Current Active Threats
New OT Malware Possibly Related To Russian Emergency Response Exercises
Date: 2023-05-26

COSMICENERGY’s capabilities and overall attack strategy appear reminiscent of the 2016 INDUSTROYER incident, which issued IEC-104 ON/OFF commands to interact with RTUs and, according to one analysis, may have made use of an MSSQL server as a conduit system to access OT. Leveraging this access, an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption. COSMICENERGY accomplishes this via its two derivative components, which we track as PIEHOP and LIGHTWORK. PIEHOP is a disruption tool written in Python and packaged with PyInstaller that is capable of connecting to a user-supplied remote MSSQL server for uploading files and issuing remote commands to an RTU. PIEHOP utilizes LIGHTWORK to issue the IEC-104 commands "ON" or "OFF" to the remote system and then immediately deletes the executable after issuing the command.

Contact Us For Full Threat Report, Analyst Comments & Mitigation Steps

BlackByte Ransomware Claims City of Augusta Cyberattack
Date: 2023-05-26

The City of Augusta in Georgia, USA, has verified that the recent disruption to its IT system was a result of unauthorized intrusion into its network. While the administration has not revealed specific details about the nature of the cyberattack, the BlackByte ransomware group has publicly acknowledged the city of Augusta as one of its targeted victims.

Microsoft 365 Phishing Attacks Use Encrypted RPMSG Messages
Date: 2023-05-26

Attackers are now using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts to steal Microsoft credentials in targeted phishing attacks designed to evade detection by email security gateways. RPMSG files (also known as restricted permission message files) are encrypted email message attachments created using Microsoft's Rights Management Services (RMS) and offer an extra layer of protection to sensitive info by restricting access to authorized recipients. To access and read the encrypted contents of RPMSG attachments, recipients are required to either authenticate using their Microsoft account or acquire a one-time passcode for decryption.

New Buhti Ransomware Uses Leaked Payloads and Public Exploits
Date: 2023-05-26

A relatively new ransomware operation calling itself Buhti appears to be eschewing developing its own payload and is instead utilizing variants of the leaked LockBit and Babuk ransomware families to attack Windows and Linux systems. While the group doesn’t develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types. Buhti, which first came to public attention in February 2023, was initially reported to be attacking Linux computers. However, Symantec’s Threat Hunter Team has also uncovered attempts to attack Windows computers on compromised networks.

‘Operation Magalenha’ Targets Credentials of 30 Portuguese Banks
Date: 2023-05-26

A report from Sentinel Labs has revealed the details of this campaign, shedding light on the tools utilized by the threat actor, the different methods of infection employed, and the techniques employed to distribute their malware. The analyst obtained information regarding the origin and tactics of the threat actor through the discovery of a server misconfiguration that inadvertently exposed files, directories, internal correspondence, and other sensitive data.

North Korea-Linked Lazarus APT Targets Microsoft IIS Servers to Deploy Malware
Date: 2023-05-25

Researchers at AhnLab Security Emergency Response Center (ASEC) have revealed that the Lazarus APT Group, a cybercriminal organization associated with North Korea, has been focusing its attention on exploiting vulnerable Microsoft IIS servers. Through the use of DLL side-loading, the attackers deploy a malicious DLL file named msvcr100[.]dll, which is strategically placed in the same directory as a legitimate application called Wordconv[.]exe. By abusing the Windows IIS web server process, the attackers get the malicious library executed and use it to carry out their nefarious activities.

Chinese Hackers Breach US Critical Infrastructure in Stealthy Attacks
Date: 2023-05-25

This advisory highlights the recent state-sponsored cyber activity by the People's Republic of China (PRC) and provides crucial information for network defenders to identify and mitigate this activity. The advisory focuses on network and host artifacts, particularly command lines used by the cyber actor, and includes indicators of compromise (IOCs) for reference. However, defenders should exercise caution and evaluate matches to determine their significance, considering the possibility of false positive indicators resulting from benign activity.

New PowerExchange Malware Backdoors Microsoft Exchange Servers
Date: 2023-05-25

FortiEDR research lab has identified a targeted attack against a government entity in the United Arab Emirates, involving a custom PowerShell-based backdoor called PowerExchange. The backdoor utilizes the victim's Microsoft Exchange server as its command and control (C2) server, operating through an email-based C2 protocol. The investigation revealed multiple implants and a unique web shell named ExchangeLeech, capable of credential harvesting. The indicators point to an Iranian threat actor as the perpetrator of these attacks. The attack chain starts with email phishing and the execution of a malicious .NET executable. The backdoor establishes communication with the Exchange server, sends and receives commands through mailboxes, and executes malicious payloads.

North Korean APT Group Kimsuky Shifting Attack Tactics
Date: 2023-05-25

North Korean hackers belonging to the Kimsuky group are employing custom-built malware to carry out information exfiltration campaigns against organizations supporting human rights activists and North Korean defectors. The cybersecurity firm SentinelOne discovered a new variant of the RandomQuery malware, which is commonly used by the Pyongyang threat actor. Kimsuky specializes in targeting think tanks and journalists. The distribution of the malware is facilitated through compiled HTML files, a tactic frequently utilized by North Korean hackers. The objective of this particular campaign is file enumeration and information exfiltration: the variation of RandomQuery in this campaign has the "single objective of file enumeration and information exfiltration," in contrast to recently observed North Korean use of the malware to support a wider array of functions such as keylogging and the execution of additional malware.

GoldenJackal State Hackers Silently Attacking Govts Since 2019
Date: 2023-05-24

Kaspersky recently disclosed the activities of a lesser-known advanced persistent threat group called GoldenJackal. This group has been engaged in espionage against government and diplomatic organizations in Asia since 2019. To maintain a covert presence, the threat actors have been cautious in their operations. They carefully choose their targets and limit the frequency of their attacks, aiming to minimize the risk of detection. Kaspersky, which has been monitoring GoldenJackal since 2020, has revealed that the group is active in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey.

SuperMailer Abuse Bypasses Email Security for Super-Sized Credential Theft
Date: 2023-05-24

A large-scale operation focused on harvesting credentials has emerged, utilizing a legitimate email newsletter program called SuperMailer to distribute a substantial volume of phishing emails. The intention behind this campaign is to bypass secure email gateway protections. Recent findings from Cofense, as of May 23, reveal that SuperMailer-generated emails account for a significant portion of all credential phishing attempts, constituting approximately 5% of the firm's telemetry for May.

IT Employee Piggybacked on Cyberattack for Personal Gain
Date: 2023-05-24

A former IT employee of an Oxford-based company has been convicted of blackmailing his employer and unauthorized access to a computer for personal gain. After a cyber security incident at the company, the employee took advantage of the breach by accessing a board member's private emails, altering the original blackmail email, and changing the payment address.

State-Aligned Actors Targeting SMBs Globally
Date: 2023-05-24

Proofpoint researchers have discovered that advanced persistent threat (APT) actors are increasingly targeting small and medium-sized businesses (SMBs), governments, militaries, and major corporations through compromised SMB infrastructure in phishing campaigns. These threat actors are also launching financially motivated attacks against SMB financial services firms and carrying out supply chain attacks affecting SMBs. Proofpoint emphasizes the tangible risk that APT actors pose to SMBs today through the compromise of their infrastructure.

Barracuda Warns of Email Gateways Breached via Zero-Day Flaw
Date: 2023-05-24

Barracuda, a company specializing in email and network security solutions, informed its customers that some of their Email Security Gateway (ESG) appliances were breached due to a recently patched zero-day vulnerability. The vulnerability was discovered on May 19 and was promptly addressed with security patches on May 20 and 21. Barracuda confirmed unauthorized access to a subset of ESG appliances but assured customers that its other products were unaffected. Impacted organizations were notified, and Barracuda advised them to review their environments for any potential spread of the threat actors to other devices on the network. Details regarding the number of affected customers and potential data impact were not provided.

A Deeper Insight Into the CloudWizard APT’s Activity Revealed a Long-Running Activity
Date: 2023-05-23

Researchers warn of a threat actor known as CloudWizard APT, which is actively targeting organizations operating in the Russo-Ukraine conflict region. In March 2023, Kaspersky researchers discovered the new APT group, referred to as Bad Magic or Red Stinger, engaging in cyber attacks against entities in the same area. The attackers utilized PowerMagic and CommonMagic implants in their operations. During their investigation, the researchers discovered another set of highly advanced malicious activities linked to the same threat actor, demonstrating even greater sophistication.

Food Distributor Sysco Says Cyberattack Exposed 126,000 Individuals
Date: 2023-05-23

“A multinational company headquartered in Houston, Texas, Sysco is one of the largest distributors of food products, kitchen equipment, smallware, and tabletop products to restaurants, lodging establishments, healthcare and education organizations, and other entities” (Security Week, 2023). The company initially disclosed the incident in early May, in a Form 10-Q filing with the US Securities and Exchange Commission (SEC), when it revealed that the data breach was identified on March 5, 2023, but said that the attackers likely had unauthorized access to its systems starting January 14, 2023.

BatLoader Campaign Impersonates ChatGPT and Midjourney to Deliver Redline Stealer
Date: 2023-05-23

“In early May, researchers at eSentire Threat Response Unit (TRU) spotted an ongoing BatLoader campaign using Google Search Ads to redirect victims to imposter web pages for AI-based services like ChatGPT and Midjourney” (Info Security Magazine, 2023). Threat actors are using BatLoader in the form of an MSIX Windows App Installer file to deliver Redline Stealer.

BatLoader Campaign Impersonates ChatGPT and Midjourney to Deliver Redline Stealer
Date: 2023-05-22

In the campaign observed by the researchers, threat actors are using BatLoader in the form of MSIX Windows App Installer files to deliver the Redline Stealer. In February 2023, eSentire reported another BatLoader campaign targeting users searching for AI tools. “Both AI services are extremely popular but lack first-party standalone apps (i.e., users interface with ChatGPT via their web interface while Midjourney uses Discord). This vacuum has been exploited by threat actors looking to drive AI app-seekers to imposter web pages promoting fake apps.”

Vulnerability in Zyxel Firewalls May Soon Be Widely Exploited (CVE-2023-28771)
Date: 2023-05-22

Rapid7 researchers have issued a warning regarding a recently patched command injection vulnerability (CVE-2023-28771) in various Zyxel firewalls. They have published a technical analysis and a Proof of Concept (PoC) script that demonstrates the vulnerability, enabling the attacker to gain a reverse root shell. The affected devices include Zyxel ATP, USG FLEX, and VPN firewalls running ZLD firmware versions v4.60 to v5.35, as well as Zyxel ZyWALL/USG gateways/firewalls running ZLD v4.60 to v4.73. These firewall devices perform network traffic monitoring and control, possess VPN and SSL inspection capabilities, and provide additional protection against malware and other threats.

Phishing Vendor Sells IP Addresses to Duck Anomaly Detection
Date: 2023-05-22

A large-scale phishing-as-a-service operation is shifting tactics to allow attackers to avoid anomaly detection by using localized IP addresses, warns Microsoft. The computing giant discovered the provider in 2021 after detecting a phishing campaign that used more than 300,000 domains and unique subdomains in a single run. BulletProofLink, also referred to as BulletProftLink or Anthrax, sells access to phishing kits, email templates, hosting, and automated services "at a relatively low cost."

Shifting Tactics Fuel Surge in Business Email Compromise
Date: 2023-05-22

Business email fraud continues to rise, with the Federal Bureau of Investigation (FBI) reporting more than 21,000 complaints with adjusted losses over $2.7 billion. Microsoft has observed an increase in sophistication and tactics by threat actors specializing in business email compromise (BEC), including leveraging residential internet protocol (IP) addresses to make attack campaigns appear locally generated. This new tactic is helping criminals further monetize Cybercrime-as-a-Service (CaaS) and has caught federal law enforcement’s attention because it allows cybercriminals to evade “impossible travel” alerts used to identify and block anomalous login attempts and other suspicious account activity.

CISA Warns of Samsung ASLR Bypass Flaw Exploited in Attacks
Date: 2023-05-22

CISA warned last Friday of a security vulnerability affecting Samsung devices which has been used in attacks to bypass Android address space layout randomization (ASLR) protection. ASLR is an Android security feature that randomizes the memory addresses where key app and OS components are loaded into the device's memory. This makes it more difficult for attackers to exploit memory-related vulnerabilities and successfully launch attacks like buffer overflow, return-oriented programming, or other memory-based exploits.

Trojan-Rigged Phishing Attacks Pepper China-Taiwan Conflict
Date: 2023-05-19

New findings reveal a significant increase in cyber espionage attacks targeting Taiwanese organizations, coinciding with recent political tensions. According to research by Trellix, the number of malicious phishing emails aimed at Taiwanese companies surged between April 7 and April 10 of this year. The most affected sectors were networking/IT, manufacturing, and logistics.

LockBit Leaks 1.5TB of Data Stolen From Indonesia's BSI Bank
Date: 2023-05-19

The LockBit ransomware group has leaked 1.5 terabytes of personal and financial data from Bank Syariah Indonesia (BSI) after failed ransom negotiations. The stolen data includes information from approximately 15 million customers and employees of the country's largest Islamic bank. BSI has restored its key banking services under the supervision of Bank Indonesia. BSI initially experienced disruptions due to a cyberattack, but LockBit claims the bank misled customers by attributing the issues to technical maintenance.

8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency
Date: 2023-05-19

The notorious cryptojacking group tracked as 8220 Gang has been spotted weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware. The flaw in question is CVE-2017-3506 (CVSS score: 7.4), which, when successfully exploited, could allow an unauthenticated attacker to execute arbitrary commands remotely. "This allows attackers to gain unauthorized access to sensitive data or compromise the entire system," Trend Micro researcher Sunil Bharti said in a report published this week. 8220 Gang, first documented by Cisco Talos in late 2018, is so named for its original use of port 8220 for command-and-control (C2) network communications.

Apple Fixes Three New Zero-Days Exploited to Hack iPhones, Macs
Date: 2023-05-19

Apple recently patched three new zero-day flaws which were exploited in attacks targeting vulnerable iPhones, Macs, and iPads. Tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, the vulnerabilities reside in the multi-platform WebKit browser engine.

Hackers Target Vulnerable WordPress Elementor Plugin After PoC Released
Date: 2023-05-19

Hackers are now actively probing for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites in massive Internet scans, attempting to exploit a critical account password reset flaw disclosed earlier in the month. The critical-severity flaw is tracked as CVE-2023-32243 and impacts Essential Addons for Elementor versions 5.4.0 to 5.7.1, allowing unauthenticated attackers to arbitrarily reset the passwords of administrator accounts and assume control of the websites. The flaw that impacted over a million websites was discovered by PatchStack on May 8th, 2023, and fixed by the vendor on May 11th, with the release of the plugin's version 5.7.2.

Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise
Date: 2023-05-18

Every day, numerous Android phone users worldwide unknowingly contribute to the financial gains of an organization known as the Lemon Group simply by owning their devices. What these users are unaware of is that the Lemon Group has pre-infected their phones even before they purchase them. As a result, the Lemon Group secretly exploits these devices, utilizing them to steal and sell SMS messages and one-time passwords (OTPs), display unwanted advertisements, create online messaging and social media accounts, and carry out various other activities.

BianLian Skips Encryption On Way To Extortion
Date: 2023-05-18

The U.S. cybersecurity agency has warned that the BianLian ransomware group is shifting from malicious encryption to pure extortion. Instead of double extortion, the group now demands a ransom for keeping stolen data secret. The group's change in tactics is likely influenced by the release of a free decryptor by cybersecurity firm Avast. BianLian gains initial access to networks through compromised remote desktop protocol credentials, acquired from brokers or through phishing. They implant a customized backdoor and install remote management tools like TeamViewer.

MalasLocker Ransomware Targets Zimbra Servers, Demands Charity Donation
Date: 2023-05-18

A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking. The ransomware operation, dubbed MalasLocker by BleepingComputer, began encrypting Zimbra servers towards the end of March 2023, with victims reporting in both the BleepingComputer and Zimbra forums that their emails were encrypted.

Cisco Warns of Critical Switch Bugs With Public Exploit Code
Date: 2023-05-18

Yesterday, Cisco published an advisory, warning customers of four critical remote code execution vulnerabilities (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189) impacting several of its Small Business Series Switches. The four flaws received a CVSS score of 9.8 out of 10 and are due to an improper validation of requests sent to the targeted switches’ web interfaces. A successful exploit of the issues could enable unauthenticated actors to execute arbitrary code with root privileges on targeted devices.

New ZIP Domains Spark Debate Among Cybersecurity Experts
Date: 2023-05-18

Cybersecurity researchers and IT admins have raised concerns over Google's new ZIP and MOV Internet domains, warning that threat actors could use them for phishing attacks and malware delivery. Earlier this month, Google introduced eight new top-level domains (TLD) that could be purchased for hosting websites or email addresses. The new domains are .dad, .esq, .prof, .phd, .nexus, .foo, and for the topic of our article, the .zip and .mov domain TLDs.

FBI Confirms BianLian Ransomware Switch to Extortion Only Attacks
Date: 2023-05-17

A recent collaboration between government agencies in the United States and Australia, led by CISA, has resulted in a joint Cybersecurity Advisory. The advisory highlights the latest tactics, techniques, and procedures (TTPs) employed by the BianLian ransomware group, which has been actively targeting critical infrastructure in both countries since June 2022. As part of the broader #StopRansomware initiative, this advisory draws on investigations conducted by the FBI and the Australian Cyber Security Centre (ACSC) up until March 2023.

Russian Ransomware Affiliate Charged With Attacks On Critical Infrastructure
Date: 2023-05-17

The U.S. Department of the Treasury recently imposed sanctions on Mikhail Matveev, a Russian citizen, for his role in launching cyberattacks against U.S. law enforcement, businesses, and critical infrastructure. Matveev is known for his affiliation with various Russia-linked ransomware variants such as Hive, LockBit, and Babuk. According to the Treasury,

State-Sponsored SideWinder Hacker Group's Covert Attack Infrastructure Uncovered
Date: 2023-05-17

Group-IB recently uncovered a previously undocumented attack infrastructure utilized by SideWinder, a prolific state-sponsored group, to target entities located in Pakistan and China. The infrastructure unearthed encompasses 55 domains and IP addresses, which were identified by researchers as phishing domains mimicking various organizations in the news, government, telecommunications, and financial sectors.

Feds Charge Russian, Chinese Nationals With Illegal Exports
Date: 2023-05-17

U.S. federal prosecutors have announced indictments and arrests related to illegal technology exports to Russia, China, and Iran. The cases involve individuals accused of smuggling military and dual-use technology, including tactical military antennas, lasers, pressure sensors, and other electronics. The Biden administration has vowed to crack down on export violations and has created the Disruptive Technology Strike Force. The cases highlight the efforts to prevent advanced technology from falling into the hands of foreign adversaries who may use them to threaten national security and democratic values.

Hackers Infect TP-Link Router Firmware to Attack EU Entities
Date: 2023-05-17

A Chinese state-sponsored hacking group named "Camaro Dragon" infects residential TP-Link routers with a custom "Horse Shell" malware used to attack European foreign affairs organizations. The backdoor malware is deployed in a custom and malicious firmware designed specifically for TP-Link routers so that the hackers can launch attacks appearing to originate from residential networks.

Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks
Date: 2023-05-16

During last week’s Black Hat Asia 2023 conference, Israeli industrial cybersecurity firm OTORIO disclosed several vulnerabilities in cloud management platforms associated with three industrial cellular router vendors that could expose OT networks to external attacks. In total 11 vulnerabilities were disclosed, which could enable threat actors to execute code remotely and take control over hundreds of thousands of devices and OT networks. In particular, the flaws impact cloud-based management solutions offered by Sierra Wireless, Teltonika Networks, and InHand Networks to remotely manage and operate devices.

BEC Attackers Spoof CC'd Execs to Force Payment
Date: 2023-05-16

Security experts have discovered a fresh advancement in business email compromise tactics aimed at intensifying the recipient's urgency to settle a counterfeit invoice. Referred to as "VIP Invoice Authentication Fraud" by Armorblox, this strategy involves deceptive emails that imitate reputable vendors or familiar third parties regularly receiving payments from the targeted organization. The scammer initiates an invoice request targeting an individual, often in the finance team of the targeted organization. What sets this tactic apart from others is that the scammer also includes the recipient's boss in the email thread, using a fake email domain that closely resembles the boss's actual email address.

New RA Group ransomware targets U.S. orgs in double-extortion attacks
Date: 2023-05-16

A new ransomware group named 'RA Group' is targeting pharmaceutical, insurance, wealth management, and manufacturing firms in the United States and South Korea. The new ransomware operation started in April 2023, when they launched a data leak site on the dark web to publish victims' details and stolen data, engaging in the typical 'double-extortion' tactic used by most ransomware gangs.

PharMerica Reports Breach Affecting Nearly 6 Million People
Date: 2023-05-16

PharMerica, an institutional pharmacy, suffered a significant data breach in March, affecting nearly 6 million current and deceased patients. Hackers, allegedly from the Money Message ransomware group, accessed personal information such as names, birthdates, Social Security numbers, medications, and health insurance details. The group leaked spreadsheets containing patient data on the dark web and also posted internal business documents,

Open-source Cobalt Strike Port 'Geacon' Used in macOS Attacks
Date: 2023-05-16

Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices. Both Geacon and Cobalt Strike are utilities that legitimate organizations use to simulate attacks against their networks and improve defenses, but threat actors have also relied on them for attacks.

CISA Warns of Critical Ruckus Bug Used to Infect Wi-Fi Access Points
Date: 2023-05-16

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned last Friday of a critical remote code execution (RCE) flaw in the Ruckus Wireless Admin panel actively exploited by a recently discovered DDoS botnet. While this security bug (CVE-2023-25717) was addressed in early February, many owners are likely yet to patch their Wi-Fi access points. Furthermore, no patch is available for those who own end-of-life models affected by this issue.

Enigmatic Hacking Group Operating in Ukraine
Date: 2023-05-15

A newly uncovered hacking group with a string of cyberespionage successes is targeting Ukrainian and pro-Russian targets alike, its motivations uncertain in a conflict that offers little to no middle ground. Malwarebytes in a Wednesday blog post dubs the threat actor "Red Stinger," saying the group is the same as the "Bad Magic" threat actor revealed by Kaspersky in March. Malwarebytes says it traced Red Stinger activities back to 2020, while Kaspersky says it spotted the group in October 2022 - the dates suggesting an investment in stealthy techniques and operational security.

Discord Discloses Data Breach After Support Agent Got Hacked
Date: 2023-05-15

Discord, a popular communication platform, recently experienced a data breach after one of its support agents was hacked. The incident was reported by Discord on their official blog. The breach occurred due to unauthorized access to the support agent's account, which allowed the attacker to gain access to certain user data. Discord confirmed that the breach did not affect the entire user database and that only a small portion of users were impacted.

Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign
Date: 2023-05-15

Symantec recently disclosed details of a year-long running campaign targeting government, aviation, education, and telecom sectors located in South and Southeast Asia. Dubbed Lancefly, the operation commenced in mid-2022 and continued until the first quarter of 2023. According to researchers, they observed the actors deploying a powerful backdoor dubbed Merdoor, which has been around since 2018.

XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks
Date: 2023-05-15

Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware to targeted systems. Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany. "The attack campaign has been leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new analysis.

Multinational Tech Firm ABB Hit by Black Basta Ransomware Attack
Date: 2023-05-15

ABB, a leading provider of electrification and automation technology, has suffered a Black Basta ransomware attack that has reportedly impacted its business operations. The multinational company, headquartered in Zurich, Switzerland, employs approximately 105,000 workers and recorded $29.4 billion in revenue for 2022. ABB's services include the development of industrial control systems and SCADA systems for energy suppliers and manufacturing.

Stealthier Version of Linux BPFDoor Malware Spotted in the Wild
Date: 2023-05-15

A new, stealthier variant of the Linux malware 'BPFDoor' has been discovered, featuring more robust encryption and reverse shell communications. BPFDoor is a stealthy backdoor malware that has been active since at least 2017 but was only discovered by security researchers around 12 months ago. The malware gets its name from its use of the 'Berkeley Packet Filter' (BPF) for receiving instructions while bypassing incoming traffic firewall restrictions.

Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability
Date: 2023-05-15

U.S. cybersecurity and intelligence agencies have warned of attacks carried out by a threat actor known as the Bl00dy Ransomware Gang that attempt to exploit vulnerable PaperCut servers against the education facilities sector in the country. The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in a joint cybersecurity advisory issued Thursday.

Fake In-Browser Windows Updates Push Aurora Info-Stealer Malware
Date: 2023-05-15

A malvertising campaign was recently detected using an in-browser Windows update simulation to deceive users and distribute the Aurora information-stealing malware. Aurora, which is coded in Golang, has been advertised on hacker forums for over a year as a highly capable info stealer with low anti-virus detection rates. The campaign, as reported by Malwarebytes researchers, relies on popunder ads on high-traffic adult content websites to redirect unsuspecting users to a location where they are served malware.

Feds Warn of Rise in Attacks Involving Veeam Software Flaw
Date: 2023-05-15

Federal authorities have issued a warning about an increase in cyberattacks targeting Veeam's backup application in the healthcare sector. The attacks exploit a high-severity vulnerability (CVE-2023-27532) in Veeam Backup & Replication, potentially leading to unauthorized access, data theft, or ransomware deployment. The vulnerability affects all versions of the software and poses a significant threat to healthcare environments that rely on Veeam for protecting and restoring files and applications.

New Ransomware Decryptor Recovers Data From Partially Encrypted Files
Date: 2023-05-15

A new 'White Phoenix' ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption. Intermittent encryption is a strategy employed by several ransomware groups that alternates between encrypting and not encrypting chunks of data. This method allows a file to be encrypted much faster while still leaving the data unusable by the victim.

Microsoft Fixes BlackLotus Vulnerability, Again
Date: 2023-05-15

Microsoft issued an optional patch Tuesday as part of its monthly dump of fixes that addresses for the second time a Secure Boot zero-day vulnerability exploited by BlackLotus UEFI malware. In all, the Redmond giant pushed out 38 security fixes in its May patch cycle, addressing three zero-day flaws - two of which are under active exploitation, including the UEFI flaw - and six bugs rated critical. Security researchers earlier this year spotted the BlackLotus bootkit for sale on hacker forums for $5,000.

Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft
Date: 2023-05-15

Cybersecurity researchers have shared details about a now-patched security flaw in the Windows MSHTML platform that could be abused to bypass integrity protections on targeted machines. The vulnerability, tracked as CVE-2023-29324 (CVSS score: 6.5), has been described as a security feature bypass. It was addressed by Microsoft as part of its Patch Tuesday updates for May 2023. Akamai security researcher Ben Barnea, who discovered and reported the bug, noted that all Windows versions are affected, but pointed out that Microsoft Exchange servers with the March update omit the vulnerable feature. "An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server," Barnea said in a report shared with The Hacker News.

Cybersecurity Firm Dragos Discloses Cybersecurity Incident, Extortion Attempt
Date: 2023-05-15

Industrial cybersecurity company Dragos today disclosed what it describes as a "cybersecurity event" after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices. While Dragos states that the threat actors did not breach its network or cybersecurity platform, they got access to the company's SharePoint cloud service and contract management system (Bleeping Computer, 2023). "On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform," the company said.

New ‘Greatness’ Service Simplifies Microsoft 365 Phishing Attacks
Date: 2023-05-12

Greatness, a phishing-as-a-service platform, has seen a surge in activity as it focuses on targeting organizations that use Microsoft 365 in the United States, Canada, the U.K., Australia, and South Africa. As a widely used cloud-based productivity platform, Microsoft 365 is highly coveted by cybercriminals who seek to pilfer data or login credentials for use in network intrusions. According to a recent report from Cisco Talos, the Greatness phishing platform was established in the middle of 2022, with a significant upsurge in its operations in December 2022, and then again in March 2023.

Critical Ruckus RCE Flaw Exploited By New DDoS Botnet Malware
Date: 2023-05-10

A new malware botnet named 'AndoryuBot' is targeting a critical-severity flaw in the Ruckus Wireless Admin panel to infect unpatched Wi-Fi access points for use in DDoS attacks. Tracked as CVE-2023-25717, the flaw impacts all Ruckus Wireless Admin panels version 10.4 and older, allowing remote attackers to perform code execution by sending unauthenticated HTTP GET requests to vulnerable devices. The flaw was discovered and fixed on February 8, 2023. Still, many have not applied the available security updates, while end-of-life models impacted by the security problem will not get a patch.

Food Distribution Giant Sysco Warns of Data Breach After Cyberattack
Date: 2023-05-10

Sysco, a major global food distribution company, has confirmed that its network was breached earlier this year by attackers who stole sensitive information, including business, customer, and employee data. In an internal memo sent to employees on May 3rd and seen by BleepingComputer, the company revealed that customer and supplier data in the U.S. and Canada, as well as personal information belonging to U.S. employees, may have been impacted in the incident.

Top 5 Password Cracking Techniques Used by Hackers
Date: 2023-05-10

Phishing is often stated to be the most successful initial access method for both cybercriminals and more sophisticated nation-state actors. Gaining access to valid accounts is one of the easiest and most powerful tools for a threat actor. Why spend the resources breaching powerful security tools when you can simply trick an employee into clicking a bad link, or crack their password?

Multiple Vulnerabilities in Aruba Products Could Allow for Arbitrary Code Execution
Date: 2023-05-10

Multiple vulnerabilities have been discovered in Aruba Products, the most severe of which could allow for arbitrary code execution. Aruba Mobility Conductor is an advanced WLAN deployed as a virtual machine (VM) or installed on an x86-based hardware appliance. Aruba Mobility Controller is a WLAN hardware controller in a virtualized environment managing WLAN Gateways and SD-WAN Gateways that are managed by Aruba Central.

BEC Campaign via Israel Spotted Targeting Large Multinational Companies
Date: 2023-05-10

Abnormal Security researchers have identified a threat group based in Israel that is responsible for a series of business email compromise (BEC) campaigns. The group's primary targets are large multinational corporations with annual revenue exceeding $10 billion. Since February 2021, the group has launched approximately 350 BEC campaigns, with email attacks directed at employees in 61 countries spanning six continents. The attackers impersonate the targeted employee's CEO and subsequently redirect the communication to a second external persona, typically a mergers and acquisitions attorney who oversees the payment process. In certain cases, when the attack advances to the second stage, the perpetrators may ask to switch from email communications to a WhatsApp voice call to expedite the attack and minimize the chances of leaving behind any traceable evidence.

FBI Seizes 13 More Domains Linked to DDoS-For-Hire Services
Date: 2023-05-09

The U.S. Justice Department announced today the seizure of 13 more domains linked to DDoS-for-hire platforms, also known as 'booter' or 'stresser' services. This week's seizures are part of a coordinated international law enforcement effort (known as Operation PowerOFF) to disrupt online platforms that allow anyone to launch massive distributed denial-of-service (DDoS) attacks against any target for the right amount of money.

Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability
Date: 2023-05-09

Iranian nation-state groups have now joined financially motivated actors in actively exploiting a critical flaw in PaperCut print management software, Microsoft said. The tech giant's threat intelligence team said it observed both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to achieve initial access.

Five Takeaways From the Russian Cyber-Attack on Viasat's Satellites
Date: 2023-05-09

The cyber-attack on US firm Viasat’s KA-SAT satellites in Ukraine on February 24, 2022, prompted one of the largest formal attributions of a cyber-attack to a nation-state in history. Nearly 20 countries accused Russia of being responsible, including a dozen EU member states and the Five Eyes countries (US, UK, Australia, New Zealand and Canada). This cyber intrusion, which preceded Russia’s invasion of its neighbor by just a few hours, was thoroughly discussed during the third edition of CYSAT, an event dedicated to cybersecurity in the space industry that took place in Paris, France on April 26-27, 2023.

Western Digital Says Hackers Stole Customer Data in March Cyberattack
Date: 2023-05-09

Western Digital Co. has taken its store offline and sent customers data breach notifications after confirming that hackers stole sensitive personal information in a March cyberattack. The company emailed the data breach notifications late Friday afternoon, warning that customers' data was stored in a Western Digital database that was stolen during the attack.

Fleckpe Trojan Infects 620K Devices via Google Play
Date: 2023-05-09

The Google Play store was found to have hosted Android malware disguised as legitimate applications, which have been downloaded over 620,000 times since 2022. The malicious apps were disguised as photo-editing apps, camera editors and smartphone wallpaper packs, and infected 11 legitimate applications before being taken down. Once downloaded, the malware executes a payload from the app asset, which sends the infected device's mobile code to a command-and-control server. The server then sends a paid subscription page, which the Trojan opens in an invisible web browser to subscribe the user.

Meet Akira — A New Ransomware Operation Targeting the Enterprise
Date: 2023-05-08

The Akira ransomware operation is gradually expanding its list of victims by infiltrating corporate networks globally, encrypting files, and demanding ransoms amounting to millions of dollars. The operation began in March 2023 and has already targeted 16 companies in diverse industries such as finance, education, real estate, manufacturing, and consulting. Although there was ransomware named Akira released in 2017, there is no connection between these two operations.

MSI’s Firmware, Intel Boot Guard Private Keys Leaked
Date: 2023-05-08

The cybercriminals who breached Taiwanese multinational MSI last month have apparently leaked the company’s private code signing keys on their dark web site. MSI (Micro-Star International) is a corporation that develops and sells computers (laptops, desktops, all-in-one PCs, servers, etc.) and computer hardware (motherboards, graphics cards, PC peripherals, etc.). The company confirmed in early April that it had been hacked. A ransomware group called Money Message claimed responsibility for the breach, said they grabbed (among other things) some of the company’s source code, and asked for $4 million to return/delete it.

New Cactus Ransomware Encrypts Itself to Evade Antivirus
Date: 2023-05-08

Researchers at corporate investigation firm Kroll have uncovered a new ransomware operation dubbed Cactus, which is exploiting known vulnerabilities in Fortinet VPN appliances to gain initial access to the networks of large commercial entities. What's more, the group employs an unusual tactic to evade defenses and scanning by antivirus solutions.

WordPress Custom Field Plugin Bug Exposes Over 1M Sites to XSS Attacks
Date: 2023-05-08

Security researchers warn that the 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' WordPress plugins, with millions of installs, are vulnerable to cross-site scripting attacks (XSS). The two plugins are among WordPress's most popular custom field builders, with 2,000,000 active installs on sites worldwide.

Kimsuky Hackers Use New Recon Tool to Find Security Gaps
Date: 2023-05-05

The Kimsuky hacking group, known by aliases such as Thallium and Velvet Chollima, has been using a new version of its reconnaissance malware called ReconShark to conduct a cyberespionage campaign on a global scale. According to Sentinel Labs, the group has broadened its target range to include government organizations, research centers, universities, and think tanks in the US, Europe, and Asia. South Korean and German authorities warned in March 2023 that Kimsuky had distributed malicious Chrome extensions and Android spyware as a remote access trojan to target Gmail accounts. Kaspersky previously reported in August 2022 that the group had targeted politicians, diplomats, university professors, and journalists in South Korea using a multi-stage target validation scheme to ensure the successful infection of only valid targets.

Microsoft Patches Serious Azure Cloud Security Flaws
Date: 2023-05-04

Microsoft has patched three vulnerabilities in its Azure cloud platform that could have allowed attackers to access sensitive info on a targeted service, deny access to the server, or scan the internal network to mount further attacks, researchers have found. Researchers from the Ermetic Research Team discovered the flaws in the Azure API Management Service, which allows organizations to create, manage, secure, and monitor APIs across all of their environments, they revealed in a blog post published Thursday.

Russian Hackers Use WinRAR to Wipe Ukraine State Agency’s Data
Date: 2023-05-04

The Russian 'Sandworm' hacking group has been linked to an attack on Ukrainian state networks where WinRAR was used to destroy data on government devices. In a new advisory, the Ukrainian Government Computer Emergency Response Team (CERT-UA) says the Russian hackers used compromised VPN accounts that weren't protected with multi-factor authentication to access critical systems in Ukrainian state networks. Once they gained access to the network, they employed scripts that wiped files on Windows and Linux machines using the WinRAR archiving program.

City of Dallas Hit by Royal Ransomware Attack Impacting IT Services
Date: 2023-05-04

The City of Dallas, Texas, has suffered a Royal ransomware attack, causing it to shut down some of its IT systems to prevent the attack's spread. Dallas is the ninth largest city in the United States, with a population of approximately 2.6 million people, according to US census data. Local media reported that the City's police communications and IT systems were shut down Monday morning due to a suspected ransomware attack. This has led to 911 dispatchers having to write down received reports for officers rather than submit them via the computer-assisted dispatch system. The Dallas County Police Department's website was also offline for part of the day due to the security incident but has since been restored.

Hackers Start Using Double DLL Sideloading to Evade Detection
Date: 2023-05-04

A hacking group known as Dragon Breath, Golden Eye Dog, or APT-Q-27 is utilizing multiple sophisticated variations of the traditional DLL sideloading technique to avoid detection. These attack variations start with an initial stage that uses legitimate applications, such as Telegram, to sideload a second-stage payload, which may also be legitimate and which in turn loads a malicious loader DLL.

Drone Goggles Maker Claims Firmware Sabotaged to ‘Brick’ Devices
Date: 2023-05-04

Orqa, a maker of First Person View (FPV) drone racing goggles, claims that a contractor introduced code into its devices' firmware that acted as a time bomb designed to brick them. Early on Saturday, Orqa started receiving reports from customers surprised to see their FPV.One V1 goggles enter bootloader mode and become unusable.

Google Chrome Will Lose the “Lock” Icon for HTTPS-Secured Sites
Date: 2023-05-03

In September 2023, Google Chrome will stop showing the lock icon when a site loads over HTTPS, partly due to the now ubiquitous use of the protocol. It took many years, but the unceasing push by Google, other browser makers and Let's Encrypt to make HTTPS the norm for accessing resources on the Web resulted in an unmitigated success; according to Google, over 95% of page loads in Chrome on Windows are now over an encrypted, secure channel using HTTPS.

FBI Seizes 9 Crypto Exchanges Used to Launder Ransomware Payments
Date: 2023-05-03

In a recent announcement, the FBI stated that it carried out an operation alongside the Virtual Currency Response Team, the National Police of Ukraine, and legal prosecutors in the country to seize several cryptocurrency exchange sites that were being used by scammers and cybercriminals, including ransomware actors, to launder money taken from victims.

Researchers Uncover New BGP Flaws in Popular Internet Routing Protocol Software
Date: 2023-05-03

Cybersecurity researchers have uncovered weaknesses in a software implementation of the Border Gateway Protocol (BGP) that could be weaponized to achieve a denial-of-service (DoS) condition on vulnerable BGP peers. BGP is a gateway protocol that's designed to exchange routing and reachability information between autonomous systems. It's used to find the most efficient routes for delivering internet traffic. The three vulnerabilities reside in version 8.4 of FRRouting, a popular open source internet routing protocol suite for Linux and Unix platforms.

APT41 Subgroup Plows Through Asia-Pacific, Utilizing Layered Stealth Tactics
Date: 2023-05-03

APT41 is a well-known Chinese cyber threat that is made up of various subgroups. The group has previously used a variety of tactics over the years to carry out espionage attacks against government agencies, businesses, and individuals. The group's attacks against the US government have led to indictments of its members by US law enforcement. On May 2, Trend Micro researchers reported that Earth Longzhi, a suspected subgroup of APT41, has launched a new campaign after almost a year of inactivity with more advanced stealth tactics to carry out espionage campaigns against the same types of targets.

T-Mobile Discloses Second Data Breach Since the Start of 2023
Date: 2023-05-02

T-Mobile disclosed the second data breach of 2023 after discovering that attackers had access to the personal information of hundreds of customers for more than a month, starting late February 2023. Compared to previous data breaches reported by T-Mobile, the latest of which impacted 37 million people, this incident affected only 836 customers.

Apple’s First Rapid Security Response Patch Fails to Install on iPhones
Date: 2023-05-02

Apple has launched the first Rapid Security Response (RSR) patches for iOS 16.4.1 and macOS 13.3.1 devices. As the company describes in a recently published support document, RSR patches are small-sized updates that target the iPhone, iPad, and Mac platforms and patch security issues between major software updates. Some of these out-of-band security updates may also be used to address vulnerabilities actively exploited in attacks.

New LOBSHOT Malware Gives Hackers Hidden VNC Access to Windows Devices
Date: 2023-05-02

A newly discovered malware named 'LOBSHOT' can discreetly take control of Windows devices using hVNC and is being distributed through Google Ads. Cybersecurity researchers had earlier reported an increase in threat actors using Google ads to distribute malware through fake websites for popular applications such as 7-Zip, VLC, OBS, Notepad++, CCleaner, TradingView, Rufus, and others. These malicious sites pushed malware, including Gozi, RedLine, Vidar, Cobalt Strike, SectopRAT, and the Royal Ransomware, instead of the intended applications.

Killer Use Cases for AI Dominate RSA Conference Discussions
Date: 2023-05-02

Pre-RSA social media gaming predicted it. Many predicted they would loathe it. And it happened: discussions at this year's RSA conference again and again came back to generative artificial intelligence - but with a twist. Even some of the skeptics professed their conversion to the temple of AI, whose overlord, for better or worse, is poised to preside over human activity with indifference about good or evil intent. Count Israeli cryptographer Adi Shamir - the S in the RSA cryptosystem - as a convert. One year ago, speaking at RSA, he thought AI might have some defensive use cases but didn't see it being an offensive threat.

North Korea-linked ScarCruft APT Uses Large LNK Files in Infection Chains
Date: 2023-05-02

Check Point researchers released new attack details attributed to North Korea’s ScarCruft APT (APT37, Reaper, Group123) group. Since 2022, the group has shifted tactics away from using malicious documents to deliver malware, and instead has been adopting oversized LNK files which are embedded with malicious payloads.

APT28 Targets Ukrainian Government Entities with Fake "Windows Update" Emails
Date: 2023-05-01

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country. The agency attributed the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy. The email messages come with the subject line "Windows Update" and purportedly contain instructions in the Ukrainian language to run a PowerShell command under the pretext of security updates.

Hackers Target Vulnerable Veeam Backup Servers Exposed Online
Date: 2023-05-01

According to researchers at WithSecure, a Finnish cybersecurity and privacy company, threat actors have been leveraging a recently fixed vulnerability in Veeam Backup and Replication software to target unpatched Veeam backup servers. The vulnerability in question is being tracked as CVE-2023-27532 and allows unauthenticated users in the backup infrastructure to obtain encrypted credentials stored in the VeeamVBR configuration database.

One Brooklyn Reports Breach, Faces Lawsuit Post-Cyberattack
Date: 2023-05-01

A safety net hospital system in New York City faces a proposed class action lawsuit tied to a late 2022 cybersecurity incident that breached the personal information of more than 235,000 patients. The incident affected three One Brooklyn Health System hospitals and several other facilities. First discovered on Nov 19, 2022, the incident caused patient rerouting and disrupted access to electronic health records and patient portals for more than a month.

Hackers Leak Images to Taunt Western Digital’s Cyberattack Response
Date: 2023-05-01

The ransomware group known as ALPHV or BlackCat has shared screenshots of internal emails and video conferences taken from Western Digital's systems. This suggests that the hackers maintained access to the company's networks even as Western Digital worked to address the cyber attack. The leak occurred after the group had issued a warning to Western Digital on April 17, stating they would escalate their actions until the company paid a ransom or could no longer withstand the consequences.

Cold Storage Giant Americold Outage Caused by Network Breach
Date: 2023-05-01

Americold, a leading cold storage and logistics company, has been facing IT issues since its network was breached on Tuesday night. The company said it contained the attack and is now investigating the incident, which, according to customer and employee reports, also affected operations. It also estimated that its systems will be down until at least next week.

Vietnamese Hackers Linked to 'Malverposting' Campaign
Date: 2023-04-28

According to a recent blog post by Guardio Labs, a Vietnamese threat actor is conducting a malverposting campaign, which has been ongoing for several months. It's estimated that this campaign has infected more than 500,000 devices worldwide within the last three months alone. Malverposting is the act of using social media posts and tweets to spread malicious software and other security threats. In this instance, the attacker abused Facebook's Ad service to distribute malware. Guardio Labs' head of cyber security, Nati Tal, stated that the high number of infections was made possible by using Facebook's Ad service as the initial delivery mechanism.

Hackers Exploit TP-Link N-Day Flaw to Build Mirai Botnet
Date: 2023-04-28

Researchers from Trend Micro's Zero Day Initiative said telemetry from Eastern Europe indicates that Mirai operators are exploiting a flaw in the TP-Link Archer AX21 firmware. The bug, CVE-2023-1389, allows attackers to inject a command into the router's web management interface. A handful of teams competing in the December 2022 Pwn2Own competition in Toronto identified the flaw.

New Atomic macOS Malware Steals Keychain Passwords and Crypto Wallets
Date: 2023-04-28

Threat actors are advertising a new information stealer for the Apple macOS operating system called Atomic macOS Stealer (or AMOS) on Telegram for $1,000 per month, joining the likes of MacStealer. "The Atomic macOS Stealer can steal various types of information from the victim's machine, including Keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password," Cyble researchers said in a technical report.

Linux Version of RTM Locker Ransomware Targets VMware ESXi Servers
Date: 2023-04-28

In a new report by Uptycs, researchers analyzed a Linux variant of the RTM Locker that is based on the leaked source code of the now-defunct Babuk ransomware. The RTM Locker Linux encryptor appears to be created explicitly for attacking VMware ESXi systems, as it contains numerous references to commands used to manage virtual machines. When launched, the encryptor first gathers a list of running VMs in order to encrypt all VMware ESXi virtual machines. The encryptor then terminates all running virtual machines and starts to encrypt files that have the following file extensions - .log (log files), .vmdk (virtual disks), .vmem (virtual machine memory), .vswp (swap files), and .vmsn (VM snapshots). All of these files are associated with virtual machines running on VMware ESXi. Like Babuk, RTM uses random number generation and ECDH on Curve25519 for asymmetric encryption, but instead of Sosemanuk, it relies on ChaCha20 for symmetric encryption.

Contact Us For Full Threat Report, Analyst Comments & Mitigation Steps

Zyxel Fixed a Critical RCE Flaw in its Firewall Devices and Urges Customers to Install the Patches
Date: 2023-04-28

Researchers from TRAPA Security discovered a critical remote code execution vulnerability, tracked as CVE-2023-28771 (CVSS score 9.8), affecting Zyxel firewalls. The flaw stems from improper error message handling in Zyxel ZyWALL/USG series firmware versions 4.60 through 4.73, VPN series firmware versions 4.60 through 5.35, USG FLEX series firmware versions 4.60 through 5.35, and ATP series firmware versions 4.60 through 5.35. A remote, unauthenticated attacker can trigger it by sending specially crafted packets to a vulnerable device and execute OS commands on it.

Contact Us For Full Threat Report, Analyst Comments & Mitigation Steps

Tencent QQ Users Hacked in Mysterious Malware Attack, Says ESET
Date: 2023-04-28

Security researchers from ESET have linked the Chinese APT group Evasive Panda to an attack that distributed the MgBot malware via an automatic update for the Tencent QQ messaging app. Evasive Panda has been active since at least 2012, targeting organizations and individuals in mainland China, Hong Kong, Macao, Nigeria, and several countries in Southeast and East Asia. ESET discovered the latest campaign in January 2022, but evidence suggests it began in 2020. The victims, primarily members of an international NGO, are concentrated in the provinces of Gansu, Guangdong and Jiangsu, indicating a specific, targeted approach.

Contact Us For Full Threat Report, Analyst Comments & Mitigation Steps

Obscure Network Protocol Has Flaw That Could Unleash DDoS
Date: 2023-04-27

An obscure service discovery protocol codified during the 1990s has come roaring back to attention after researchers found a flaw that would allow attackers to launch massive distributed denial-of-service attacks. Researchers from Bitsight and Curesec say they found a reflection and amplification weakness in the Service Location Protocol (SLP): an attacker can send small UDP requests with a spoofed source address to Internet-exposed SLP servers, which answer with much larger replies directed at the victim. SLP, designed by engineers at Sun Microsystems and a now-defunct internet service provider, was envisioned as a dynamic method of discovering resources such as printers on a closed enterprise network and was never meant to be reachable from the Internet.
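
To make the amplification concrete, the following script builds an SLPv2 service request and parses a service reply using the wire format from RFC 2608, then compares the two sizes. It is an added example written for this page, not code from the Bitsight/Curesec research. The reply is constructed locally so everything runs offline; the amplification figure it reports is for that constructed reply only, not a measurement of any real server. The optional probe() helper is the only part that touches the network, and it is there so you can test your own hosts on UDP port 427.

```python
"""SLPv2 (RFC 2608) request/reply encoder and decoder.

Added example for this page, not code from the Bitsight/Curesec research.
Layouts follow RFC 2608 section 8. The SrvRply below is constructed in
the test driver; it is not a capture from a real SLP server.
"""
import socket
import struct
from typing import List, Tuple

SLP_VERSION = 2
FN_SRVRQST = 1   # Service Request
FN_SRVRPLY = 2   # Service Reply
SLP_PORT = 427   # registered UDP/TCP port for SLP


def _field(data: bytes) -> bytes:
    """SLP string field: 2-byte big-endian length followed by the bytes."""
    return struct.pack("!H", len(data)) + data


def _header(function_id: int, body: bytes, xid: int, lang: bytes = b"en") -> bytes:
    # version(1) fn(1) length(3) flags(2) next-ext-offset(3) xid(2) lang-tag-len(2) lang-tag
    length = 14 + len(lang) + len(body)
    return (bytes([SLP_VERSION, function_id])
            + length.to_bytes(3, "big")
            + struct.pack("!H", 0)        # flags
            + (0).to_bytes(3, "big")      # next extension offset
            + struct.pack("!H", xid)
            + _field(lang)
            + body)


def build_srvrqst(xid: int, service_type: bytes = b"service:service-agent",
                  scope: bytes = b"DEFAULT") -> bytes:
    """A minimal SrvRqst: empty previous-responder list, predicate and SPI."""
    body = (_field(b"")            # previous responder list
            + _field(service_type)
            + _field(scope)
            + _field(b"")          # predicate
            + _field(b""))         # SLP SPI
    return _header(FN_SRVRQST, body, xid)


def build_srvrply(xid: int, urls: List[bytes], lifetime: int = 65535) -> bytes:
    """Encode a SrvRply so the parser can be exercised without a live server."""
    entries = b"".join(bytes([0]) + struct.pack("!H", lifetime) + _field(u) + bytes([0])
                       for u in urls)  # reserved, lifetime, url, num-auths
    body = struct.pack("!HH", 0, len(urls)) + entries  # error code, url count
    return _header(FN_SRVRPLY, body, xid)


def parse_header(data: bytes) -> Tuple[int, int, int, int]:
    """Return (function id, declared length, xid, offset of body)."""
    if len(data) < 14 or data[0] != SLP_VERSION:
        raise ValueError("not an SLPv2 message")
    fn = data[1]
    length = int.from_bytes(data[2:5], "big")
    xid = struct.unpack("!H", data[10:12])[0]
    lang_len = struct.unpack("!H", data[12:14])[0]
    return fn, length, xid, 14 + lang_len


def parse_srvrply(data: bytes) -> Tuple[int, List[bytes]]:
    """Decode a SrvRply into (error code, list of service URLs)."""
    fn, length, _xid, off = parse_header(data)
    if fn != FN_SRVRPLY:
        raise ValueError("not a SrvRply")
    if length != len(data):
        raise ValueError("length field does not match datagram size")
    err, count = struct.unpack("!HH", data[off:off + 4])
    off += 4
    urls = []
    for _ in range(count):
        url_len = struct.unpack("!H", data[off + 3:off + 5])[0]  # skip reserved+lifetime
        url = data[off + 5:off + 5 + url_len]
        off += 5 + url_len
        num_auths = data[off]
        off += 1
        if num_auths:
            raise ValueError("authentication blocks not handled")
        urls.append(url)
    return err, urls


def amplification_factor(request: bytes, reply: bytes) -> float:
    """Bytes the reflector sends to the victim per byte the attacker sends."""
    return len(reply) / len(request)


def probe(host: str, timeout: float = 2.0) -> Tuple[int, List[bytes]]:
    """Send one SrvRqst to `host` and decode the reply (network; not run in tests)."""
    req = build_srvrqst(xid=0x1234)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, SLP_PORT))
        data, _ = s.recvfrom(65535)
    return parse_srvrply(data)
```

Two things the code makes visible: the request is a few dozen bytes regardless of how many services the server knows about, while the reply grows with every registered URL, so the ratio scales with what has been registered on the reflector. A host that answers probe() from an untrusted network is the exposure to fix, and the straightforward remedy is to disable SLP where it is not needed or block UDP and TCP port 427 at the perimeter.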

Contact Us For Full Threat Report, Analyst Comments & Mitigation Steps

Cisco Discloses XSS Zero-Day Flaw in Server Management Tool
Date: 2023-04-27

Cisco today disclosed a zero-day vulnerability in its Prime Collaboration Deployment (PCD) software that can be exploited for cross-site scripting (XSS) attacks. This server management utility lets admins perform migration and upgrade tasks on servers in their organization's inventory.

Contact Us For Full Threat Report, Analyst Comments & Mitigation Steps

Clop, LockBit Ransomware Gangs Behind PaperCut Server Attacks
Date: 2023-04-27

On April 19th, PaperCut, a print management software vendor, disclosed that threat actors were actively exploiting two flaws in PaperCut MF and NG and urged admins to upgrade their servers to the latest version as soon as possible. The flaws, tracked as CVE-2023-27350 and CVE-2023-27351, were fixed last month in the PaperCut Application Server; the former allows unauthenticated remote code execution and the latter unauthenticated information disclosure.

Contact Us For Full Threat Report, Analyst Comments & Mitigation Steps

98% of organizations with Office 365 harbor malicious emails inside their mailboxes. Threats like ransomware, spear phishing, and account takeover put your organization and employees at significant risk. Find out what's hiding in your inbox.


Via a security assessment, we can quickly identify security gaps and out-of-date patches and software updates, then advise on the steps to fix them.


Via a short questionnaire, we'll help you determine whether weaknesses exist in the way you protect your confidential data. In a few minutes, we'll produce a comprehensive profile of the strengths and vulnerabilities of your IT security. Let us show you where protections should be placed before those vulnerabilities are exploited.


LA-Cyber can directly submit suspicious URLs and files through the ISAO’s Cyber Forum for rapid analysis to determine if they are known or zero-day cybersecurity threats.



Contact LACyber

LACyber's main office is located at 155 Great Arrow, Buffalo New York. Our main office phone number is (716) 871-7040.