Current Active Threats


Queensland Government Energy Generator Hit by Ransomware
Date: 2021-11-30

Queensland government-owned energy generator CS Energy said on Tuesday it was responding to a ransomware incident that occurred over the weekend. First reported by Energy Source & Distribution, the company said the incident has not impacted electricity generation at Callide and Kogan Creek power station, and it was looking to restore its network.

Contact Us For Full Threat Report, Analyst Comments & Mitigation Steps

Yanluowang Ransomware Operation Matures with Experienced Affiliates
Date: 2021-11-30

An affiliate of the recently discovered Yanluowang ransomware operation is focusing its attacks on U.S. organizations in the financial sector using BazarLoader malware in the reconnaissance stage. Based on observed tactics, techniques, and procedures, the threat actor is experienced with ransomware-as-a-service (RaaS) operations and may be linked with the Five Hands group.

Spy Chief's Warning: Our Foes Are Now 'Pouring Money' into Quantum Computing and AI
Date: 2021-11-30

The rise of technologies like artificial intelligence (AI) and quantum computing is changing the world -- and intelligence services must adapt in order to operate in an increasingly digital environment, the head of MI6 has warned. In his first public speech since taking the role of "C" in October 2020, Richard Moore, chief of the UK Secret Intelligence Service (MI6), discussed the challenges posed by the rapid evolution in technology.

DNA Testing Firm Discloses Data Breach Affecting 2.1 Million People
Date: 2021-11-30

DNA Diagnostics Center (DDC), an Ohio-based DNA testing company, has disclosed a hacking incident that affects 2,102,436 persons. The incident resulted in a confirmed data breach that occurred between May 24, 2021, and July 28, 2021, but the firm discovered it only on October 29, 2021.
The information that the hackers accessed includes the following:
- Full names
- Credit card number + CVV
- Debit card number + CVV
- Financial account number
- Platform account password
The database contained older backups from 2004-2012 and was not linked to active systems. “DDC acquired certain assets from this national genetic testing organization in 2012 that included certain personal information, and therefore, impacts from this incident are not associated with DDC,” said the organization.

Panasonic Discloses Data Breach After Network Hack
Date: 2021-11-29

Japanese multinational conglomerate Panasonic disclosed a security breach after unknown threat actors gained access to servers on its network this month. "Panasonic Corporation has confirmed that its network was illegally accessed by a third party on November 11, 2021," the company said in a press release issued Friday. "As the result of an internal investigation, it was determined that some data on a file server had been accessed during the intrusion."

Wind Turbine Maker Vestas Confirms Recent Security Incident Was Ransomware
Date: 2021-11-29

Wind turbine maker Vestas says "almost all" of its IT systems are finally up and running 10 days after a security attack by criminals, confirming that it had indeed fallen victim to ransomware. Alarm bells rang the weekend before last when the Danish organisation said it had identified a "cyber security incident" and closed off parts of its tech estate to "contain the issue."

APT37 Targets Journalists with Chinotto Multi-Platform Malware
Date: 2021-11-29

North Korean state hacking group APT37 targets South Korean journalists, defectors, and human rights activists in watering holes, spear-phishing emails, and smishing attacks delivering malware dubbed Chinotto capable of infecting Windows and Android devices. APT37 (aka Reaper) has been active since at least 2012 and is an advanced persistent threat group (APT) linked to the North Korean government with high confidence by FireEye.

Biopharmaceutical Firm Supernus Pharmaceuticals Hit by Hive Ransomware During an Ongoing Acquisition
Date: 2021-11-29

Biopharmaceutical company Supernus Pharmaceuticals confirmed it was the victim of a data breach after a ransomware attack that hit the firm in mid-November. The company states that the security breach did not impact its operations; it notified government authorities and engaged cybersecurity experts and its outside law firm to respond to the incident. Supernus Pharmaceuticals also said it had successfully recovered the encrypted files and has taken additional security measures to prevent future incidents.

Experts Warn of Attacks Exploiting CVE-2021-40438 Flaw in Apache HTTP Server
Date: 2021-11-29

Threat actors are exploiting a recently addressed server-side request forgery (SSRF) vulnerability, tracked as CVE-2021-40438, in Apache HTTP servers. The CVE-2021-40438 flaw can be exploited against httpd web servers that have the mod_proxy module enabled. A threat actor can trigger the issue using a specially crafted request to cause the module to forward the request to an arbitrary origin server.

Apple Sues NSO Group Over Pegasus Spyware
Date: 2021-11-25

Apple on Tuesday filed a lawsuit against mercenary spyware company NSO Group and its parent company, seeking a permanent injunction that bans NSO Group from using any Apple software, services, or devices. The complaint also provides new information on how NSO Group infected victims' Apple devices with its Pegasus spyware. "State-sponsored actors like the NSO Group spend millions of dollars on sophisticated surveillance technologies without effective accountability. That needs to change," Craig Federighi, Apple SVP of Software Engineering, said in a statement. "While these cybersecurity threats only impact a very small number of our customers, we take any attack on our users very seriously, and we're constantly working to strengthen the security and privacy protections in iOS to keep all our users safe."

Industry Group Sounds Alarm over 'Tardigrade' Malware Targeting Biomanufacturing Sector
Date: 2021-11-25

A group of likely foreign government-sponsored hackers is behind cyberattacks on two bio-manufacturing companies that occurred this year, using a kind of malware capable of operating autonomously within a network, an industry group warned. The Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) dubbed the malware “Tardigrade” after the resilient micro-animal, and said it looks like the work of an advanced persistent threat group, a term that most often refers to government-backed attackers.

Biometric Auth Bypassed Using Fingerprint Photo, Printer, and Glue
Date: 2021-11-25

Researchers demonstrated that fingerprints could be cloned for biometric authentication for as little as $5 without using any sophisticated or uncommon tools. Although fingerprint-based biometric authentication is generally considered superior to PINs and passwords in terms of security, the fact that imprints can be left in numerous public places makes it ripe for abuse.

Vulnerability Alert: VMware vCenter Server Updates Address Arbitrary File Read and SSRF Vulnerabilities
Date: 2021-11-24

Multiple vulnerabilities in VMware vCenter Server were privately reported to VMware. Updates are available to remediate these vulnerabilities in affected VMware products.

CISA Issues Holiday Ransomware Message
Date: 2021-11-24

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning Americans not to take a break from cybersecurity this holiday season.

FBI Warns of Phishing Targeting High-profile Brands' Customers
Date: 2021-11-24

The Federal Bureau of Investigation (FBI) warned today of recently detected spear-phishing email campaigns targeting customers of "brand-name companies" in attacks known as brand phishing.

Observing Attacks Against Hundreds of Exposed Services in Public Clouds
Date: 2021-11-24

Notorious ransomware groups such as REvil and Mespinoza exploit exposed cloud services to gain initial access to victims' environments. Using a honeypot infrastructure of 320 nodes deployed globally, researchers aim to better understand the attacks against exposed services in public clouds.

US Govt Warns Critical Infrastructure Of Ransomware Attacks During Holidays
Date: 2021-11-23

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warn critical infrastructure partners of ransomware attacks during the holiday season. Government experts warn of other malicious activities such as phishing scams, fraudulent sites spoofing reputable businesses, and unencrypted financial transactions.

Code Execution Bug Patched in imunify360 Linux Server Security Suite
Date: 2021-11-23

Imunify360 is a security solution for Linux web servers based on machine learning technology, which uses a multi-layer approach to provide protection against many types of malicious attacks or abnormal behavior, including distributed brute-force attacks.

Over 4000 UK Retailers Compromised by Magecart Attacks
Date: 2021-11-22

UK government security experts have been forced to notify over 4000 domestic online businesses that their websites were infected with digital skimming code. The GCHQ agency, the National Cyber Security Centre (NCSC), had informed 4151 compromised online shops by the end of September. Most of these were exploited via a known bug in the popular Magento e-commerce software. The NCSC argued digital retailers needed to get their house in order ahead of the busy festive shopping period, which begins at the end of this week with the Black Friday weekend.

6M Sky Routers Vulnerable to Cyberattacks
Date: 2021-11-22

Sky is a UK-based provider of broadband; Sky Broadband is the service operated by Sky UK. 6M Sky routers were left exposed to cyberattacks for almost 18 months, a year and a half during which the company was working to remediate a DNS rebinding flaw in its customers' routers.

California Pizza Kitchen Suffers Data Breach, SSN of 100k Individuals Exposed
Date: 2021-11-22

Founded in 1985, California Pizza Kitchen (CPK) is an American casual dining restaurant chain specializing in California-style pizza. According to Wikipedia, the chain has over 250 locations in 32 U.S. states and ten other countries, including 15 California Pizza Kitchen non-traditional franchise concepts designed for airports, universities, and stadiums.

FBI Warning: This Zero-day VPN Software Flaw was Exploited by APT Hackers
Date: 2021-11-22

The FBI has warned that a sophisticated group of attackers has exploited a zero-day flaw in a brand of virtual private networking (VPN) software since May. The FBI said its forensic analysis showed that the exploitation of the zero-day vulnerability in the FatPipe WARP, MPVPN, and IPVPN software by an advanced persistent threat (APT) group went back to at least May 2021. It did not provide any further information about the identity of the group.

Vestas Impacted by Cyber Security Incident
Date: 2021-11-22

Vestas Wind Systems, one of the world's largest makers of wind turbines, today confirmed company data had been compromised in a "cyber security incident" that forced the firm to isolate parts of its I.T. infrastructure. To contain the issue, I.T. systems were shut down across multiple business units and locations.

New Memento Ransomware Uses Password-protected WinRAR Archives to Block Access to the Files
Date: 2021-11-22

In October, Sophos researchers spotted a ransomware called Memento that adopts a curious approach to block access to a victim's files. The ransomware copies files into password-protected WinRAR archives, using a renamed freeware version of the legitimate file utility WinRAR. The Memento ransomware then encrypts the password and deletes the original files from the victim’s system.

Rising Cyber Insurance Premiums Highlight Importance of Ransomware Prevention
Date: 2021-11-19

A point noted in this report is that insurers often will not cover the total amount of a security incident, meaning that cyber insurance payouts can help only so much. According to the report and news we have shared throughout 2021, ransomware attacks are rising. They will continue to be somewhat lucrative for those involved, especially if insurers continue to honor payouts and meet ransomware demands. According to the report, one client said that they received requests for 30+ ransomware payouts in their first year of operation.

This USPS Spoof Shows Us That Phishmas is Upon Us
Date: 2021-11-19

The holidays are approaching, and there appears to be a shipping crunch. Due to supply chain concerns, many are worried that they won’t get their holiday gifts in time.

CISA Publishes Cybersecurity Playbooks for FCEB Agencies
Date: 2021-11-19

On November 16, 2021, The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) published the Cybersecurity Incident & Vulnerability Response Playbooks: Operational Procedures for Planning and Conducting Cybersecurity Incident and Vulnerability Response Activities in FCEB Information Systems.

New Ransomware Actor Uses Password-protected Archives To Bypass Encryption Protection
Date: 2021-11-19

This is a new group that I have not heard of or reported on yet; they refer to themselves as the "memento team." Like other groups, they are using Python-based ransomware that's been rewritten and reconfigured after 'set-backs,' as described by security researchers.

Revealed: The 200 Most Used and Worst Passwords of 2021
Date: 2021-11-19

According to a report from NordPass, people are still using passwords such as "123456," "12345," "password," and "qwerty." The research reveals that these are among the weakest passwords in use today and can easily leave you vulnerable to hacking. The password 123456 appeared over 103 million times in NordPass’s research.

OTPBlitz: New OTP Retrieval Service Launched on Darknet Forum
Date: 2021-11-19

A new service known as OTPBlitz has been launched on the darknet forum XSS. OTPBlitz is designed to enable criminals to retrieve one-time passcodes (OTP) from victims by calling them directly and using text-to-speech software to impersonate platforms or services which utilise OTP. The operators target specific platforms or services, such as banks or payment providers, and then attempt to use social engineering via ‘scripts’ read by text-to-speech software to persuade victims to share their OTP.

Critical Root RCE Bug Affects Multiple Netgear SOHO Router Models
Date: 2021-11-18

A vulnerability recently disclosed by Netgear could allow an attacker to leverage a pre-authentication buffer overflow in various product models. The affected models include WiFi extenders, routers, DSL modems, air cards, and cable modems.

Russian Ransomware Gangs Might be Collaborating with Chinese Hackers
Date: 2021-11-18

RAMP is a Russian-language forum that debuted in July 2021 and has drawn a lot of interest from researchers and cybercriminals alike. The forum was created on the same domain that previously housed the Babuk ransomware data leak site and the Payload[.]bin data leak site.

China's APT41 Manages Library of Breached Certificates
Date: 2021-11-18

A freelance Chinese APT group is actively managing a library of compromised code-signing digital certificates to support cyber-espionage attacks targeting supply chain vendors, according to Venafi. The security vendor’s latest research report details the work of APT41, an unusual group in that it has previously been observed carrying out attacks for both traditional state-sponsored cyber-espionage and personal financial gain.

US, UK and Australia Warn of Iran-linked APTs Exploiting Fortinet, Microsoft Exchange Flaws
Date: 2021-11-18

A joint advisory released by government agencies in the U.S., U.K., and Australia (the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the United Kingdom’s National Cyber Security Centre (NCSC)) warns that Iran-linked threat actors are exploiting Fortinet and Microsoft Exchange vulnerabilities in attacks aimed at U.S. critical infrastructure and Australian organizations.

FBI FLASH: AC-000155
Date: 2021-11-17

As of November 2021, FBI forensic analysis indicated exploitation of a 0-day vulnerability in the FatPipe MPVPN® device software going back to at least May 2021. The vulnerability allowed APT actors to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity. Exploitation of this vulnerability then served as a jumping-off point into other infrastructure for the APT actors. This vulnerability is not yet identified with a CVE number but can be located with the FatPipe Security Advisory number FPSA006. The vulnerability affects all FatPipe WARP®, MPVPN, and IPVPN® device software prior to the latest version releases 10.1.2r60p93 and 10.2.2r44p1.

Threat Actors Offer Millions for Zero-days, Developers Talk of Exploit-as-A-service
Date: 2021-11-17

One forum user in early May offered $25,000 for proof-of-concept (POC) exploit code for CVE-2021-22893, a critical-severity vulnerability in Pulse Secure VPN that Chinese hackers had leveraged since at least April. Another actor with deeper pockets claimed a budget of up to $3 million for no-interaction remote code execution (RCE) bugs, the so-called zero-click exploits, for Windows 10 and Linux. The same user offered up to $150,000 for original solutions for "unused startup methods in Windows 10" so malware would be active every time the system booted.

Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities
Date: 2021-11-17

CISA released an alert (AA21-321A) this morning suggesting that APT groups on behalf of the Iranian government may be exploiting vulnerabilities in servers and appliances that are exposed to the internet and have not received security patches from vendors.

DDoS Attacks Surge 35% in Q3 as VoIP is Targeted
Date: 2021-11-17

Security experts have warned of a surge in distributed denial of service (DDoS) attacks in the third quarter, with quantity, size and complexity all increasing in the period. The findings come from Lumen’s Q3 DDoS Report, which revealed that the firm mitigated 35% more attacks in the quarter than Q2 2021. The vendor claimed that the largest bandwidth attack it tackled during the period was 612 Gbps — a 49% increase over Q2. The largest packet rate-based attack scrubbed was 252 Mbps — a 91% increase.

Now Iran's State-backed Hackers are Turning to Ransomware
Date: 2021-11-17

Microsoft has detailed the activities of six Iranian hacker groups that are behind waves of ransomware attacks that have arrived every six to eight weeks since September 2020. Russia is often seen as the home of the biggest cyber-criminal ransomware threats, but state-sponsored attackers from North Korea and Iran have also shown a growing interest in ransomware.

New Banking Trojan Sharkbot Makes Waves Across Europe, US
Date: 2021-11-16

Researchers from Cleafy believe that SharkBot utilizes ATS (Automatic Transfer System) attack techniques to bypass behavioral analytics, biometric checks, and multi-factor authentication (MFA). However, there is one caveat: the malware must first compromise Android Accessibility Services.

Intel Addresses 2 High-severity Issues in BIOS Firmware of Several Processors
Date: 2021-11-16

Intel disclosed two high-severity vulnerabilities that affect the BIOS firmware in several processor families; both vulnerabilities have received a CVSS v3 score of 8.2. The vulnerabilities, tracked as CVE-2021-0157 and CVE-2021-0158, were discovered by researchers at SentinelOne and can be exploited by an attacker with physical access to the device to elevate privileges.

New Rowhammer Technique Bypasses Existing DDR4 Memory Defenses
Date: 2021-11-16

“Researchers have developed a new fuzzing-based technique called 'Blacksmith' that revives Rowhammer attacks against modern DRAM devices and bypasses existing mitigations. The emergence of this new Blacksmith method demonstrates that today's DDR4 modules are vulnerable to exploitation, allowing a variety of attacks to be conducted.”

FBI's Email System Hacked to Send Out Fake Cyber Security Alert to Thousands
Date: 2021-11-16

On Saturday, the U.S. Federal Bureau of Investigation (FBI) confirmed unidentified threat actors have breached one of its email servers to blast hoax messages about a fake "sophisticated chain attack." The incident, which was first publicly disclosed by threat intelligence non-profit SpamHaus, involved sending rogue warning emails with the subject line "Urgent: Threat actor in systems" originating from a legitimate FBI email address "eims@ic.fbi[.]gov" that framed the attack on Vinny Troia, a security researcher and founder of dark web intelligence firms Night Lion Security and Shadowbyte, while also claiming him to be affiliated with a hacking outfit named TheDarkOverlord.

North Korean Hackers Target Cybersecurity Researchers with Trojanized IDA Pro
Date: 2021-11-16

Also known by the monikers APT38, Hidden Cobra, and Zinc, the Lazarus Group was active as early as 2009 and linked to a string of attacks for financial gain and harvesting sensitive information from compromised environments. Lazarus, the North Korea-affiliated state-sponsored group, is attempting to once again target security researchers with backdoors and remote access trojans using a trojanized pirated version of the popular IDA Pro reverse engineering software.

Exchange Exploit Leads to Domain Wide Ransomware
Date: 2021-11-16

ProxyShell is a name given to a combination of three vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker chaining the exploitation of these vulnerabilities could execute arbitrary code with SYSTEM privileges on Exchange servers.

Microsoft Has Released Out-of-Band Security Updates To Address Authentication Issues Affecting Windows Server
Date: 2021-11-16

Microsoft has released out-of-band updates to fix authentication failures related to Kerberos delegation scenarios impacting Domain Controllers (DC) running Windows Server. These issues impact Windows Server 2019 and lower versions, including Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2 SP1, and Windows Server 2008 SP2.

Emotet Malware Is Back and Rebuilding Its Botnet via Trickbot
Date: 2021-11-16

The Emotet malware was considered the most widely spread malware in the past, using spam campaigns and malicious attachments to distribute the malware. Emotet would then use infected devices to perform other spam campaigns and install other payloads, such as the QakBot (Qbot) and Trickbot malware. These payloads would then be used to provide initial access to threat actors to deploy ransomware, including Ryuk, Conti, ProLock, Egregor, and many others.

Zero-day Bug in All Windows Versions Gets Free Unofficial Patch
Date: 2021-11-12

A free and unofficial patch is now available for a zero-day local privilege escalation vulnerability in the Windows User Profile Service that lets attackers gain SYSTEM privileges under certain conditions.

SunWater Data Breach: Queensland's Water Supplier Targeted by Hackers for Nine Months
Date: 2021-11-12

According to an audit report that the Queensland Audit Office released on the 10th of November, it seems that hackers have targeted the Queensland water supplier for nine months, during which the threat actors maintained continued access to company servers.

Threat Actors Add Johnson Memorial Health to Dark Web Leak Site
Date: 2021-11-12

Johnson Memorial Health, located in Indiana, has reportedly been targeted and breached by attackers, which has impacted its ability to operate. "At this time, no appointments or surgeries have been canceled, and we ask all patients scheduled to receive services to report to JMH as normal."

Google Warns of Hackers Using macOS Zero-Day Flaw to Capture Keystrokes, Screengrabs
Date: 2021-11-12

Google's Threat Analysis Group (TAG) has revealed that hackers targeting visitors to websites in Hong Kong were using a previously undisclosed, or zero-day, flaw in macOS to spy on people. Apple patched the bug, tracked as CVE-2021-30869, in a macOS Catalina update in September, about a month after Google TAG researchers found it being used.

BotenaGo Botnet Targets Millions of IoT Devices Using 33 Exploits
Date: 2021-11-12

BotenaGo is a new botnet discovered by researchers at AT&T that leverages 33 exploits to target millions of routers and IoT devices.

TeamTNT Group Targets Poorly Configured Docker Servers Exposing REST APIs
Date: 2021-11-10

Trend Micro researchers reported that TeamTNT hackers are targeting poorly configured Docker servers exposing Docker REST APIs as part of an ongoing campaign that started in October. Threat actors execute malicious scripts to deploy Monero cryptocurrency miners, perform container-to-host escape using well-known techniques, and scan the Internet for exposed ports from other compromised containers.

New Android Malware Targets Netflix, Instagram, and Twitter Users
Date: 2021-11-10

A new Android malware known as MasterFred uses fake login overlays to steal the credit card information of Netflix, Instagram, and Twitter users. This new Android banking trojan also targets bank customers with custom fake login overlays in multiple languages.

CVE-2021-3064 PAN-OS: Memory Corruption Vulnerability in GlobalProtect Portal and Gateway Interfaces
Date: 2021-11-10

Palo Alto Networks issued a critical security advisory for CVE-2021-3064, where a Memory Corruption Vulnerability was discovered in GlobalProtect Portal and Gateway Interfaces. The advisory states that, “A memory corruption vulnerability exists in Palo Alto Networks GlobalProtect portal and gateway interfaces that enables an unauthenticated network-based attacker to disrupt system processes and potentially execute arbitrary code with root privileges. The attacker must have network access to the GlobalProtect interface to exploit this issue.”

Spike in Conti Ransomware Attacks
Date: 2021-11-10

I wanted to let you know that we received information from an internal source that a company that is in the telecommunications industry, or otherwise provides services to those in the field, has confirmed a breach likely on behalf of Conti ransomware operators or its affiliates.

Stor-a-File Hit by Ransomware After Crooks Target Solarwinds Serv-u FTP Software
Date: 2021-11-10

We reported yesterday that companies using vulnerable SolarWinds Serv-U instances should patch them right away, as various global security researchers have been observing active exploitation. Several vulnerable servers were reported in the United States and China; Palo Alto attributed attacks to FIN11, a financially motivated cybercriminal group operating out of Russia.

Patch! Microsoft Urges Exchange Admins To Patch Bug Exploited in the Wild
Date: 2021-11-10

In this week's Microsoft Patch Tuesday update, several vulnerabilities were disclosed, varying greatly in severity. One in particular, an Exchange Server bug that Microsoft says is already being exploited in the wild, is receiving a great deal of attention from organizations, cybercriminals, and adversaries alike.

Two NPM Packages With 22 Million Weekly Downloads Found Backdoored
Date: 2021-11-10

NPM is the package manager for the Node.js JavaScript platform. It puts modules in place so that Node can find them and manages dependency conflicts intelligently. It is highly configurable to support a wide variety of use cases; most commonly it is used to publish, discover, install, and develop Node programs. Because a single popular package can be pulled into millions of builds, a backdoored release propagates to every project that installs it, whether directly or as a transitive dependency.

Medical Software Firm Urges Password Resets after Ransomware Attack
Date: 2021-11-09

Medatixx, a German medical software vendor whose products are used in over 21,000 health institutions, urges customers to change their application passwords following a ransomware attack that has severely impaired its entire operations. The firm clarified that the impact has not reached clients and is limited to its internal IT systems and should not affect any of its PVS (practice management systems).

Meet Lyceum: Iranian Hackers Targeting Telecoms, ISPs
Date: 2021-11-09

Researchers have provided a deep dive into the activities of Lyceum, an Iranian threat group focused on infiltrating the networks of telecoms companies and internet service providers (ISPs). Lyceum, also known as Hexane, Siamesekitten, or Spirlin, has been active since 2017. The advanced persistent threat (APT) group has been linked to campaigns striking Middle Eastern oil and gas companies in the past and now appears to have expanded its focus to include the technology sector.

TA505 Shifts Focus from Malspam to Exploitation of Vulnerabilities
Date: 2021-11-09

TA505, also tracked as FIN11, Buhtrap, Ratopak Spider, Silence, and Gold Evergreen, depending on the security vendor, has a long history of breaching companies through a variety of initial access vectors. Its activity has been reported since approximately 2006, and it is considered one of the most significant financially motivated threat actors, in large part because of the enormous volume of malicious email it has sent to targeted organizations. The shift described here, from malicious spam toward direct exploitation of vulnerabilities in internet-facing software, means that mail filtering alone no longer keeps this actor out; patch cadence on edge services matters just as much.

US Charges Ukrainian National for Kaseya Ransomware Attack
Date: 2021-11-09

Earlier this year, the attack against Kaseya products had devastating consequences for MSPs, downstream customers, and companies alike. According to multiple sources, five individuals from various parts of the globe have been arrested since February 2021. These five are believed to have been responsible for deploying REvil on systems belonging to some 5,000 organizations.

Five Affiliates to Sodinokibi/Revil Unplugged
Date: 2021-11-08

On 4 November, Romanian authorities arrested two individuals suspected of cyber-attacks deploying the Sodinokibi/REvil ransomware. They are allegedly responsible for 5,000 infections, which in total pocketed half a million euros in ransom payments.

Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Web shells, NGLite Trojan, and KdcSponge Stealer
Date: 2021-11-08

Several nation-state attacks were reported over the weekend in which attackers exploited CVE-2021-40539 in Zoho ManageEngine ADSelfService Plus (builds 6113 and earlier; fixed in build 6114). ADSelfService Plus provides self-service password management and single sign-on for Active Directory and cloud applications, which is why a compromise of it yields credentials for the whole domain. On September 16th, 2021, we alerted members to this vulnerability and shared CISA's alert so that companies could apply the patch. After exploitation, the attackers drop web shells, including the Godzilla web shell, which is publicly available on GitHub. Palo Alto Networks' Unit 42 also observed a new backdoor named NGLite, likewise publicly available on GitHub, "used for redundancy and to maintain access to high-interest networks." Both tools appear to have been written by Chinese-speaking developers, with their documentation in Chinese. The final payload, KdcSponge, is a credential stealer that hooks the Kerberos Key Distribution Center (KDC) service on domain controllers to capture domain credentials as users authenticate.

Chinese Spy Faces Decades in Jail After Conviction
Date: 2021-11-08

A Chinese intelligence officer has been convicted of cyber-espionage by a US federal jury, in the first ever case of its kind. Xu Yanjun, deputy division director of the Sixth Bureau of the Jiangsu Province Ministry of State Security, was found guilty of conspiring to and attempting to commit economic espionage and theft of trade secrets, according to the Department of Justice (DoJ).

Operation Cyclone Targets Clop Ransomware Affiliates
Date: 2021-11-08

Interpol announced the arrest of six alleged affiliates of the Clop ransomware operation as part of an international joint law enforcement operation codenamed Operation Cyclone. Law enforcement authorities from South Korea, Ukraine, and the United States joined their efforts in a 30-month investigation that was coordinated by Interpol.

Access to Oiltanking platform for sale on Raid Forums
Date: 2021-11-08

Access to a platform operated by Oiltanking is for sale on Raid Forums. Oiltanking is a multinational logistics service provider specialising in petroleum products headquartered in Germany. The sale is being conducted by the user mont4na. According to mont4na, this access includes user emails, usernames and plaintext passwords.

FBI Warns of Increased Use of Cryptocurrency ATMs, QR Codes for Fraud
Date: 2021-11-05

The FBI's alert concerns schemes in which a victim is directed to withdraw cash, deposit it at a cryptocurrency ATM, and scan a QR code supplied by the scammer; the code encodes the scammer's wallet address, and once the transfer is made it is effectively irreversible. QR codes have become commonplace because they are cheap to deploy: businesses replace printed material with a code, and they have spread to conferences, restaurants, and other public places during the COVID-19 pandemic as a contactless measure. Like any other technology, they carry security risks, the chief one being that a person cannot tell where a code points before scanning it.

One Single Vulnerability Is All an Attacker Needs
Date: 2021-11-05

Attackers will often scan public-facing appliances for a single exploitable flaw and, once initial access is obtained, move on to exploiting vulnerabilities on the internal LAN, typically through misconfigured remote-access protocols or services that lack proper authentication. One unpatched edge device is all the foothold they need.

CISA Urges Vendors to Patch BrakTooth Bugs after Exploits Release
Date: 2021-11-05

Researchers have released public exploit code and a proof-of-concept tool to test Bluetooth devices against System-on-a-Chip (SoC) security bugs impacting multiple vendors, including Intel, Qualcomm, Texas Instruments, and Cypress. Collectively known as BrakTooth, these 16 flaws impact commercial Bluetooth stacks on over 1,400 chipsets used in billions of devices such as smartphones, computers, audio devices, toys, IoT devices, and industrial equipment. Because the fixes must come from each chipset vendor's firmware, many affected devices will never be patched; where Bluetooth is not needed, disabling it is the practical mitigation.

US Targets DarkSide Ransomware, Rebrands with $10 Million Reward
Date: 2021-11-05

The US government is targeting the DarkSide ransomware operation and its rebrands with a reward of up to $10,000,000 for information leading to the identification or location of members of the operation. The US Department of State will reward informants who identify or locate DarkSide members in key leadership positions.

Hardcoded SSH Key in Cisco Policy Suite Lets Remote Hackers Gain Root Access
Date: 2021-11-05

Cisco Systems has released security updates to address vulnerabilities in multiple Cisco products, including a static SSH key in Cisco Policy Suite that could allow an unauthenticated, remote attacker to log in as the root user and take control of vulnerable systems. Because the key is the same on every affected installation, rotating passwords does not help; apply Cisco's update and then confirm that the old key is no longer accepted for root logins.

BlackMatter Ransomware to Shut Down, Affiliates Transferring Victims to LockBit
Date: 2021-11-05

Yesterday, we reported on the potential closure of the prolific BlackMatter ransomware group. First reported by VX-Underground, messages shared with Bleeping Computer showed BlackMatter was going to close shop due to law enforcement pressure.

Phishing and Spam Lures Feature Sports, Aim to Steal Credentials
Date: 2021-11-03

Phishing remains the most successful way to steal credentials from victims; new data shows that 5.6 million phishing sites have been used this year to send 36 million malware-laden email attachments.

Almost Half of Rootkits are Used for Cyberattacks Against Government Organizations
Date: 2021-11-03

Research into how rootkits are used by cybercriminals has revealed that close to half of campaigns are focused on compromising government systems. On Wednesday, Positive Technologies released a report on the evolution and application of rootkits in cyberattacks, noting that 77% of rootkits are utilized for cyberespionage.

Google Fixes Actively Exploited Zero-Day Kernel Flaw in Android
Date: 2021-11-03

Google released its Android November 2021 security updates this week. The updates address 18 vulnerabilities in the framework and 18 issues in the kernel and vendor components, including the kernel flaw in the title, which Google says may be under limited, targeted exploitation.

BlackMatter Ransomware Claims to be Shutting Down Due to Police Pressure
Date: 2021-11-03

The BlackMatter ransomware is allegedly shutting down its operation due to pressure from the authorities and recent law enforcement operations. BlackMatter operates a private ransomware-as-a-service (RaaS) website that affiliates can use to communicate with the core operators, open support tickets, and receive new ransomware builds.

Ransomware Targets Companies During Mergers and Acquisitions
Date: 2021-11-03

The Federal Bureau of Investigation (FBI) warns that ransomware gangs are targeting companies involved in "time-sensitive financial events" such as corporate mergers and acquisitions to make it easier to extort their victims. In a private industry notification published on Monday, the FBI said ransomware operators use the financial information collected before attacks as leverage to force victims to comply with ransom demands.

Trickbot IOCs October 2021
Date: 2021-11-03

A trusted third party to the Cybersecurity and Infrastructure Security Agency (CISA) has provided the attached information regarding Trickbot malware for your awareness and action. Trickbot is a highly modular malware, capable of performing a number of actions on a network such as stealing information or dropping ransomware. The attached “Trickbot” spreadsheet lists Trickbot infrastructure in use in September and October 2021. Specific dates and infrastructure are indicated on the tabs of the spreadsheet.

Increased Ransomware Activity: Updates on Blackmatter and Recent Attacks
Date: 2021-11-02

BlackMatter, the ransomware responsible for attacks on critical infrastructure and industry across the globe, has reportedly added a new tool to its arsenal. BlackMatter uses a ransomware-as-a-service model that allows the ransomware's developers to profit from cybercriminal affiliates. Researchers from Symantec have discovered a new tool that they have named Exmatter; it targets specific file types in selected directories and uploads them to attacker-controlled servers before the ransomware is deployed on the network, so the data-theft phase may be the only warning a defender gets before encryption begins.

Most Computer Code Compilers Vulnerable to Novel Attacks
Date: 2021-11-02

Most compilers and interpreters are exposed to ‘Trojan Source’ attacks, in which an adversary introduces targeted vulnerabilities into software without being detected in code review, according to researchers from the University of Cambridge. The paper, Trojan Source: Invisible Vulnerabilities, details how Unicode's bidirectional (Bidi) control characters can be used “to produce source code whose tokens are logically encoded in a different order from the one they are displayed.” The compiler parses the logical order while a human reviewer sees the rendered order, so code that looks like a harmless comment or string can actually be an executable statement. The practical defence is to reject or flag Bidi control characters in source files at commit or review time.
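The following is an added example, not code from the Cambridge paper; it is modelled on the paper's early-return trick. A constructed Python function hides `; return True` behind a right-to-left isolate (U+2067) placed inside its docstring, so an editor that honours Bidi rendering shows the statement as part of the comment while the interpreter executes it. The scanner then finds the control character, which is the check a pre-commit hook or reviewer tool should perform. The sample source, function names and the Bidi code point table are the only assumptions.

```python
"""Detect Unicode bidirectional (Bidi) control characters in source text,
and demonstrate why they matter.

Added example; not code from the Trojan Source paper or any project.
"""

# Bidi control code points the Trojan Source paper abuses.
BIDI_CONTROLS = {
    0x202A: "LRE", 0x202B: "RLE", 0x202C: "PDF", 0x202D: "LRO", 0x202E: "RLO",
    0x2066: "LRI", 0x2067: "RLI", 0x2068: "FSI", 0x2069: "PDI",
}


def find_bidi_controls(source: str):
    """Return (line, column, name, code point) for every Bidi control found.
    Scanning the raw text, not tokens, is deliberate: the attack relies on
    the characters sitting inside strings and comments, where a parser
    would accept them without complaint."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            if cp in BIDI_CONTROLS:
                hits.append((lineno, col, BIDI_CONTROLS[cp], f"U+{cp:04X}"))
    return hits


# Constructed sample. The RLI (U+2067) inside the docstring makes a
# Bidi-aware editor render the trailing "; return True" as comment text,
# but the interpreter still executes it, so is_admin() is True for everyone.
TROJAN_SAMPLE = (
    "def is_admin(user):\n"
    "    ''' Check whether the user is an admin \u2067''' ; return True\n"
    "    return user == 'admin'\n"
)

# The same function as the reviewer believes they saw it.
CLEAN_SAMPLE = (
    "def is_admin(user):\n"
    "    ''' Check whether the user is an admin '''\n"
    "    return user == 'admin'\n"
)


def run_sample(source: str, user: str) -> bool:
    """Compile and execute a sample, returning what its is_admin() decides."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)
    return namespace["is_admin"](user)


if __name__ == "__main__":
    print("trojan is_admin('bob') ->", run_sample(TROJAN_SAMPLE, "bob"))
    print("clean  is_admin('bob') ->", run_sample(CLEAN_SAMPLE, "bob"))
    for hit in find_bidi_controls(TROJAN_SAMPLE):
        print("Bidi control at line %d col %d: %s (%s)" % hit)
```

Wire find_bidi_controls into a pre-commit hook or CI step over every text file in the repository and fail the build on any hit; legitimate right-to-left text in string literals is rare enough in most code bases that an allow-list per file is manageable.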

Phishing Attacks Are Harder to Spot on Your Smartphone. That's Why Hackers Are Using Them More
Date: 2021-11-02

There's been a surge in mobile phishing attacks targeting the energy sector as cyber attackers attempt to break into networks used to provide services including electricity and gas. The energy industry is highly critical, providing people with vital services required for everyday use. That role makes it a prime target for cyber criminals

Cybercriminals Sell Access to International Shipping, Logistics Giants
Date: 2021-11-02

On Tuesday, Intel 471 published an analysis of current black market trends online, revealing instances of initial access brokers (IABs) offering access to international shipping and logistics companies across the ground, air, and sea.

Ransomware Attack Impedes Toronto’s Public Transportation System
Date: 2021-11-02

A ransomware attack has disrupted the activities of the Toronto public transportation agency and has taken down several systems used by drivers and commuters alike. The Toronto Transit Commission said the attack was detected last week on Thursday night by a TTC IT staffer who noticed “unusual network activity.”

Possible Cyber Attack Hits ‘Brain’ of N.L. Health-care System, Delaying Thousands of Appointments
Date: 2021-11-02

Healthcare facilities and related industries have been targeted by criminals frequently of late. In recent news, “A cyberattack appears to be behind a provincewide disruption of health-care services in Newfoundland and Labrador that has affected thousands of appointments and procedures, including those involving COVID-19 testing.”

BlackMatter: New Data Exfiltration Tool Used in Attacks
Date: 2021-11-01

Security researchers have discovered a new data exfiltration tool designed to accelerate information theft for ransomware groups using the BlackMatter variant. The Symantec Threat Hunter team explained in a new blog post today that the custom tool is the third discovery of its kind, following the development of the Ryuk Stealer tool and the LockBit-linked StealBit. The researchers claimed BlackMatter itself is linked to the “Coreid” cybercrime group, which may have also been responsible for Darkside — the variant that led to the Colonial Pipeline outage.

Hive Ransomware Now Encrypts Linux and FreeBSD Systems
Date: 2021-11-01

In a new report, ESET researchers revealed that the Hive ransomware gang now also encrypts Linux and FreeBSD systems using new malware variants developed specifically for these platforms. However, as the Slovak internet security firm discovered, Hive's new encryptors are still in development and lack functionality. The Linux variant also proved to be quite buggy during ESET's analysis, with encryption failing completely when the malware was executed with an explicit path.

Pink Botnet Infected Over 1.6 Million Devices, It Is One of the Largest Botnet Ever Seen
Date: 2021-11-01

Qihoo 360's Netlab cybersecurity researchers discovered a huge botnet, tracked as Pink, that has already infected over 1.6 million devices. The botnet was created to launch DDoS attacks and to insert advertisements into the legitimate HTTP traffic of the victims, most of which are in China (96%).

FBI: HelloKitty Ransomware Adds DDoS Attacks to Extortion Tactics
Date: 2021-11-01

The U.S. Federal Bureau of Investigation (FBI) has sent out a flash alert warning private industry partners that the HelloKitty ransomware gang (aka FiveHands) has added distributed denial-of-service (DDoS) attacks to its arsenal of extortion tactics. The FBI said that the ransomware group takes its victims' official websites down in DDoS attacks if they do not comply with the ransom demands.

CISA: IB-21-10183 Exfiltration Tool Associated with BlackMatter Reported in IT Sector
Date: 2021-11-01

The attack chain possibly involves the Trickbot Trojan as an initial infection vector. Once executed, the malware, using hardcoded rules, will attempt to exfiltrate files from a local machine. This malware has been used to conduct ransomware attacks against medium to large sized organizations concentrated in North America, Europe, and Asia.

Ransomware Gangs Use SEO Poisoning To Infect Visitors
Date: 2021-10-29

Researchers have spotted two campaigns linked to either the REvil ransomware gang or the SolarMarker backdoor that use SEO poisoning to serve payloads to targets. SEO poisoning, also known as "search poisoning," is an attack method that relies on optimizing websites using 'black hat' SEO techniques to rank higher in Google search results. Due to their high ranking, victims who land on these sites believe they are legitimate, and actors enjoy a heavy influx of visitors who look for specific keywords.

Google Fixes 2 New Actively Exploited Zero-day Flaws in Chrome
Date: 2021-10-29

Google has released Chrome 95.0.4638.69 for Windows, Mac, and Linux to address two zero-day vulnerabilities, tracked as CVE-2021-38000 and CVE-2021-38003, that are being actively exploited in attacks in the wild.

Data Breach at University of Colorado
Date: 2021-10-29

An American university is notifying thousands of former and current students that their personal information may have been compromised during a recent data breach. In a security notice issued October 25, the University of Colorado Boulder (CU Boulder) attributed the breach to an unpatched vulnerability in software provided by a third-party vendor, Atlassian Corporation Plc.

Misconfigured Database Leaks 880 Million Medical Records
Date: 2021-10-29

Researchers have found an unsecured database leaking over 886 million sensitive patient records online. The non-password-protected data trove was found by Jeremiah Fowler and Website Planet and traced to healthcare AI firm Deep 6 AI, which fixed the privacy snafu promptly after it was responsibly disclosed. Deep 6 AI applies intelligent algorithms to medical data to help find patients for clinical trials within minutes. The exposed data included date, document type, physician note, encounter IDs, patient ID, note, UUID, patient type, note ID, date of service, note type, and detailed note text.

WordPress Plugin Bug Impacts 1M Sites, Allows Malicious Redirects
Date: 2021-10-28

The OptinMonster plugin is affected by a high-severity flaw that allows unauthorized API access and sensitive information disclosure on roughly a million WordPress sites. Tracked as CVE-2021-39341, the flaw was discovered by researcher Chloe Chamberland on September 28, 2021, with a patch becoming available on October 7, 2021

Microsoft Warns Over Uptick in Password Spraying Attacks
Date: 2021-10-27

Cyber attackers aren't just looking for software flaws, supply-chain weaknesses, and open RDP connections. The other key asset they are after is identities, especially account details that give them access to other internal systems. The Russian actor behind the SolarWinds attack, which trojanized software updates, has also been using extensive password spraying to take over admin accounts for initial access. Unlike brute force, a spray tries one or two common passwords across many accounts and stays under per-account lockout thresholds, so detection has to look at account breadth per source rather than failure count per account.
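The detection logic that breadth-per-source rule implies, as an added example for this page and not Microsoft's own detection: it parses a constructed, simplified authentication log, counts distinct accounts that each source IP failed against inside a sliding window, and flags sources that exceed a threshold. It also reports any successful login from a flagged source, since that is the account to treat as compromised. The log format, thresholds and IP addresses are all made up for illustration.

```python
"""Password-spray detection over authentication log lines.

Added example for this page; not Microsoft's detection logic. Log format,
thresholds and IP addresses below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, result, user, src),
    or None if the line does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def detect_spray(lines, window=timedelta(minutes=30), min_users=5):
    """Return {src: {"sprayed": set, "succeeded": set}} for every source
    that failed against at least `min_users` distinct accounts within any
    `window`-long interval.

    A spray tries one or two passwords against many accounts, so the
    signal is account breadth per source, not attempts per account (which
    is what lockout policies and classic brute-force rules watch)."""
    failures = defaultdict(list)   # src -> [(ts, user), ...]
    successes = defaultdict(set)   # src -> {user, ...}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, src = parsed
        if result == "failure":
            failures[src].append((ts, user))
        else:
            successes[src].add(user)

    flagged = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = {"sprayed": users, "succeeded": successes[src]}
                break
    return flagged


# Constructed sample: 203.0.113.5 sprays one guess across many accounts
# (and gets into one), 198.51.100.7 hammers a single account (brute force,
# not a spray), and 192.0.2.9 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2021-10-27T09:00:01Z auth failure user=alice src=203.0.113.5
2021-10-27T09:00:07Z auth failure user=bob src=203.0.113.5
2021-10-27T09:00:13Z auth failure user=carol src=203.0.113.5
2021-10-27T09:00:19Z auth failure user=dave src=203.0.113.5
2021-10-27T09:00:25Z auth failure user=erin src=203.0.113.5
2021-10-27T09:00:31Z auth success user=frank src=203.0.113.5
2021-10-27T09:01:00Z auth failure user=admin src=198.51.100.7
2021-10-27T09:01:05Z auth failure user=admin src=198.51.100.7
2021-10-27T09:01:10Z auth failure user=admin src=198.51.100.7
2021-10-27T09:01:15Z auth failure user=admin src=198.51.100.7
2021-10-27T09:01:20Z auth failure user=admin src=198.51.100.7
2021-10-27T09:02:00Z auth failure user=grace src=192.0.2.9
2021-10-27T09:02:30Z auth success user=grace src=192.0.2.9
"""

if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(f"possible password spray from {src}: "
              f"{len(info['sprayed'])} accounts failed "
              f"({', '.join(sorted(info['sprayed']))}); "
              f"successful logins: {', '.join(sorted(info['succeeded'])) or 'none'}")
```

Sprays that rotate source addresses or run one guess per day per account will slip under a single-source, 30-minute window; lengthen the window and key on additional fields (user agent, ASN, target application) before relying on this in production.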

North Korean State Hackers Start Targeting the IT Supply Chain
Date: 2021-10-27

North Korean-sponsored Lazarus hacking group has switched focus on new targets and was observed by Kaspersky security researchers expanding its supply chain attack capabilities. Lazarus has been seen using a new variant of the BLINDINGCAN backdoor to target political think tanks in South Korea, and to breach a Latvian IT vendor earlier this year. The infection chain used South Korean security software to deploy a malicious payload.

Contact LACyber

LACyber's main office is located at 155 Great Arrow, Buffalo New York. Our main office phone number is (716) 871-7040.
