers are breaching GitHub accounts and inserting malicious code disguised as Dependabot contributions to steal authentication secrets and passwords from developers. The campaign unfolded in July 2023, when researchers discovered unusual commits on hundreds of public and private repositories forged to appear as Dependabot commits.

Researchers at Proofpoint have uncovered a new malware strain dubbed ZenRAT which is being distributed via bogus installation packages of the Bitwarden password manager. ZenRAT is a modular remote access trojan that comes with various modules designed to steal information from victims’ systems. Although researchers noted that ZenRAT is being hosted on fake websites pretending to be associated with Bitwarden, it’s unclear how end users are being directed to these sites.

Threat actors are employing a novel tactic by incorporating zero-point fonts within emails, creating the illusion that malicious emails have undergone successful security scans in Microsoft Outlook. While the ZeroFont phishing method has been previously observed, its current application marks a significant development. ISC Sans analyst Jan Kopriva, in a recent report, cautions that this technique could greatly enhance the success rate of phishing attacks, underscoring the importance of user awareness regarding its deployment in real-world scenarios.

Google has assigned a new CVE ID (CVE-2023-5129) to a libwebp security vulnerability exploited as a zero-day in attacks and patched two weeks ago. The company initially disclosed the flaw as a Chrome weakness, tracked as CVE-2023-4863, rather than assigning it to the open-source libwebp library used to encode and decode images in WebP format.

Security researchers have identified ShadowSyndicate as a threat actor using seven ransomware families in attacks over the past year. They suggest it could be an initial access broker and affiliate to ransomware operations. Their findings are based on a distinct SSH fingerprint found on 85 IP servers, discovered using tools like Shodan and Censys. This fingerprint was first seen in July 2022 and still in use in August 2023. Researchers also found eight different Cobalt Strike watermarks on ShadowSyndicate servers.

The Better Outcomes Registry & Network (BORN), a healthcare organization funded by the government of Ontario, has announced that it is among the victims of Clop ransomware's MOVEit hacking spree. BORN is a perinatal and child registry that collects, interprets, shares and protects critical data about pregnancy, birth and childhood in the province of Ontario.

An updated version of an Android banking trojan called Xenomorph has set its sights on more than 35 financial institutions in the U.S. The campaign, according to Dutch security firm ThreatFabric, leverages phishing web pages that are designed to entice victims into installing malicious Android apps that target a broader list of apps than its predecessors.

Resecurity research has uncovered that the 'Smishing Triad' cybercrime group, known for conducting phishing attacks via SMS (smishing), has expanded its operations into the United Arab Emirates (UAE).

The number of victim organizations hit by Cl0p via vulnerable MOVEit installations has surpassed 2,000, and the number of affected individuals is now over 60 million. The victim organizations are overwhelmingly based in the US.

Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin. ‘Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAVs service manuals have begun to surface," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

According to a joint investigation conducted by Citizen Lab and Google’s Threat Analysis Group, three zero-day flaws addressed by Apple on September 21, 2023, were leveraged as part of an exploit chain to deliver Predator spyware on the device of a former Egyptian member of parliament Ahmed Eltantawy.

A highly advanced backdoor malware called 'Deadglyph' was recently employed in a cyber espionage operation targeting a Middle Eastern government agency. This sophisticated malware, known as Deadglyph, has been linked to the Stealth Falcon Advanced Persistent Threat (APT) group, also known as Project Raven or FruityArmor.

Researchers at Kaspersky Lab have uncovered a new backdoor called "SessionManager" that has been used in attacks targeting Microsoft IIS Servers since March 2021. This backdoor allows threat actors to maintain persistent, update-resistant, and stealthy access to a targeted organization's IT infrastructure. It has been deployed in over 20 organizations, and as of late April 2022, many samples were not yet flagged as malicious by online file scanning services.

The City of Dallas, Texas, said this week that the Royal ransomware attack that forced it to shut down all IT systems in May started with a stolen account. Royal gained access to the City's network using a stolen domain service account in early April and maintained access to the compromised systems between April 7 and May 4. During this period, they successfully collected and exfiltrated 1.169 TB worth of files based on system log data analysis conducted by city officials and external cybersecurity experts.

Proofpoint has observed an increase in activity from specific malware families targeting Chinese-language speakers. Campaigns include Chinese-language lures and malware typically associated with Chinese cybercrime activity. Newly observed ValleyRAT is emerging as a new malware among Chinese-themed cybercrime activity, while Sainbox RAT and related variants are recently active as well.

Pro-Russia hacker group NoName is suspected of launching a DDoS cyberattack that caused significant disruptions at several Canadian airports. The attack affected check-in kiosks and electronic gates, leading to delays in the processing of arrivals at border checkpoints across the country. The Canada Border Services Agency (CBSA) confirmed the DDoS attack and is investigating the incident, assuring that no personal information has been compromised. No evidence of a data breach has been found at this time.

The P2PInfect botnet worm has entered a phase of significantly increased activity, with a notable surge observed from late August through September 2023. Initially documented by Unit 42 in July 2023, P2PInfect is categorized as a peer-to-peer malware that exploits a remote code execution vulnerability to breach Redis instances on internet-exposed Windows and Linux systems.

A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant).

Today, T-Mobile customers said they could see other peoples' account and billing information after logging into the company's official mobile application. According to user reports on social media, the exposed information included customers' names, phone numbers, addresses, account balances, and credit card details like the expiration dates and the last four digits.

Chinese-speaking individuals have become the focus of numerous email phishing campaigns, with the objective of disseminating various malware types like Sainbox RAT, Purple Fox, and a newly identified trojan named ValleyRAT.

GitLab recently rolled out security updates to address a critical vulnerability impacting its enterprise edition. Tracked as CVE-2023-5009, the flaw could enable an attacker to run pipelines as an arbitrary user via scheduled security scan policies. As such, the actor could use elevated permissions of the impersonated user to further access sensitive information, modify source code, or even run arbitrary code on the targeted system.

Finnish law enforcement authorities have announced the takedown of PIILOPUOTI, a dark web marketplace that specialized in illegal narcotics trade since May 2022. ‘The site operated as a hidden service in the encrypted TOR network,’ the Finnish Customs (aka Tulli) said in a brief announcement on Tuesday. ‘The site has been used in anonymous criminal activities such as narcotics trade.’

Threat actors exploited a recently disclosed WinRAR vulnerability (CVE-2023-40477) by repurposing an older proof-of-concept (PoC) code. The Zero Day Initiative initially reported the WinRAR vulnerability to the vendor on June 8, 2023, but publicly disclosed it on August 17, 2023. Within four days of the public disclosure, an actor known as "whalersplonk" uploaded a fake PoC script to their GitHub repository.

Snatch is a ransomware group primarily targeting Windows-based systems. They employ various tactics, including exploiting vulnerabilities, brute force attacks, and data exfiltration to compromise and extort victims. Snatch operates under a ransomware-as-a-service (RaaS) model and has targeted critical infrastructure sectors such as Defense Industrial Base (DIB), Food and Agriculture, and Information Technology.

Telecommunications companies have increasingly become the focus of state-sponsored actors and advanced adversaries in recent years. In 2022, the telecommunications sector consistently ranked as one of the most targeted verticals in Talos IR (Incident Response) engagements. Telecom companies control critical infrastructure assets, which make them attractive targets for adversaries seeking to create significant disruptions.

Trend Micro fixed a remote code execution zero-day vulnerability in the Trend Micro's Apex One endpoint protection solution that was actively exploited in attacks. Apex One is an endpoint security solution catering to businesses of all sizes, and the 'Worry-Free Business Security' suite is designed for small to medium-sized companies.

China-linked threat group Earth Lusca has deployed a new Linux malware called SprySOCKS in a recent cyber espionage campaign. Researchers at Trend Micro discovered this malware while tracking Earth Lusca's activities. SprySOCKS, based on an open-source Windows backdoor called Trochilus, was adapted for Linux. Earth Lusca continues to develop it, as evidenced by different versions detected.

CISA has published an additional malware analysis report associated with malicious Barracuda activity.

In the Middle East, telecommunication service providers are facing a new cyber threat known as ShroudedSnooper. This intrusion set employs a stealthy backdoor called HTTPSnoop, as reported by Cisco Talos. HTTPSnoop is a backdoor that uses innovative techniques to interface with Windows HTTP kernel drivers and devices.

The malware loader 'Bumblebee' has broken its two-month vacation with a new campaign that employs new distribution techniques that abuse 4shared WebDAV services. WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that enables clients to perform remote authoring operations such as creating, accessing, updating, and deleting web server content.

Microsoft on Monday said it took steps to correct a glaring security gaffe that led to the exposure of 38 terabytes of private data. The leak was discovered on the company's AI GitHub repository and is said to have been inadvertently made public when publishing a bucket of open-source training data, Wiz said. It also included a disk backup of two former employees' workstations containing secrets, keys, passwords, and over 30,000 internal Teams messages.

A new cloud-native cryptojacking operation, known as AMBERSQUID, is targeting less common AWS services like AWS Amplify, AWS Fargate, and Amazon SageMaker for illicit cryptocurrency mining. Sysdig, a security firm, identified this campaign while analyzing 1.7 million Docker Hub images and attributed it to Indonesian attackers due to their use of the Indonesian language in scripts and usernames.

“Researchers at vx-underground have uncovered a major data breach involving the hacker known as "USDoD," who leaked highly sensitive data from TransUnion, a leading consumer credit reporting agency. The breach exposed personal information of 58,505 individuals globally, including names, passport details, financial data, and more, dating back to March 2022.

The pro-Russian cybercrime group named NoName057(16) has been observed launching distributed denial-of-service (DDoS) attacks against Canadian organizations, a fresh government alert warns. Since March 2022, the threat actor – also known as NoName05716, 05716nnm or Nnm05716 – has been launching disruptive attacks in support of Russia’s invasion of Ukraine.

The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage. While investigating a recent breach, Sophos X-Ops incident responders discovered that the attackers used a new Sphynx variant with added support for using custom credentials. After gaining access to the Sophos Central account using a stolen One-Time Password (OTP), they disabled Tamper Protection and modified the security policies

Since February 2023, Microsoft has reported that an Iranian-backed threat group known as APT33 (or Peach Sandstorm, HOLMIUM, Refined Kitten) has been conducting password spray attacks against thousands of organizations in the U.S. and globally. These attacks involve attempting to access multiple accounts using a single or commonly used password, increasing the chances of success without triggering account lockouts.

Trucking and fleet management solutions provider ORBCOMM has confirmed that a ransomware attack is behind recent service outages preventing trucking companies from managing their fleets. ORBCOMM is a solutions provider for freight companies to manage fleets and track transported assets. The company also provides Electronic Logging Devices (ELD) that truckers use to log their hours to adhere to federal safety regulations.

An ongoing campaign is targeting Facebook Business accounts with bogus messages to harvest victims' credentials using a variant of the Python-based NodeStealer and potentially take over their accounts for follow-on malicious activities. ‘The attacks are reaching victims mainly in Southern Europe and North America across different segments, led by the manufacturing services and technology sectors.

A major data breach at Airbus revealed earlier this week stemmed from a RedLine info-stealer likely hidden in a pirated copy of Microsoft software, according to researchers. The European aerospace giant said it has launched an investigation into the incident.

Despite authentication being a cornerstone of cybersecurity, risk mitigation strategies remain outdated, according to new research from Enzoic. With the attack surface expanding and the increasing sophistication of cyber threats, organizations are struggling to deliver secure and user-friendly authentication. The research uncovered that despite the emergence of modern strategies, most companies still rely on traditional approaches.

The "Scattered Spider" threat group is believed to be responsible for the cyberattack on MGM Resorts that occurred on September 10. This attack has left systems offline in over 30 hotels and casinos owned by the conglomerate worldwide, and the disruption continues even days later. As reported by Reuters, the Scattered Spider ransomware group, as identified by sources familiar with the situation, is believed to consist of young individuals based in the US and UK.

The iPhone belonging to Galina Timchenko, a prominent Russian journalist and critic of the government, was compromised with NSO Group's Pegasus spyware, a new collaborative investigation from Access Now and the Citizen Lab has revealed. The infiltration is said to have happened on or around February 10, 2023. Timchenko is the executive editor and owner of Meduza, an independent news publication based in Latvia.

Adobe recently addressed a critical flaw in Acrobat and Reader that could enable actors to execute malicious code on targeted systems. Tracked as CVE-2023-26369, the vulnerability has been rated 7.8 out of 10 on the CVSS scale, indicating a high level of severity. According to the vendor, CVE-2023-26369 relates to an out-of-bounds write issue and can be exploited to execute arbitrary code via specially crafted PDF documents.

Auckland Transport's Hop card system has been hit by a suspected ransomware attack, leading to disruptions in card top-up services and limited functionality at customer service centers. The attack is under investigation, and there is no indication that personal or financial data has been compromised. Commuters can still use their cards to tag on and off, but online top-ups and services on the AT website are unavailable.

Akamai researchers recently discovered a high-severity vulnerability in Kubernetes tracked as CVE-2023-3676 (CVSS 8.8). This identification of this issue led to the discovery of two more vulnerabilities tracked as CVE-2023-3893, and CVE-2023-3955 (CVSS 8.8). All three vulnerabilities were caused by insecure function call and the lack of user input sanitization.

A new strain of macOS malware is targeting enterprise users, as indicated by file names and content. Some versions of this malware, called MetaStealer, masquerade as Adobe files, while others use deceptive methods like password-protected ZIP files sent by fake clients. Once opened, these files reveal an app disguised as a PDF.

Microsoft has reported a change in tactics by an initial access broker, previously associated with ransomware groups. This actor, identified as Storm-0324, has shifted its focus to Microsoft Teams phishing attacks as a means to infiltrate corporate networks. Storm-0324 is a financially motivated threat group with a history of deploying ransomware such as Sage and GandCrab in previous campaigns.

A new ransomware family called 3AM has emerged in the wild after it was detected in a single incident in which an unidentified affiliate deployed the strain following an unsuccessful attempt to deliver LockBit (attributed to Bitwise Spider or Syrphid) in the target network. 3AM gets its name from the fact that it's referenced in the ransom note. It also appends encrypted files with the extension .threeamtime.

As part of the September Patch Tuesday, Microsoft addressed 59 flaws, including two zero-days that were exploited in attacks in the wild. In total, Microsoft released fixes for 3 Security Feature Bypass Vulnerabilities, 24 Remote Code Execution Vulnerabilities, 9 Information Disclosure Vulnerabilities, 3 Denial of Service Vulnerabilities, 5 Spoofing Vulnerabilities, and 5 Edge - Chromium Vulnerabilities.

Mozilla released emergency security updates today to fix a critical zero-day vulnerability exploited in the wild, impacting its Firefox web browser and Thunderbird email client. Tracked as CVE-2023-4863, the security flaw is caused by a heap buffer overflow in the WebP code library (libwebp), whose impact spans from crashes to arbitrary code execution.

Hackers use a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages to target Facebook business accounts with password-stealing malware. The attackers trick the targets into downloading a RAR/ZIP archive containing a downloader for an evasive Python-based stealer that grabs cookies and passwords stored in the victim's browser.

Yesterday, Google released security updates to fix a critical zero-vulnerability in its Chrome web browser. Tracked as CVE-2023-4863, the flaw relates to a heap-based buffer overflow in the WebP image format. Successful exploitation of this issue could result in browser crashes or arbitrary code execution.

Security researchers at Kaspersky have exposed the activities of the infamous ransomware group Cuba. In a recent advisory, Kaspersky revealed that this cyber-criminal gang has been targeting organizations across different industries worldwide. In December 2022, Kaspersky detected a suspicious incident on a client's system, which led to the discovery of three mysterious files triggering the komar65 library, also known as BUGHATCH.

Apple released security updates for older iPhones to fix a zero-day vulnerability tracked as CVE-2023-41064 that was actively exploited to infect iOS devices with NSO's Pegasus spyware. CVE-2023-31064 is a remote code execution flaw that is exploited by sending maliciously crafted images via iMessage.

An espionage threat group tracked as 'Redfly' hacked a national electricity grid organization in Asia and quietly maintained access to the breached network for six months. These new findings come from Symantec, who found evidence of ShadowPad malware activity in the organization's network between February 28 and August 3, 2023, along with keyloggers and specialized file launchers.

A recent phishing scheme has exploited Microsoft Teams messages as a means to distribute harmful attachments that deploy the DarkGate Loader malware. This campaign commenced in late August 2023, as phishing messages originating from two compromised external Office 365 accounts were observed, targeting various organizations. These accounts were employed to deceive Microsoft Teams users into downloading and launching a ZIP file titled "Alterations to the holiday calendar."

Several malicious Telegram clones for Android on Google Play were installed over 60,000 times, infecting people with spyware that steals user messages, contacts lists, and other data. The apps appear to be tailored for Chinese-speaking users and the Uighur ethnic minority, suggesting possible ties to the well-documented state monitoring and repression mechanisms. The apps were discovered by Kaspersky, who reported them to Google.

The Ragnar Locker ransomware gang has claimed responsibility for an attack on Israel's Mayanei Hayeshua hospital, threatening to leak 1 TB of data allegedly stolen during the cyberattack. The cyberattack on Mayanei Hayeshua occurred in early August, disrupting the hospital's record-keeping system and preventing new patients from receiving care.

Sri Lanka's government cloud system, Lanka Government Cloud (LGC), has fallen victim to a massive ransomware attack that began on August 26, 2023. The attack resulted in the encryption of LGC services and backup systems, affecting approximately 5,000 email addresses using the "gov[dot]lk" domain, including those of the Cabinet Office.

The United States, in coordination with the United Kingdom, sanctioned eleven more individuals who are members of the Russia-based Trickbot cybercrime group. The sanctions were provided by the U.S. Department of the Treasury’s Office of Foreign Assets Control. The sanctioned TrickBot members worked as administrators, managers, developers, and coders, who have materially supported the operations of the group. The group has been tied to Russian intelligence services and has targeted the U.S. government, companies and hospitals.

A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called Atomic Stealer (or AMOS), indicating that it's being actively maintained by its author. An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer first came to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering features were detected in the wild, targeting gamers and cryptocurrency users.

Yesterday, Apple issued emergency security updates to address two zero-day flaws that were exploited in attacks targeting iPhone and Mac users. The vulnerabilities are being tracked as CVE-2023-41064 (discovered by Citizen Lab security researchers) and CVE-2023-41061 (discovered by Apple) and were found in the Image I/O and Wallet frameworks. CVE-2023-41064 relates to a validation issue in Wallet which can be exploite

Attackers operating from IP addresses in France, Luxembourg, and Germany have been utilizing the legitimate Windows tool, Advanced Installer, to create software packages that deliver cryptocurrency mining malware onto computers in various sectors. The malware payloads, as reported by Cisco Talos researchers on September 7, include the M3_Mini_RAT client stub. This remote access trojan enables the attackers to establish backdoors, download, and execute additional threats, including PhoenixMiner for Ethereum cryptocurrency mining and IOIMiner, a multi-coin mining threat.

A variant of the Mirai malware botnet has been observed infecting affordable Android TV set-top boxes that are widely used for media streaming by millions of users. Dr. Web's antivirus team reports that this trojan represents a fresh iteration of the 'Pandora' backdoor, initially seen in 2015. The primary focus of this campaign is on economical Android TV boxes such as the Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3.

Cisco has addressed multiple security vulnerabilities, including a critical bug (CVE-2023-20238), which could be exploited by remote attackers to gain control of affected systems or cause a denial-of-service (DoS) condition. The most severe vulnerability allows an attacker to bypass authentication, potentially leading to unauthorized access and misuse of the system.

State-backed hacking groups have breached a U.S. aeronautical organization using exploits targeting critical Zoho and Fortinet vulnerabilities, a joint advisory published by CISA, the FBI, and the United States Cyber Command (USCYBERCOM) revealed on Thursday.

As part of the September 2023 Android security updates, Google addressed 33 vulnerabilities, including a high-severity zero-day that is actively being exploited in the wild. Tracked as CVE-2023-35674, the zero-day flaw impacts the Android Framework and could allow threat actors to escalate privileges on vulnerable devices without requiring user interaction or additional execution privileges

The USA and the United Kingdom have sanctioned eleven Russian nationals associated with the TrickBot and Conti ransomware cybercrime operations. The TrickBot malware operation launched in 2015 and focused on stealing banking credentials. However, over time, it developed into a modular malware that provided initial access to corporate networks for other cybercrime operations, such as Ryuk and, later, Conti ransomware operations.

China has developed a new capability using artificial intelligence to automatically generate images for influence operations in the United States and other democracies. These images aim to mimic U.S. voters across the political spectrum and create controversy along racial, economic, and ideological lines. Microsoft's Threat Analysis Center (MTAC) has observed China-affiliated actors using AI-generated visual media in campaigns that focus on politically divisive topics and denigrate U.S. political figures and symbols.

In July, Microsoft announced it had mitigated an attack conducted by a China-linked threat actor, tracked as Storm-0558, which targeted customer emails. Storm-0558 threat actors focus on government agencies in Western Europe and were observed conducting cyberespionage, data theft, and credential access attacks.

Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes. ‘It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol,’ Morphisec said in a new detailed technical write-up shared with The Hacker News.

An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic. ‘New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments,’ Elastic Security Labs researchers Salim Bitam and Daniel Stepanic said in a technical report published late last month.

An entity identified as W3LL created a phishing toolkit capable of evading multi-factor authentication and employed various tools to compromise over 8,000 corporate Microsoft 365 accounts. Over the course of ten months, security experts detected the utilization of W3LL's resources and infrastructure in the establishment of approximately 850 phishing campaigns, targeting login credentials for more than 56,000 Microsoft 365 accounts.

The "Smishing Triad" cybercriminal group, believed to be Chinese-speaking, has been targeting individuals worldwide through a package tracking text scam sent via iMessage. Impersonating various postal services and government agencies, including the Royal Mail, New Zealand Postal Service, Correos, Postnord, Poste Italiane, and the Italian Revenue Service, the group aims to collect personal and payment information for identity theft and credit card fraud.

The government computer emergency response team of Ukraine, CERT-UA, recorded a targeted cyber attack against a critical energy infrastructure facility in Ukraine. To implement the malicious plan, an e-mail message with a fake sender address and a link to an archive, for example, "photo.zip", was distributed. Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file "weblinks.cmd" to the victim's computer.

A new open source tool designed to emulate cyber-attacks against operational technology (OT) has been released by MITRE and the US Cybersecurity and Infrastructure Security Agency (CISA). The MITRE Calder for OT is now publicly available as an extension to the open-source Caldera platform on GitHub.

Summoning Team’s Sina Kheirkhah recently published a proof-of-concept exploit code for a critical SSH authentication bypass vulnerability in VMware’s Aria Operations for Networks analysis tool. Tracked as CVE-2023-34039, the vulnerability can be exploited by remote attackers to bypass SSH authentication on unpatched appliances and access the tool’s command line interface.

The German Federal Financial Supervisory Authority (BaFin) announced today that an ongoing distributed denial-of-service (DDoS) attack has been impacting its website since Friday. BaFin is Germany’s financial regulatory authority, part of the Federal Ministry of Finance, responsible for supervising 2,700 banks, 800 financial, and 700 insurance service providers.

Two recent vulnerabilities in MinIO have been exploited by threat actors to breach object storage systems. This access allows the actors to view private information, execute arbitrary code, and potentially take over servers. MinIO is a open-source storage service that is compatible with various cloud containers including Amazon S3.

Researchers at Okta issued a warning regarding social engineering attacks directed at IT service desk agents serving U.S.-based clients. The aim of these attacks was to deceive these agents into resetting multi-factor authentication (MFA) for users with elevated privileges. The attackers' ultimate objective was to gain control of Okta Super Administrator accounts, which have extensive privileges. This access would enable them to exploit identity federation functionalities, permitting impersonation of users within the compromised organization.

North Korean state-sponsored hackers are behind the VMConnect campaign that uploaded to the PyPI (Python Package Index) repository malicious packages, one of them mimicking the VMware vSphere connector module vConnector. The packages were uploaded at the beginning of August, with one named VMConnect targeting IT professionals seeking virtualization tools.

Researchers found a vulnerability in the widely-used plugin, All-in-One WP Migration, employed for migrating WordPress sites, and having an active user base of 5 million. This vulnerability involves unauthorized manipulation of access tokens, potentially granting attackers access to sensitive site data. All-in-One WP Migration is a user-friendly tool tailored for WordPress site migration.

Researchers at ESET recently disclosed details of a new campaign where threat actors are using the Google Play Store and Samsung Galaxy Store to advertise malicious Android apps for Signal and Telegram, with the end goal of infecting unsuspecting users with BadBazaar spyware.

American entertainment giant Paramount Global disclosed a data breach after its systems got hacked and attackers gained access to personally identifiable information (PII). Paramount said in breach notification letters signed by Nickelodeon Animation Studio EVP Brian Keane sent to affected individuals that the attackers had access to its systems between May and June 2023.

Since March 2023 (and possibly even earlier), affiliates of the Akira and LockBit ransomware operators have been breaching organizations via Cisco ASA SSL VPN appliances, “In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we’ve observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups),” Rapid7 researchers said on Tuesday.

According to a new report from the National Security and Defense Council of Ukraine, the Russian Gamaredon group has intensified their cyber espionage activities ahead of and during Ukraine’s current counter-offensive operations.

Yesterday afternoon, the FBI announced the disruption of the Qakbot botnet. Through an international law enforcement operation, authorities were able to not only seize infrastructure used by operators, but were able to uninstall the malware from infected devices.

VMware recently rolled out security updates to fix two vulnerabilities impacting Aria Operations for Networks, which could enable actors to bypass authentication and execute code remotely.

A new malspam campaign has been observed deploying an off-the-shelf malware called DarkGate. ‘The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates,’ Telekom Security said in a report published last week.

ChatGPT and similar large language models (LLMs) have added further complexity to the ever-growing online threat landscape. Cybercriminals no longer need advanced coding skills to execute fraud and other damaging attacks against online businesses and customers, thanks to bots-as-a-service, residential proxies, CAPTCHA farms, and other easily accessible tools.

A vulnerability in Skype mobile apps can be exploited by attackers to discover a user’s IP address – a piece of information that may endanger individuals whose physical security depends on their general location remaining secret. The security vulnerability has been discovered by a security researcher named Yossi, who privately reported it to Microsoft and demonstrated its effective exploitation to journalist Joseph Cox.

The Spanish National Police has issued an alert about an active ransomware campaign known as 'LockBit Locker,' which is currently targeting architecture firms in the country using phishing emails. According to the translated police statement, a series of emails have been identified as being sent to architecture companies.

Researchers from ReliaQuest found that cybercriminals relied primarily on seven different malware loaders to carry out attacks in the first half of 2023. QakBot, SocGholish, and Raspberry Robin were the most commonly used loaders, accounting for roughly 80% of all intrusions. GootLoader, ChromeLoader, Guloader, and Ursnif were also commonly seen.

According to Sophos, an unknown threat actor believed to be linked to the FIN8 hacking group, has been exploiting a critical remote code execution flaw (CVE-2023-3519) to compromise unpatched Citrix NetScaler systems in domain-wide attacks.

Japan's computer emergency response team (JPCERT) is sharing a new 'MalDoc in PDF' attack detected in July 2023 that bypasses detection by embedding malicious Word files into PDFs. The file sampled by JPCERT is a polyglot recognized by most scanning engines and tools as a PDF, yet office applications can open it as a regular Word document (.doc). Polyglots are files that contain two distinct file formats that can be interpreted and executed as more than one file type, depending on the application reading/opening them.

Microsoft has detected a new hacking collective referred to as Flax Typhoon. This group focuses on government bodies, educational institutions, vital manufacturing units, and IT organizations, presumably with the aim of espionage. The attackers avoid heavy usage of malware for infiltrating and controlling victim networks. Instead, they opt for utilizing existing components within the operating system, often referred to as living-off-the-land binaries (LOLBins), along with legitimate software.

An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface. ‘The binary now includes support for Telnet scanning and support for more CPU architectures,’ Akamai security researcher Larry W. Cashdollar said in an analysis published this month. The latest iteration, observed since July 16, 2023, comes months after it emerged that the botnet is being offered as a DDoS-for-hire service to other threat actors.

The Rhysida ransomware group recently claimed responsibility for a cyberattack targeting Prospect Medical Holdings, a US healthcare company operating 16 hospitals in California, Connecticut, Pennsylvania, and Rhode Island and a network of 166 outpatient clinics and centers. The attack allegedly took place on August 3rd, with employees finding ransom notes on their systems stating that their network was hacked and devices had been encrypted. Due to the attack, the hospitals were forced to shut down their IT networks to mitigate the impact, causing employees to use paper charts.

Emsisoft released a report this week detailing the massive ransomware campaign carried out by the Cl0p ransomware group, which targeted the MOVEit Transfer file transfer platform. According to Emsisoft, “the attacks impacted approximately 1,000 Organizations and 60,144,069 individuals.

Poland's Internal Security Agency (ABW) and national police are investigating a hacking attack on the country's state railway network. The attack disrupted railway traffic overnight and triggered an emergency status that stopped trains near the city of Szczecin. The attack is suspected to be part of broader destabilization efforts by Russia, possibly in conjunction with Belarus.

Cybersecurity experts have revealed an intricate network of interconnected ransomware types that all stem from a shared origin: the Adhubllka ransomware group. Netenrich, a cybersecurity firm, conducted a study exploring the lineage of various ransomware versions, such as LOLKEK, BIT, OBZ, U2K, and TZW. The researchers discovered significant resemblances in code, tactics, and infrastructure among these apparently distinct ransomware types. By tracking the evolution of these variants, the experts established a genealogical link connecting them to the original Adhubllka ransomware, which emerged in January 2020.

A new financially motivated operation is leveraging a malicious Telegram bot to help threat actors scam their victims. Dubbed Telekopye, a portmanteau of Telegram and kopye (meaning "spear" in Russian), the toolkit functions as an automated means to create a phishing web page from a premade template and send the URL to potential victims, codenamed Mammoths by the criminals.

WordPress security company Patchstack discovered two critical vulnerabilities affecting Jupiter X Core, a premium visual editor plugin for setting up Wordpress and WooCommerce websites. The first flaw tracked as CVE-2023-38388, allows unauthenticated threat actors to upload files, which could lead to arbitrary code execution on the server.

Researchers from Secureworks Counter Threat Unit (CTU) have identified a new Wi-Fi scanning malware named Whiffy Recon, which has been dropped by the Smoke Loader botnet. This malicious code employs nearby Wi-Fi access points as reference points for Google's geolocation API to triangulate the positions of infected systems.

Ransomware threat actors are reducing the time they spend within compromised networks before being detected by security solutions. In the first half of this year, the median dwell time for these hackers decreased to five days from nine days in 2022. However, the overall median dwell time for all cyberattacks dropped to eight days from ten in 2022, indicating a general trend of quicker detection. Ransomware attacks constituted nearly 69% of all recorded cyberattacks during this period.

The FBI in the United States issued a cautionary notice regarding the potential efforts of threat actors associated with North Korea to convert pilfered cryptocurrency, totaling over $40 million in value. In a disclosure, the Federal Bureau of Investigation outlined the actions of six cryptocurrency wallets operated by entities connected to North Korea. These wallets possess approximately 1,580 Bitcoin, equivalent to around $41 million based on current valuations. Authorities suspect these funds are connected to the recent heist of a substantial sum of cryptocurrency, amounting to hundreds of millions of dollars.

A toolkit possibly developed by Russian individuals, known as Telekopye to security experts, aims to let fraudsters focus on refining their social engineering skills, freeing them from the technical aspects of online scams. Eset researchers uncovered a tool they named Telekopye, derived from the combination of "Telegram" and "kopye," the Russian word for spear.

Thousands of Openfire servers remain vulnerable to CVE-2023-32315, an actively exploited and path traversal vulnerability that allows an unauthenticated user to create new admin accounts. Openfire is a widely used Java-based open-source chat (XMPP) server downloaded 9 million times. On May 23, 2023, it was disclosed that the software was impacted by an authentication bypass issue that affected version 3.10.0, released in April 2015, until that point.

Danish hosting firms CloudNordic and AzeroCloud recently disclosed that they suffered from a ransomware attack, causing the firms to lose a majority of customer data and shut down all systems, including websites, emails, and customer sites. Since the attack took place last Friday, IT teams have only managed to restore some of the servers without any data, with CloudNordic stating that the restoration process isn’t going smoothly and that many of their customers’ data seems irrecoverable.

The Barracuda Email Security Gateway (ESG) vulnerability, identified as CVE-2023-2868, has been exploited by a Chinese state-sponsored cyberespionage group named UNC4841. This vulnerability affects Barracuda ESG versions 5.1.3.001 to 9.2.0.006, enabling attackers to perform command injections via specially crafted TAR file attachments in emails. Despite Barracuda's patch release in May 2023, the FBI has found that the patches are ineffective, and the vulnerability remains actively exploited.

The North Korean state-backed hacker group Lazarus has been exploiting a critical vulnerability (CVE-2022-47966) in Zoho's ManageEngine ServiceDesk software to compromise an internet backbone infrastructure provider and healthcare organizations. This campaign began in early 2023, targeting entities in the U.S. and U.K. The attackers employed the QuiteRAT malware and a newly identified remote access trojan (RAT) named CollectionRAT. The latter was discovered through the analysis of the group's infrastructure.

ESET researchers found the Spacecolon toolkit spreading Scarab ransomware across global organizations. It exploits weak web servers or RDP credentials for entry, with Turkish elements hinting at a Turkish-speaking developer. Spacecolon dates back to May 2020, with ongoing campaigns and a recent May 2023 build. ESET hasn’t linked it to any known group naming it “CosmicBeetle”.

The TP-Link Tapo L530E smart bulb and its corresponding mobile app are affected by four vulnerabilities, leaving users susceptible to hacking. Researchers from the University of Catania and the University of London have identified these vulnerabilities, which could potentially enable attackers to pilfer users' WiFi passwords.

There's mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal, and eventually encrypt data. Akira ransomware is a relatively new ransomware operation launched in March 2023, with the group later adding a Linux encryptor to target VMware ESXi virtual machines.

According to Group-IB a WInRaR zero-day vulnerability was actively exploited to install malware when clicking on harmless files in an archive, allowing hackers to breach online cryptocurrency trading accounts. Tracked as CVE-2023-38831, the vulnerability is triggered by creating specially crafted archives with a slightly modified structure compared to safe files, which causes WinRAR's ShellExecute function to receive an incorrect parameter when it attempts to open the decoy file.

The scraped data of 2.6 million DuoLingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks using the exposed information. Duolingo is one of the largest language learning sites in the world, with over 74 million monthly users worldwide. In January 2023, someone was selling the scraped data of 2.6 million DuoLingo users on the now-shutdown Breached hacking forum for $1,500. This data includes a mixture of public login and real names, and non-public information, including email addresses and internal information related to the DuoLingo service.

US based software company Ivanti has issued a warning to its customers about an ongoing exploitation of a critical Sentry API authentication bypass vulnerability. The vulnerability affects Ivanti Sentry, which serves as a gatekeeper for enterprise ActiveSync and Sharepoint servers, as well as a Kerberos Key Distribution Center Proxy server. The cybersecurity firm Mnemonic discovered the vulnerability (CVE-2023-38035), allowing unauthorized attackers to access sensitive admin portal configuration APIs through port 8443 used by Mobile Iron Configuration Service (MICS).

An undisclosed Advanced Persistent Threat (APT) hacking collective known as 'Carderbee' has been detected launching assaults on various institutions situated in Hong Kong and other parts of Asia. This group employs authentic software to infiltrate victims' machines with the PlugX malware. According to findings from Symantec, the legitimate software involved in this supply chain breach is Cobra DocGuard, designed by the Chinese developer 'EsafeNet.' This software is typically employed in security applications for tasks like data encryption and decryption.

CISA has added a critical flaw in Adobe ColdFusion to its catalog of actively exploited vulnerabilities. Tracked as CVE-2023-26359, the flaw relates to a deserialization bug residing in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier).

A legitimate-looking ad for Amazon in Google search results redirects visitors to a Microsoft Defender tech support scam that locks up their browser. Today, BleepingComputer was alerted to what appeared to be a valid advertisement for Amazon in the Google search results. The advertisement shows Amazon's legitimate URL, just like in the company's typical search result.

A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called ‘OfficeNote.’ ‘The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg, SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis.

The Cuba ransomware group has been observed launching attacks against critical infrastructure organizations in the US and IT firms in Latin America. They utilize a mix of both old and new tools. In early June 2023, Blackberry’s Threat Research and Intelligence Team identified this recent campaign. They have noted that Cuba now uses CVE-2023-27543 to extract credentials from configuration files.

The Kimsuky APT, believed to have ties to North Korea, initiated a spear-phishing effort directed at American contractors participating in a war simulation center. The South Korean police recently revealed this, clarifying that although the state-affiliated hackers did engage in the campaign, no sensitive information was compromised.

The threat actors behind the HiatusRAT malware have returned from their hiatus with a new wave of reconnaissance and targeting activity aimed at Taiwan-based organizations and a U.S. military procurement system. Besides recompiling malware samples for different architectures, the artifacts are said to have been hosted on new virtual private servers (VPSs), Lumen Black Lotus Labs said in a report published last week.

An international law enforcement operation led by Interpol has led to the arrest of 14 suspected cybercriminals in an operation codenamed 'Africa Cyber Surge II,' launched in April 2023. The four-month operation spanned 25 African countries and disrupted over 20,000 cybercrime networks engaged in extortion, phishing, BEC, and online scams, responsible for financial losses of over $40,000,000.

RARLAB recently fixed a high-severity vulnerability in WinRAR, a popular file archiver utility for Windows used by millions of users worldwide. Tracked as CVE-2023-40477, the flaw was discovered by security researcher “goodbyeselene” from Zero Day Initiative, who reported the bug to RARLab on June 8th, 2023.

Microsoft has identified a new variant of the BlackCat ransomware which incorporates the Impacket networking framework and the Remcom hacking tool. These tools facilitate the ransomware’s ability to propagate within a compromised network.

Since at least 2019, Mandiant has tracked threat actor interest in, and use of, AI capabilities to facilitate a variety of malicious activity. Based on our own observations and open source accounts, adoption of AI in intrusion operations remains limited and primarily related to social engineering.

The Cybernews research team delved into an often overlooked aspect of website security—HTTP security headers. These headers guide browsers in interacting with web pages, defending against cyber threats. They studied the top 100 sites, including Pinterest, IMDB, and Facebook. Results revealed many popular websites lacking crucial security measures, raising concerns for both site owners and users.

Google has announced plans to add a new feature in the upcoming version of its Chrome web browser to alert users when an extension they have installed has been removed from the Chrome Web Store. The feature, set for release alongside Chrome 117, allows users to be notified when an add-on has been unpublished by a developer, taken down for violating Chrome Web Store policy, or marked as malware.

A new "mass-spreading" social engineering campaign is targeting users of the Zimbra Collaboration email server with an aim to collect their login credentials for use in follow-on operations. The activity, active since April 2023 and still ongoing, targets a wide range of small and medium businesses and governmental entities, most of which are located in Poland, Ecuador, Mexico, Italy, and Russia.

The Monti ransomware gang has returned, after a two-month break from publishing victims on their data leak site, using a new Linux locker to target VMware ESXi servers, legal, and government organizations. Researchers at Trend Micro analyzing the new encryption tool from Monti found that it has ‘significant deviations from its other Linux-based predecessors.

CVE-2023-2868 is a critical command injection vulnerability in Barracuda Email Security Gateway (ESG), a platform used for email management and filtering malicious emails. Threat actors can exploit this vulnerability to compromise Barracuda ESG and access targets' email records and content.

Hudson Rock, a threat intelligence firm, uncovered cybercrime forum credentials on about 120,000 computers infected with various info-stealer malware. These compromised computers, spanning from 2018 to 2023, were largely owned by threat actors themselves. The analysis of over 14.5 million infected computers revealed hackers' identities through additional credentials, autofill data, and system info.

As part of a joint effort with Dutch Institute of Vulnerability Disclosure (DIVD), researchers at cybersecurity company Fox-IT (NCC Group) have uncovered a large-scale campaign that planted webshells on Citrix Netscaler servers vulnerable to CVE-2023-3519, a critical remote code execution flaw that was patched on July 18. By scanning the internet, they uncovered 2491 webshells across 1952 distinct NetScaler servers, which made up 6% of all Netscalers (31,127) vulnerable to CVE-2023-3519, on a global scale, as of July 21, 2023.

A phishing campaign was observed predominantly targeting a notable energy company in the US, employing QR codes to slip malicious emails into inboxes and bypass security. Roughly one-third (29%) of the 1,000 emails attributed to this campaign targeted a large US energy company, while the remaining attempts were made against firms in manufacturing (15%), insurance (9%), technology (7%), and financial services (6%). According to Cofense, who spotted this campaign, this is the first time that QR codes have been used at this scale, indicating that more phishing actors may be testing their effectiveness as an attack vector.

Linkedin is facing a surge of account breaches, leading to numerous accounts being either locked for security concerns or seized by malicious actors. According to a recent report from Cyberint, numerous LinkedIn users have expressed frustration over compromised accounts or access issues, with attempts to address these problems through LinkedIn support. Although, LinkedIn’s support response time has lengthened, no official statement has been made yet.

CISA recently added a critical flaw to its known catalog of actively exploited vulnerabilities. Tracked as CVE-2023-24489, the flaw relates to an improper access control bug in Citrix ShareFile storage zones controller and can be exploited by an unauthenticated threat actor to remotely compromise the controller.

Anonfiles, a popular service for sharing files anonymously, has shut down after saying it can no longer deal with the overwhelming abuse by its users. Anonfiles is an anonymous file-sharing site that allows people to share files anonymously without their activity being logged. However, it soon became one of the most popular file-sharing services used by threat actors to share samples of stolen data, stolen credentials, and copyrighted material. F

The Clorox Company, a prominent multinational consumer goods firm known for its household and professional cleaning, health, and personal care products, recently faced a cybersecurity breach that compelled them to take specific systems offline. Detecting unauthorized activity on their Information Technology (IT) systems, Clorox swiftly initiated measures to halt and rectify the situation, including offline system shutdowns, as stated in an 8-K filing.

The resurgence of the Raccoon Stealer malware is marked by the release of version 2.3.0 after a 6-month hiatus. Raccoon Stealer is a well-known information-stealing malware that has been active since 2019, offered to threat actors through a subscription model at $200 per month. The malware targets over 60 applications to collect sensitive data such as login credentials, credit card details, browsing history, cookies, and cryptocurrency wallets.

Researchers have discovered a widespread operation that distributed proxy server applications to over 400,000 Windows systems. These devices function as residential exit nodes without obtaining users’ permission, and a company is making money by charging for the proxy traffic that passes through these machines. Threat actors find residential proxies useful for carrying out extensive credential stuffing attacks using new IP addresses.

The Uptycs Threat Research team discovered the QwixxRAT (aka Telegram RAT) in early August 2023 while it was advertised through Telegram and Discord platforms. According to the experts, QwixxRAT is meticulously designed to steal a broad range of information, including data from browser histories, credit card details, screenshots, and keystrokes.

Multiple vulnerabilities have been discovered in data center power management systems and supply technologies, enabling unauthorized access and remote code injection by threat actors. These vulnerabilities can be exploited to gain full access to data center systems, perform remote code injection, and create backdoors, potentially compromising connected devices and the broader network. The vulnerabilities were found in CyberPower's PowerPanel Enterprise Data Center Infrastructure Management platform and Dataprobe's iBoot Power Distribution Unit.

The FBI has raised an alert about a new strategy employed by cybercriminals. They are now pushing harmful “beta” editions of cryptocurrency investment applications on widely used mobile app stores. These apps are subsequently exploited to pilfer cryptocurrency. The perpetrators introduce these harmful apps to the mobile app stores under the guise of “beta” versions.

E-commerce sites using Adobe's Magento 2 software are the target of an ongoing campaign that has been active since at least January 2023. The attacks, dubbed Xurum by Akamai, leverage a now-patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution. ‘The attacker seems to be interested in payment stats from the orders in the victim's Magento store placed in the past 10 days,’ Akamai researchers said in an analysis published last week, attributing the campaign to actors of Russian origin.

Researchers from New York University, New York University Abu Dhabi, and KU Leuven University have discovered several vulnerabilities affecting most VPN products that can be exploited by attackers to read user traffic, steal user information, or attack user devices. The attacks, known as TunnelCrack attacks, are independent of the VPN protocol being used and can reveal which websites a user is visiting, posing a significant privacy risk even if the user is using additional encryption such as HTTPS.

Researchers from UC Irvine and Tsinghua University have introduced a cache poisoning attack named 'MaginotDNS' that targets Conditional DNS (CDNS) resolvers, potentially compromising entire top-level domains (TLDs). This attack capitalizes on security inconsistencies in various DNS software and server modes, rendering around one-third of CDNS servers vulnerable.

Microsoft recently disclosed 15 high-severity vulnerabilities in CODESYS V3 software development kit (SDK), which is a software development environment widely used to program and engineer programmable logic controllers.

A cyberattack on MOVEit file-transfer servers since late May has affected over 637 organizations. German cybersecurity company KonBriefing reported this number. It includes groups directly hacked through their MOVEit servers and others connected to users of Progress Software's file-transfer tool. The Clop ransomware group, thought to be Russian, is behind the attacks. They've taken data with personal details of about 41 million people.

An unknown threat actor has been linked to a cyber attack on a power generation company in southern Africa with a new variant of the SystemBC malware called DroxiDat as a precursor to a suspected ransomware attack. ‘The proxy-capable backdoor was deployed alongside Cobalt Strike Beacons in a south African nation's critical infrastructure,’ Kurt Baumgartner, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT), said.

Researchers at Zscaler recently disclosed details of a new information-stealing malware dubbed Statc Stealer that has been observed infecting Windows devices. Written in the C++ programming language, Statc Stealer is capable of performing filename discrepancy checks to prevent sandbox detection and reverse engineering analysis by security professionals.

The U.S. government released a report after analyzing simple techniques, e.g. SIM swapping, used by the Lapsus$ extortion group to breach dozens of organizations with a strong security posture. Reviewing the group’s operations started in December last year following a long trail of incidents attributed to or claimed by Lapsus$ after leaking proprietary data from alleged victims.

The newly surfaced Rhysida ransomware faction has swiftly become a concerning addition to the growing threat landscape. Its involvement in a series of impactful assaults since its emergence in May of this year has been linked to the well-known Vice Society ransomware group, which has been operating since 2021. Among the entities targeted by Rhysida are the Chilean Army and Prospect Medical Holdings. In a recent incident, the group’s attack had a far reaching impact, affecting 17 hospitals and 166 clinics across the United States.

This week, the Missouri Department of Social Services (DSS) disclosed that Medicaid healthcare information was potentially exposed after IBM suffered a data breach. The attack was carried out by the Clop ransomware gang, which has been hacking vulnerable MOVEit Transfer servers worldwide by exploiting a SQL injection vulnerability (CVE-2023-34362) in the file transfer solution.

The Government Computer Emergency Response Team of Ukraine (CERT-UA) recently published an advisory warning against attacks targeting state organizations using Merlin, an open-source post-exploitation and command and control framework. Merlin was developed in the Go programming language and is available for free on GitHub.

The US National Institute of Standards and Technology (NIST) has released a new draft version of its popular best practice security framework, designed to expand its scope and provide more guidance on implementation. The NIST Cybersecurity Framework (CSF) 2.0 is the first refresh since it was launched in 2014. It is designed to help organizations “understand, reduce and communicate about cybersecurity risk,” the standards body said.

EvilProxy has emerged as a widely used phishing platform for attacking MFA-secured accounts. According to Proofpoint’s recent findings, over 120,000 phishing emails have been sent to more than a hundred organizations in an attempt to compromise Microsoft 365 accounts. Proofpoint’s research highlights a significant increase in successful cloud account takeovers, especially affecting top-level executives, over the last five months.

The U.K. Electoral Commission on Tuesday disclosed a "complex" cyber attack on its systems that went undetected for over a year, allowing the threat actors to access years worth of voter data belonging to 40 million people. ‘The incident was identified in October 2022 after suspicious activity was detected on our systems," the regulator said.

As part of the August Patch Tuesday, Microsoft patched 87 flaws, two of which were actively exploited zero-days. In total, the tech giant released fixes for 18 Elevation of Privilege vulnerabilities, 3 Security Feature Bypass vulnerabilities, 23 Remote Code Execution vulnerabilities, 10 Information Disclosure vulnerabilities, 8 Denial of Service vulnerabilities, and 12 Spoofing vulnerabilities.

A phishing-as-a-service (PaaS) platform which may have been responsible for over 150,000 phishing domains has been taken offline after an Interpol-led operation, the policing group said. Interpol teamed up with investigators in Indonesia, Japan and the US and industry partners the Cyber Defense Institute, Group-IB, Palo Alto Networks Unit 42, Trend Micro and Cybertoolbelt to make the arrests.

The LockBit ransomware group has claimed responsibility for hacking Varian Medical Systems, a healthcare company that designs and manufactures medical devices and software for cancer treatment. The group threatens to leak medical data belonging to cancer patients. Varian Medical Systems operates globally and is owned by Siemens Healthineers, generating significant revenue.

The Google Play store was infiltrated by 43 Android applications with 2.5 million installs that secretly displayed advertisements while a phone's screen was off, running down a device's battery. McAfee's Mobile Research Team discovered the malicious Android apps and reported them to Google as they violated Google Play Store's policies.

An unknown threat actor is using a variant of the Yashma ransomware to target various entities in English-speaking countries, Bulgaria, China, and Vietnam at least since June 4, 2023. Cisco Talos, in a new write-up, attributed the operation with moderate confidence to an adversary of likely Vietnamese origin.

The cyberattack on the IT systems and email server of NPO Mashinostroyeniya, a Russian organization specializing in space rocket design and intercontinental ballistic missile engineering, has been attributed to the North Korean state sponsored hacking group ScarCruft. This group has a history of engaging in cyber activities with links to various targets.

Horizon3 researchers recently disclosed a new high-severity vulnerability in PaperCut print management software for Windows that could result in remote code execution in certain configurations. Tracked as CVE-2023-39143, the flaw impacts PaperCut NG/MF prior to version 22.1.3. A successful exploit of CVE-2023-39143 could potentially allow unauthenticated attackers to read, delete, and upload arbitrary files to the PaperCut MF/NG application server.

The Colorado Department of Higher Education (CDHE) discloses a massive data breach impacting students, past students, and teachers after suffering a ransomware attack in June. In a 'Notice of Data Incident' published on the CDHE website, the Department says they suffered a ransomware attack on June 19th, 2023. When ransomware gangs breach an organization, they quietly spread through a network while stealing sensitive data and files from computers and servers.

The Clop ransomware gang has changed their extortion approach once more, now employing torrents to release the data they stole during MOVEit attacks. The ransomware gang started extorting victims on June 14 by gradually adding names to their Tor data leak site and eventually making the files public. However, the slow download speed on Tor sites limited the potential damage.

A leading Spanish research institute has become the latest organization in the country to come under cyber-attack from Russia, after a weeks-long DDoS campaign that appears to be geopolitically motivated. Local reports claimed that prolific hacktivist group NoName057 is responsible for the DDoS blitz, which impacted at least 72 websites between July 19 and 30.

A team of researchers from British universities has developed a deep learning model called 'CoAtNet' that can perform acoustic attacks by stealing data from keyboard keystrokes recorded using a microphone. The model achieved an alarming accuracy of 95% in predicting the keystrokes, showcasing the potential danger of sound-based side-channel attacks. The study reveals that even when using platforms like Zoom for training, the prediction accuracy only dropped slightly to 93%, which is still a significant threat.

Malware-related cyber-threats in operational technology (OT) and Internet of Things (IoT) environments jumped tenfold year-on-year in the first six months of 2023, according to Nozomi Networks. In their latest “OT & IoT Security Report” the researchers shared ICS vulnerabilities, data from IoT honeypots and attack statistics from OT environments. “Specific to malware, denial-of-service (DoS) activity remains one of the most prevalent attacks against OT systems,” the vendor explained in a blog post announcing the report.

Chinese state-sponsored hackers have been targeting industrial organizations with new malware that can steal data from air-gapped systems. Air-gapped systems typically fulfill critical roles and are isolated from the enterprise network and the public internet either physically or through software and network devices. Researchers at cybersecurity company Kaspersky discovered the new malware and attributed it to the cyber-espionage group APT31, a.k.a. Zirconium.

The number of ransomware attacks targeting industrial organizations and infrastructure has doubled since the second quarter of 2022, according to data from industrial cybersecurity firm Dragos. In a report analyzing data from the second quarter of 2023, Dragos said it saw 253 ransomware incidents, up 18% from the first quarter of 2023, when it observed 214 attacks.

Hackers are using a fake Android app named 'SafeChat' to infect devices with spyware malware that steals call logs, texts, and GPS locations from phones. The Android spyware is suspected to be a variant of "Coverlm," which steals data from communication apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger. CYFIRMA researchers say the Indian APT hacking group 'Bahamut' is behind the campaign, with their latest attacks conducted mainly through spear phishing messages on WhatsApp that send the malicious payloads directly to the victim.

In July, researchers from Palo Alto Networks Unit 42 discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers on Linux and Windows systems. P2PInfect is written in Rust and exploits the CVE-2022-0543 vulnerability to gain initial access. It establishes P2P communication to the network and has been found on over 307,000 unique public Redis systems in the past two weeks, with 934 possibly vulnerable. The worm's goal and the threat actors behind it remain unclear.

In the wake of WormGPT, a ChatGPT clone trained on malware-focused data, a new generative artificial intelligence hacking tool called FraudGPT has emerged, and at least another one is under development that is allegedly based on Google's AI experiment, Bard. Both AI-powered bots are the work of the same individual, who appears to be deep in the game of providing chatbots trained specifically for malicious purposes ranging from phishing and social engineering, to exploiting vulnerabilities and creating malware.

Canon is warning users of home, office, and large format inkjet printers that their Wi-Fi connection settings stored in the devices' memories are not wiped, as they should, during initialization, allowing others to gain access to the data.

Citrix ShareFile is a widely used cloud-based file-sharing application, which is affected by the critical remote code execution (RCE) tracked as CVE-2023-24489 (CVSS score of 9.1). The flaw impacts the customer-managed ShareFile storage zones controller, an unauthenticated, remote attacker can trigger the flaw to compromise the controller by uploading arbitrary file or executing arbitrary code.

In May, Network and email security firm Barracuda disclosed that a recently patched remote command injection zero-day vulnerability had been exploited since October 2022 to gain access to a subset of its Email Security Gateway appliances. The flaw tracked as CVE-2023-2868, was further exploited to deploy previously unknown malware dubbed Saltwater and SeaSpy as well as a malicious tool called SeaSide to establish reverse shells for easy remote access. In light of the attacks, Barracuda offered replacement devices to all affected customers at no charge.

The Abyss Locker operation is the latest to develop a Linux encryptor to target VMware's ESXi virtual machines platform in attacks on the enterprise. As the enterprise shifts from individual servers to virtual machines for better resource management, performance, and disaster recovery, ransomware gangs create encryptors focused on targeting the platform.

In early July, researchers from Lumen Black Lotus Labs discovered the AVRecon botnet, which targeted small office/home office (SOHO) routers and infected over 70,000 devices across 20 countries. The threat actors behind the campaign aimed to build a botnet for various criminal activities, including password spraying and digital advertising fraud.

Microsoft fixed a known issue impacting WSUS (Windows Server Update Services) servers upgraded to Windows Server 2022, causing them not to push Windows 11 22H2 updates to enterprise endpoints. While the updates would successfully download to the WSUS server, they failed to propagate further to client devices. The root cause stems from the accidental removal of .msu and .wim MIME types during the upgrade process to Windows Server 2022.

The Russian nation-state actor known as BlueBravo has been observed targeting diplomatic entities throughout Eastern Europe with the goal of delivering a new backdoor called GraphicalProton, exemplifying the continuous evolution of the threat. The phishing campaign is characterized by the use of legitimate internet services (LIS) for command-and-control (C2) obfuscation, Recorded Future said in a new report published Thursday.

Zimbra recently addressed a zero-day vulnerability that was exploited in attacks targeting Zimbra Collaboration Suite email servers. Tracked as CVE-2023-38750, the flaw relates to a case of reflected Cross-Site Scripting impacting Zimbra Collaboration Suite Version 8.8.15, which could enable threat actors to steal sensitive information or execute arbitrary code on vulnerable systems. The flaw was uncovered by security researcher Clément Lecigne of Google Threat Analysis Group and was initially disclosed to the public two weeks ago.

Multiple critical vulnerabilities have been detected in Ninja Forms. a widely used WordPress forms builder plugin with more than 900,000 active installations. The plugin, created by Saturday Drive, enables users to generate a wide range of forms such as contact forms, event registration, file uploads, and payments. Security researchers from Patchstack published a new advisory revealing the presence of the first vulnerability which is a reflected cross site scripting flaw based on POST requests.

While consumers are usually the ones worried about their information being exposed in data breaches, it's now the hacker's turn, as the notorious Breached cybercrime forum's database is up for sale and member data has been shared with Have I Been Pwned. Yesterday, the Have I Been Pwned data breach notification service announced that visitors can check if their information was exposed in a data breach of the Breached cybercrime forum.

The Australian and US governments have issued a joint advisory about the growing cyber-threats to web applications and application programming interfaces (APIs). The guidance, Preventing Web Application Access Control Abuse was released by the Australian Cyber Security Centre (ACSC), US Cybersecurity and Infrastructure Security Agency (CISA), and US National Security Agency (NSA) on July 27, 2023/

The incidence of vendor email compromise attacks has surged, as recent data reveals a significant uptick in these cyber threats. A new report released yesterday by Abonormal Security, a cybersecurity firm, highlight the growing risk posed by VEC attacks, which are a variant of business email compromise.

A new 'Nitrogen' initial access malware campaign uses Google and Bing search ads to promote fake software sites that infect unsuspecting users with Cobalt Strike and ransomware payloads. The goal of the Nitrogen malware is to provide the threat actors initial access to corporate networks, allowing them to conduct data-theft, cyberespionage, and ultimately deploying the BlackCat/ALPHV ransomware.

NATO has confirmed that its IT team is investigating claims about an alleged data-theft hack on the Communities of Interest (COI) Cooperation Portal by a hacking group known as SiegedSec. The COI Cooperation Portal (dnbl.ncia.nato.int) is the military alliance's unclassified information-sharing and collaboration environment, dedicated to supporting NATO organizations and member nations. Yesterday, the hacking group 'SiegedSec' posted on Telegram what they claimed to be hundreds of documents stolen from the COI Cooperation Portal.

Generative AI models are becoming very attractive for crooks, Netenrich researchers recently spotted a new platform dubbed FraudGPT which is advertised on multiple marketplaces and the Telegram Channel since July 22, 2023. According to Netenrich, this generative AI bot was trained for offensive purposes, such as creating spear phishing emails, conducting BEC attacks, cracking tools, and carding.

Microsoft announced a new Defender for IoT feature that will allow analyzing the firmware of embedded Linux devices like routers for security vulnerabilities and common weaknesses. Dubbed Firmware Analysis and now available in Public Preview, the new capability can detect a wide range of weaknesses, from hardcoded user accounts and outdated or vulnerable open-source packages to the use of a manufacturer's private cryptographic signing key.

ALPHV ransomware gang, aka BlackCat, is now providing an API for their leak site to increase visibility for their attacks. Earlier this week, several researchers spotted a new page within the BlackCat leak site with instructions for using their API to collect timely updates about new victims. APIs, or Application Programming Interfaces, are typically used to enable communication between two software components based on agreed definitions and protocols .

VMware recently fixed an information disclosure bug impacting its VMware Tanzu Application service for VMs (TAS for VMs) and Isolation Segment. “TAS for VMs helps enterprises automate the deployment of applications across on-premises or public and private clouds (e.g., vSphere, AWS, Azure, GCP, OpenStack). Tracked as CVE-2023-20891, the issue seems to be caused by credentials being logged and exposed via system audit logs.

Security experts have discovered numerous vulnerabilities in a widely employed radio communication system, which is extensively used by law enforcement and critical infrastructure for transmitting data. These vulnerabilities could potentially enable remote decryption of cryptographically protected communications. Five vulnerabilities in Terrestrial Trunked Radio, a European radio communication standard have been identified by researchers from the Dutch security firm Midnight Blue.

A critical severity 'Super Admin' privilege elevation flaw puts over 900,000 MikroTik RouterOS routers at risk, potentially enabling attackers to take full control over a device and remain undetected. The flaw, CVE-2023-30799, allows remote attackers with an existing admin account to elevate their privileges to "super-admin" via the device's Winbox or HTTP interface.

The analysis of nearly 20 million information-stealing malware logs sold on the dark web and Telegram channels revealed that they had achieved significant infiltration into business environments. Information stealers are malware that steals data stored in applications such as web browsers, email clients, instant messengers, cryptocurrency wallets, FTP clients, and gaming services. The stolen information is packaged into archives called 'logs,' which are then uploaded back to the threat actor for use in attacks or sold on cybercrime marketplaces.

The Biden-Harris Administration has taken a new step towards ensuring the responsible development of artificial intelligence (AI) technology by securing voluntary commitments from leading AI companies. As part of the new initiative, Amazon, Anthropic, Google, Inflection, Meta, Microsoft and OpenAI have pledged to prioritize safety, security and trust in their AI systems.

Apple has released security updates to address a zero-day vulnerability that was exploited in attacks targeting iPhones, Macs, iPads. Tracked as CVE-2023-38606, the flaw relates to a shortcoming in the kernel that could allow a malicious application to potentially modify sensitive kernel states.

The Norwegian National Security Authority (NSM) has confirmed that attackers used a zero-day vulnerability in Ivanti's Endpoint Manager Mobile (EPMM) solution to breach a software platform used by 12 ministries in the country. The Norwegian Security and Service Organization (DSS) said on Monday that the cyberattack did not affect Norway's Prime Minister's Office, the Ministry of Defense, the Ministry of Justice, and the Ministry of Foreign Affairs.

The Lazarus hacking group, sponsored by the North Korean state, is currently involved in breaching Windows Internet Information Service (IIS) web servers with the intention of taking control of these servers for distributing malware. IIS is a web server solution developed by Microsoft, commonly used to host websites or application services, including Microsoft Exchange’s Outlook on the web.

The Clop ransomware group is emulating the tactics of the ALPHV ransomware gang by constructing dedicated internet accessible websites for individual victims. “To overcome these obstacles, last year, the ALPHV ransomware operation, also known as BlackCat, introduced a new extortion tactic of creating clearweb websites to leak stolen data that were promoted as a way for employees to check if their data was leaked.

According to researchers at Avast, a new variant of AsyncRAT is being distributed via free, pirated versions of popular software and utilities such as video games, image and sound editing software, and Microsoft Office. Dubbed HotRat, the remote access trojan has been seen in the wild since October 2022, with majority of the infections being located in Thailand, Guyana, Libya, Suriname, Mali, Pakistan, Cambodia, South Africa, and India. The attack chain disclosed by Avast entails bundling cracked software available online via torrent sites with a malicious AutoHotKey (AHK script).

Qualys Threat Research Unit recently uncovered a remote code execution vulnerability impacting OpenSSH’s forwarded ssh-agent, a background program that maintains users' keys in memory and facilitates remote logins to a server without having to enter their passphrase again. Tracked as CVE-2023-38408, the vulnerability impacts OpenSSH before 9.3p2 and can be exploited to execute arbitrary commands on vulnerable OpenSSH’s forwarded ssh-agent. A successful exploit requires certain libraries to be present on the victim system and that the SSH authentication agent is forwarded to an attacker-controlled system.

In the first half of 2023, Checkmarx researchers detected multiple open-source software supply chain attacks aimed at the banking sector. These attacks targeted specific components in web assets used by banks, according to the experts the attackers used advanced techniques. A threat actor leverage the NPM platform to upload malicious packages that included malicious objects upon installation.

Recently, American Megatrends International, a hardware and software company, identified two critical severity vulnerabilities in their MegaRAC Baseboard Management Controller software. The MegaRac BMC software is designed to offer administrators “out of band” and “lights out” remote system management capabilities. This functionality allows administrators to troubleshoot servers as if they were physically present in front of the devices, even when operating remotely.

VirusTotal apologized on Friday for leaking the information of over 5,600 customers after an employee mistakenly uploaded a CSV file containing their info to the platform last month. The data leak impacted only Premium account customers, with the uploaded file containing their names and corporate email addresses. Emiliano Martines, the online malware scanning service's head of product management, also assured impacted customers that the incident was caused by human error and was not the result of a cyber-attack or any vulnerability with VirusTotal.

Researchers at FortiGuard Labs have observed several distributed denial-of-service botnets exploiting a critical flaw in Zyxel devices to gain remote control of vulnerable systems. Tracked as CVE-2023-28771, the vulnerability is related to a command injection bug affecting multiple firewall models that could enable an unauthorized actor to execute arbitrary code via specially crafted packets sent to the targeted appliance.

Researchers at Lookout released a report on July 19, 2023, revealing that the Chinese espionage group APT41 is associated with the advanced Android surveillanceware known as WyrmSpy and DragonEgg. The report emphasized APT41’s well documented past of conducting espionage and seeking financial advantages by targeting government institutions and private companies.

A new .NET-based backdoor dubbed DeliveryCheck (aka CAPIBAR or GAMEDAY) was observed targeting the defense sector in Ukraine and Eastern Europe, capable of delivering next-stage payloads.

Adobe recently published an emergency ColdFusion security update that addressed several vulnerabilities, including a new zero-day that was exploited in attacks in the wild. The zero-day tracked as CVE-2023-38205 is being described as an instance of improper access control that could result in a security bypass. Two other flaws were addressed, one of which was rated critical in severity while the other was rated medium in severity.

Palo Alto Networks Unit 42 researchers have discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers running on both Linux and Windows systems. The capability to target Redis servers running on both Linux and Windows operating systems makes P2PInfect more scalable and potent than other worms.

US-based enterprise software company JumpCloud was breached by North Korean Lazarus Group hackers, according to security researchers at SentinelOne and CrowdStrike. In a report published on Thursday, SentinelOne Senior Threat Researcher Tom Hegel linked the North Korean threat group to the JumpCloud hack based on multiple indicators of compromise shared by the company in a recent incident report.

Threats actors have extensively employed an advanced web-inject kit known as drlBAN to orchestrate fraudulent assaults on corporate banking institutions and their customers. As stated in a recent advisory from Cleafy security researchers, drlBAN was initially discovered in 2019. It utilizes customized JavaScript code to specifically target different entities within the corporate banking sector. Functioning as part of a Man-in-the-Browser attack, these web injects enable cyber criminals to manipulate the content of legitimate web pages in real time, circumventing the TLS protocol.

Ukraine’s Cyber Police Department has dismantled another massive bot farm linked to more than 100 individuals after researching nearly two dozen locations. The bots were allegedly used to promote Russian propaganda, justifying Russia’s invasion of Ukraine. The bots were also leveraged to spread illegal content and personal information and conduct other fraudulent activities.

Cybersecurity researcher MalwareHunterTeam recently uncovered a new ransomware as a service (RaaS) dubbed SophosEncrypt which is allegedly impersonating Sophos. MalwareHunterTeam Initially thought SophosEncrypt to be part of a red team exercise by Sophos, however, Sophos followed up on Twitter stating that they did not create the encryptor and are conducting an investigation. Taking a closer look at the sample uncovered by MalwareHunterTeam, the encryptor is written in the Rust programming language.