Current Active Threats


Russian Cybergangs Stole Over 50 Million Passwords This Year
Date: 2022-11-23

At least 34 distinct Russian-speaking cybercrime groups using info-stealing malware like Raccoon and Redline have collectively stolen 50,350,000 account passwords from over 896,000 individual infections from January to July 2022. The stolen credentials were for cryptocurrency wallets, Steam, Roblox, Amazon, and PayPal accounts, as well as payment card records. According to a report from Group-IB, whose analysts have been tracking these operations globally, most victims are based in the United States, Germany, India, Brazil, and Indonesia, but the malicious operations targeted 111 countries.

Contact Us For Full Threat Report, Analyst Comments & Mitigation Steps

Ducktail Malware Operation Evolves with New Malicious Capabilities
Date: 2022-11-23

Operators of the Ducktail information stealer have returned, introducing new malicious capabilities. Ducktail is malware designed to siphon browser cookies and take advantage of authenticated Facebook sessions to steal information from victims and run ads on their accounts for monetary gain. The info-stealer is attributed to a Vietnamese threat actor that is known for targeting businesses in the digital marketing and advertising sectors that are active on the Facebook Ads and Business platform. “Also targeted are individuals within prospective companies that are likely to have high-level access to Facebook Business accounts. This includes marketing, media, and human resources personnel.”

Backdoored Chrome Extension Installed by 200,000 Roblox Players
Date: 2022-11-23

The Chrome extension 'SearchBlox', installed by more than 200,000 users, has been discovered to contain a backdoor that can steal your Roblox credentials and your assets on Rolimons, a Roblox trading platform. Analysis of the extension code indicated the presence of a backdoor, which is suspected to have been introduced either intentionally by its developer or after an initial compromise. The extension claims to allow users to "search Roblox servers for the desired player... blazingly fast." Suspicions that SearchBlox contained malware arose among Roblox community members after someone tweeted that the “Popular plug-in SearchBlox has been COMPROMISED / BACKDOORED - and if you have it, your account may be at risk.”

Hackers Breach Energy Orgs via Bugs in Discontinued Web Server
Date: 2022-11-23

Microsoft said today that security vulnerabilities found to impact a web server discontinued since 2005 have been used to target and compromise organizations in the energy sector. Recorded Future revealed in a report published in April that state-backed Chinese hacking groups (including one traced as RedEcho) targeted multiple Indian electrical grid operators, compromising an Indian national emergency response system and the subsidiary of a multinational logistics company.

Black Basta Using QBot Malware to Target US-Based Companies
Date: 2022-11-23

Researchers say Black Basta is dropping QBot malware - also called QakBot - in a widespread ransomware campaign targeting mostly U.S.-based companies. In the group's latest campaign, attackers are again using QBot to install a backdoor and then drop in encryption malware and other malicious code, according to Cybereason.

Experts Warn Threat Actors May Abuse Red Team Tool Nighthawk
Date: 2022-11-22

Security researchers are warning that a new red-teaming tool dubbed “Nighthawk” may soon be leveraged by threat actors. Created in late 2021 by MDSec, the tool is best described as an advanced C2 framework, which functions like Cobalt Strike and Brute Ratel as a commercially distributed remote access trojan (RAT) designed for legitimate use.

Hospital Workers Charged with Selling Patient Information
Date: 2022-11-22

The U.S. Justice Department in a statement says a federal grand jury on Nov. 10 indicted five former employees of Memphis, Tennessee-based Methodist Le Bonheur Healthcare with accessing and disclosing patient information to a sixth individual, Roderick Harvey, without the knowledge, consent or authorization of the patients. Four of the employees worked as financial counselors at Methodist Healthcare, and one of the individuals held a variety of roles, including PBX unit secretary, according to court documents. The longest-tenured employee, Taylor, worked in the hospital's emergency room as a financial counselor for 18 years, according to court documents.

Emotet Is Back and Delivers Payloads Like Icedid and Bumblebee
Date: 2022-11-22

In April, the operators of the infamous Emotet botnet started testing new attack techniques in response to Microsoft’s move to disable Visual Basic for Applications (VBA) macros by default. In June, Proofpoint experts spotted a new variant of the Emotet bot that uses a new module to steal credit card information stored in the Chrome web browser. The experts noticed multiple changes to the bot and its payloads, and the operators introduced changes to the malware modules, loader, and packer. “The volume of emails that Emotet sending bots attempt to deliver each day is in the hundreds of thousands. These numbers are comparable to historic averages. Hence, it does not appear that the Emotet botnet lost any significant spamming capability during the inactive period,” reads the report published by Proofpoint.

Chinese 'Mustang Panda' Hackers Actively Targeting Governments Worldwide
Date: 2022-11-21

A notorious advanced persistent threat actor known as Mustang Panda has been linked to a spate of spear-phishing attacks targeting government, education, and research sectors across the world. The primary targets of the intrusions from May to October 2022 included countries in the Asia Pacific region such as Myanmar, Australia, the Philippines, Japan, and Taiwan, cybersecurity firm Trend Micro said in a Friday report.

Google Provides Rules to Detect Tens of Cracked Versions of Cobalt Strike
Date: 2022-11-21

Google Cloud researchers announced that they had discovered 34 different cracked Cobalt Strike release versions with a total of 275 unique JAR files across these versions. Google Cloud Threat Intelligence (GCTI) researchers developed a set of YARA rules to detect cracked variants in the wild with a high degree of accuracy. The researchers noticed that each Cobalt Strike version contains approximately 10 to 100 attack template binaries. The experts were able to locate versions of the Cobalt Strike JAR file starting with version 1.44 (released in 2012) up to the latest version at the time of publishing the analysis, Cobalt Strike 4.7.

New Ransomware Encrypts Files, Then Steals Your Discord Account
Date: 2022-11-21

When a user logs into Discord with their credentials, the platform sends back a user authentication token saved on the computer. This token can then be used to log in as the user or to issue API requests that retrieve information about the associated account. Threat actors commonly attempt to steal these tokens because they enable them to take over accounts or, even worse, abuse them for further malicious attacks.

Netflix Phishing Emails Surge 78%
Date: 2022-11-18

Researchers from Egress detailed an increase in phishing campaigns spoofing the Netflix brand since October, noting a 78% increase in impersonation attacks against the brand. If employees use the same credentials for personal accounts like Netflix as their work accounts, campaigns like this may impact corporate systems and data, warned Egress. The group behind the attacks is using Unicode characters to bypass natural language processing (NLP) scanning, which will prevent traditional anti-phishing filters from catching it. “Unicode helps to convert international languages within browsers – but it can also be used for visual spoofing by exploiting international language characters to make a fake URL look legitimate,” Egress wrote.
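The visual spoofing Egress describes above, a URL built from international characters that looks like a familiar brand name, can be screened for defensively before a link is ever followed. The following Python is an added example, not code from Egress or from the original page: it checks each label of a hostname for mixed Unicode scripts, for compatibility characters that fold to plain ASCII under NFKC, and for what the label becomes on the wire after IDNA encoding. The sample hostnames are constructed for the demonstration, and the script-from-character-name heuristic is a simplification of the Unicode confusable rules in UTS #39, not a full implementation of them.

```python
import unicodedata

# Constructed sample hostnames for the demonstration (not taken from any real campaign).
SAMPLES = [
    "netflix.com",                                      # plain ASCII, nothing to flag
    "n\u0435tflix.com",                                 # Latin letters with Cyrillic IE (U+0435) in place of "e"
    "\uff4e\uff45\uff54\uff46\uff4c\uff49\uff58.com",   # fullwidth Latin letters
]

# Characters treated as script-neutral inside a DNS label.
SCRIPT_NEUTRAL = set("0123456789-")


def scripts_in_label(label):
    """Coarse set of scripts used in one DNS label.

    The script is taken from the first word of each character's Unicode name
    (LATIN, CYRILLIC, GREEK, FULLWIDTH, ...). Digits and hyphens are ignored.
    This is a heuristic stand-in for UTS #39 script detection, not the real thing.
    """
    scripts = set()
    for ch in label:
        if ch in SCRIPT_NEUTRAL:
            continue
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNASSIGNED")
    return scripts


def assess_hostname(host):
    """Return a list of (label, finding) pairs describing why a hostname looks
    like a visual spoof. An empty list means no non-ASCII trickery was found;
    plain ASCII lookalikes are left to ordinary blocklists and typo-squat checks.
    """
    findings = []
    for label in host.lower().split("."):
        if not label or label.isascii():
            continue

        # 1. Several scripts mixed in one label (e.g. Latin plus one Cyrillic letter).
        scripts = scripts_in_label(label)
        if len(scripts) > 1:
            findings.append((label, "mixed scripts: " + ", ".join(sorted(scripts))))

        # 2. Compatibility characters (fullwidth, mathematical letters, ...) that
        #    normalise to an ASCII name the user will recognise.
        folded = unicodedata.normalize("NFKC", label)
        if folded != label and folded.isascii():
            findings.append((label, f"compatibility lookalike for ASCII '{folded}'"))

        # 3. What the resolver actually sees. Python's idna codec implements
        #    IDNA 2003, whose nameprep step folds compatibility forms to ASCII,
        #    so fullwidth "netflix" becomes literal "netflix" while the Cyrillic
        #    variant becomes an xn-- punycode label.
        try:
            wire = label.encode("idna").decode("ascii")
        except UnicodeError as exc:
            wire = f"<not IDNA-encodable: {exc}>"
        findings.append((label, f"non-ASCII label; on the wire it is '{wire}'"))
    return findings


if __name__ == "__main__":
    for host in SAMPLES:
        print(host, "->", assess_hostname(host) or "no findings")
```

In a mail-filtering pipeline the hostname of every extracted link would be passed to `assess_hostname`, and any non-empty result would be surfaced as a reason code alongside the usual reputation checks; the NFKC test is kept separate from the IDNA step precisely because IDNA 2003 silently folds fullwidth forms to ASCII, which would otherwise hide the lookalike.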

Phishing Kit Impersonates Well-known Brands to Target US Shoppers
Date: 2022-11-18

A sophisticated phishing kit has been targeting North Americans since mid-September, using lures focused on holidays like Labor Day and Halloween. The kit uses multiple detection evasion techniques and incorporates several mechanisms to keep non-victims away from its phishing pages.

Atlassian Fixes Critical Command Injection Bug in Bitbucket Server
Date: 2022-11-18

Atlassian has released updates to address critical-severity vulnerabilities in its centralized identity management platform, Crowd Server and Data Center, and in Bitbucket Server and Data Center, the company's solution for Git repository management. Both security vulnerabilities received a severity rating of 9 out of 10 (as calculated by Atlassian) and affect multiple versions of the products.

Previously Unidentified ARCrypter Ransomware Expands Worldwide
Date: 2022-11-18

A previously unknown ‘ARCrypter’ ransomware that compromised key organizations in Latin America is now expanding its attacks worldwide. Threat actors behind the new ransomware family attacked a government agency in Chile last August, targeting both Linux and Windows systems and appending the “.crypt” extension on encrypted files. Back then, Chilean threat analyst Germán Fernández told BleepingComputer that the strain appeared entirely new, not connected to any known ransomware families. Researchers at BlackBerry have confirmed this via a report that identifies the family as ARCrypter and links it to a second attack against the Colombia National Food and Drug Surveillance Institute (Invima) in October.

TLP: CLEAR - HIVE RANSOMWARE
Date: 2022-11-17

Today, CISA, the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) released joint Cybersecurity Advisory (CSA) #StopRansomware: Hive Ransomware to provide network defenders tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with Hive ransomware variants. FBI investigations identified these TTPs and IOCs as recently as November 2022.

FBI-Wanted Leader of the Notorious Zeus Botnet Gang Arrested in Geneva
Date: 2022-11-17

A Ukrainian national who has been wanted by the U.S. for over a decade has been arrested by Swiss authorities for his role in a notorious cybercriminal ring that stole millions of dollars from victims' bank accounts using malware called Zeus. Vyacheslav Igorevich Penchukov, who went by the online pseudonyms "tank" and "father," is said to have been involved in the day-to-day operations of the group. He was apprehended on October 23, 2022, and is pending extradition to the U.S. Details of the arrest were first reported by independent security journalist Brian Krebs.

High Severity Vulnerabilities Reported in F5 BIG-IP and BIG-IQ Devices
Date: 2022-11-17

Cybersecurity firm Rapid7 recently disclosed two high-severity vulnerabilities in F5 BIG-IP and BIG-IQ devices which could enable complete device takeover upon successful exploitation. The first flaw which is being tracked as CVE-2022-41622 is related to a cross-site request forgery vulnerability in BIG-IP and BIG-IQ products and can allow a malicious threat actor to execute code remotely without authentication.

Ukrainian CERT Discloses New Data-Wiping Campaign
Date: 2022-11-17

Ukrainian cyber-experts have discovered a new attack campaign by suspected Russian threat actors that compromises victims’ VPN accounts to access and encrypt networked resources. The country’s Computer Emergency Response Team (CERT) noted in a new statement that the so-called Somnia ransomware was being used by the FRwL (aka Z-Team), also identified as UAC-0118.

U.S. Charges Russian Suspects With Operating Z-Library E-book Site
Date: 2022-11-17

Z-Library is described as "one of the world's largest public and free-to-access written content repositories, containing 11 million books and 84 million articles in a massive 220 TB database" and as a volunteer-run project with no commercial direction. However, at some point, it started offering paid memberships in exchange for premium features.

Microsoft Urges Devs to Migrate Away From .Net Core 3.1 ASAP
Date: 2022-11-17

Microsoft has urged developers still using the long-term support (LTS) release of .NET Core 3.1 to migrate to the latest .NET versions before it reaches end of support (EOS) next month. The company warned customers on the Windows message center to upgrade to .NET 6 (LTS) or .NET 7 "as soon as possible" before .NET Core 3.1 (LTS) reaches EOS on December 13, 2022.

Study: Electronics Repair Technicians Snoop on Your Data
Date: 2022-11-16

When your computer or smartphone needs repairing, can you trust repair technicians not to access or steal your data? According to the results of recent research by scientists at the University of Guelph, Canada, you shouldn’t. Granted, they tested only 16 repair service providers with rigged devices, but in six cases, technicians snooped on customers’ data, and in two, they copied the data to external devices. Oh, and most of them tried to cover their tracks, either by removing evidence (e.g., by clearing items in the “Quick Access” or “Recently Accessed Files” on Microsoft Windows) or by trying not to generate it (e.g., by just zooming in on photo thumbnails).

New Rapperbot Campaign Targets Game Servers With DDoS Attacks
Date: 2022-11-16

Researchers from FortiGuard Labs discovered the previously undetected RapperBot IoT botnet in August and reported that it has been active since mid-June 2022. The bot borrows a large portion of its code from the original Mirai botnet, but unlike other IoT malware families, it implements a built-in capability to brute-force credentials and gain access to SSH servers, rather than Telnet as implemented in Mirai.

North Korean Hackers Target European Orgs With Updated Malware
Date: 2022-11-16

North Korean hackers are using a new version of the DTrack backdoor to attack organizations in Europe and Latin America. DTrack is a modular backdoor featuring a keylogger, a screenshot snapper, a browser history retriever, a running processes snooper, an IP address and network connection information snatcher, and more. Apart from spying, it can also run commands to perform file operations, fetch additional payloads, steal files and data, and execute processes on the compromised device. The new malware version doesn't feature many functional or code changes compared to samples analyzed in the past, but it is now deployed far more widely.

Researchers Discover Hundreds of Amazon RDS Instances Leaking Users' Personal Data
Date: 2022-11-15

Researchers recently uncovered hundreds of databases on Amazon Relational Database Service (Amazon RDS) which are exposing personally identifiable information (PII). "Amazon RDS is a web service that makes it possible to set up relational databases in the Amazon Web Services (AWS) cloud. It offers support for different database engines such as MariaDB, MySQL, Oracle, PostgreSQL, and SQL Server."

China-Based Campaign Uses 42,000 Phishing Domains
Date: 2022-11-16

Security researchers have uncovered a sophisticated phishing campaign using tens of thousands of malicious domains to spread malware and generate advertising revenue. Dubbed “Fangxiao,” the group directs unsuspecting users to the domains via WhatsApp messages telling them they’ve won a prize, according to security vendor Cyjax. The phishing site landing pages apparently impersonate hundreds of well-known brands including Emirates, Unilever, Coca-Cola, McDonald’s and Knorr. The victims will be redirected to advertising sites, which Fangxiao generates money from, en route to a fake survey where it's claimed they can win a prize.

Chinese Hackers Target Government Agencies and Defense Orgs
Date: 2022-11-15

A cyberespionage threat actor tracked as Billbug (a.k.a. Thrip, Lotus Blossom, Spring Dragon) has been running a campaign targeting a certificate authority, government agencies, and defense organizations in several countries in Asia. The most recent attacks were observed since at least March but the actor has been operating stealthily for more than a decade and it is believed to be a state-sponsored group working for China. Its operations have been documented by multiple cybersecurity companies over the past six years.

Whoosh Confirms Data Breach After Hackers Sell 7.2M User Records
Date: 2022-11-15

Whoosh is Russia's leading urban mobility service platform, operating in 40 cities with over 75,000 scooters. The Russian scooter-sharing service has confirmed a data breach after hackers started to sell a database containing the details of 7.2 million customers on a hacking forum. It was on Friday, when the threat actor began selling the stolen data on a hacking forum, which allegedly contains promotion codes that can be used to access the service for free, as well as partial user identification and payment card data.

Previously Undetected Earth Longzhi APT Group Is a Subgroup of APT41
Date: 2022-11-15

Early this year, Trend Micro investigated a security breach suffered by a company in Taiwan. Threat actors employed a custom Cobalt Strike loader in the attack. Further analysis revealed that the same threat actor targeted multiple regions using a similar Cobalt Strike loader and has been active since 2020. The experts attributed the attacks to a new subgroup of the China-linked APT41 group, tracked as Earth Longzhi.

SSVC: Prioritization of Vulnerability Remediation According to CISA
Date: 2022-11-15

The volume of newly discovered vulnerabilities continues to increase year after year. As threat actors become better at weaponizing vulnerabilities, it is becoming ever more important for organizations to make timely and well-judged decisions regarding vulnerability prioritization and remediation. While CISA regularly publishes its list of most exploited vulnerabilities and regularly updates the Known Exploited Vulnerabilities Catalog, it still remains a challenge for organizations to understand which security holes should be plugged first. To address these challenges, CISA has been updating and promoting the Stakeholder-Specific Vulnerability Categorization (SSVC) system.

Microsoft Fixes Windows DirectAccess Connectivity Issues
Date: 2022-11-14

Microsoft has resolved a known issue causing connectivity problems for Windows customers using the DirectAccess service to access their organizations remotely without using a virtual private network (VPN). According to Redmond, DirectAccess might not reconnect automatically after the impacted device experiences connectivity issues. Scenarios that could lead to this known issue include switching between access points or Wi-Fi networks and temporarily losing network connectivity. The problems affect enterprise endpoints where admins have deployed Windows updates released since mid-October.

Kmsdbot, a New Evasive Bot for Cryptomining Activity and DDoS Attacks
Date: 2022-11-14

KmsdBot, which has been employed in cryptocurrency mining campaigns, supports multiple architectures, including Winx86, Arm64, mips64, and x86_64, and does not maintain persistence, in order to avoid detection. The malicious code was used in attacks targeting multiple sectors including the gaming industry, technology industry, and luxury car manufacturers. The first DDoS attack observed by Akamai targeted a gaming company named FiveM, which allows gamers to host custom private servers for Grand Theft Auto Online. The malware employed specific targeted attacks along with generic Layer 4 and Layer 7 attacks.

Ukraine Says Russian Hacktivists Use New Somnia Ransomware
Date: 2022-11-14

Russian hacktivists have infected multiple organizations in Ukraine with a new ransomware strain called 'Somnia,' encrypting their systems and causing operational problems. The Computer Emergency Response Team of Ukraine (CERT-UA) has confirmed the outbreak via an announcement on its portal, attributing the attacks to 'From Russia with Love' (FRwL), also known as 'Z-Team,' whom they track as UAC-0118. The group previously disclosed creating the Somnia ransomware on Telegram and even posted evidence of attacks against tank producers in Ukraine. However, until today, Ukraine has not confirmed any successful encryption attacks by the hacking group.

Multiple High-Severity Flaws Affect Widely Used OpenLiteSpeed Web Server Software
Date: 2022-11-14

Palo Alto Networks’ Unit 42 research team recently disclosed multiple vulnerabilities in the open-source OpenLiteSpeed Web Server as well as its enterprise version (LiteSpeed Web Server) which could be exploited to achieve remote code execution. In total, three vulnerabilities were uncovered: two rated high severity and one rated medium severity.
The vulnerabilities include:
  • Remote Code Execution (CVE-2022-0073) (CVSS 8.8)
  • Privilege Escalation (CVE-2022-0074) (CVSS 8.8)
  • Directory Traversal (CVE-2022-0072) (CVSS 5.8)

Canadian Food Retail Giant Sobeys Hit by Black Basta Ransomware
Date: 2022-11-14

Grocery stores and pharmacies belonging to Canadian food retail giant Sobeys have been experiencing IT systems issues since last weekend. Sobeys is one of two national grocery retailers in Canada, with 134,000 employees servicing a network of 1,500 stores in all ten provinces under multiple retail banners, including Sobeys, Safeway, IGA, Foodland, FreshCo, Thrifty Foods, and Lawtons Drugs.

Ukraine Arrests Fraud Ring Members Who Made €200 Million per Year
Date: 2022-11-10

Ukraine's cyber police and Europol have identified and arrested five key members of an international investment fraud ring estimated to have caused losses of over €200 million per year. The operation of the investment scheme was spread across multiple European countries, including Ukraine, Germany, Spain, Latvia, Finland, and Albania. The scammers operated call centers and offices in these countries, which they used to trick prospective investors into making a series of fake investments. The criminals created an extensive network of fake websites posing as cryptocurrency, stocks, bonds, futures, and options investment portals to promote the operation.

APT29 Abused Windows Credential Roaming in an Attack Against a Diplomatic Entity
Date: 2022-11-10

The attack stands out for its use of the Windows Credential Roaming feature. Credential Roaming was introduced by Microsoft in Windows Server 2003 SP1 and is still supported on Windows 11 and Windows Server 2022. The feature is used to roam certificates and other credentials with the user within a domain. APT29, along with the APT28 cyber espionage group, was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.

High-Severity Flaw Reported in Critical System Used by Oil and Gas Companies
Date: 2022-11-10

Security researchers at Claroty recently disclosed details of a vulnerability in a system used across oil and gas organizations. Tracked as CVE-2022-0902 (CVSS score: 8.1), the flaw is a path traversal vulnerability in ABB Totalflow flow computers and remote controllers. “Flow computers are special-purpose electronic instruments used by petrochemical manufacturers to interpret data from flow meters and calculate and record the volume of substances such as natural gas, crude oils, and other hydrocarbon fluids at a specific point in time. These gas measurements are critical not only when it comes to process safety, but are also used as inputs when bulk liquid or gas products change hands between parties, making it imperative that the flow measurements are accurately captured.”

15,000 sites hacked for massive Google SEO poisoning campaign
Date: 2022-11-10

Hackers are conducting a massive black hat search engine optimization (SEO) campaign by compromising almost 15,000 websites to redirect visitors to fake Q&A discussion forums. The attacks were first spotted by Sucuri, who says that each compromised site contains approximately 20,000 files used as part of the search engine spam campaign, with most of the sites being WordPress. The researchers believe the threat actors' goal is to generate enough indexed pages to increase the fake Q&A sites' authority and thus rank better in search engines.

Google Reveals Spyware Vendor's Use of Samsung Phone Zero-Day Exploits
Date: 2022-11-10

Google Project Zero has disclosed the details of three Samsung phone vulnerabilities that have been exploited by a spyware vendor since being designated with zero-day status. The flaws, tracked as CVE-2021-25337, CVE-2021-25369 and CVE-2021-25370, have been chained and exploited against Android phones, but they impact custom Samsung components. The security holes have been described as an arbitrary file read/write issue via a custom clipboard content provider, a kernel information leak, and a use-after-free in the display processing unit driver.

Malicious extension lets attackers control Google Chrome remotely
Date: 2022-11-09

A new Chrome browser botnet named 'Cloud9' has been discovered in the wild using malicious extensions to steal online accounts, log keystrokes, inject ads and malicious JS code, and enlist the victim's browser in DDoS attacks. The Cloud9 browser botnet is effectively a remote access trojan (RAT) for Chromium-based browsers, including Google Chrome and Microsoft Edge, allowing the threat actor to remotely execute commands. The malicious Chrome extension isn't available on the official Chrome Web Store but is instead circulated through alternative channels, such as websites pushing fake Adobe Flash Player updates. This method appears to be working well, as researchers at Zimperium reported today that they have seen Cloud9 infections on systems across the globe.

Citrix urges admins to patch critical ADC, Gateway auth bypass
Date: 2022-11-09

On Tuesday, Citrix released security updates to address three flaws impacting Citrix ADC and Citrix Gateway, one of which is a critical authentication bypass vulnerability. Successful exploitation of these flaws could enable threat actors to gain unauthorized access to the targeted device, perform remote desktop takeover, and bypass login brute-force protections.

VMware Fixes Three Critical Auth Bypass Bugs in Remote Access Tool
Date: 2022-11-09

VMware has released security updates to address three critical severity vulnerabilities in the Workspace ONE Assist solution that enable remote attackers to bypass authentication and elevate privileges to admin. Workspace ONE Assist provides remote control, screen sharing, file system management, and remote command execution to help desk and IT staff remotely access and troubleshoot devices in real time from the Workspace ONE console.

Microsoft Patch Tuesday Updates Fix 6 Actively Exploited Zero-Days
Date: 2022-11-09

Eleven vulnerabilities are rated Critical and 53 are rated Important in severity. This month Microsoft addressed a couple of vulnerabilities in MS Exchange that are currently being exploited in the wild. “They were expected last month, but they are finally here (along with several other Exchange fixes). These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. At some point later, they were detected in the wild. Microsoft has released several different mitigation recommendations, but the best advice is to test and deploy these fixes,” reads the announcement published by ZDI. “There were some who doubted these patches would be released this month, so it’s good to see them here.”

Advanced RAT AgentTesla Most Prolific Malware in October
Date: 2022-11-09

CheckPoint researchers released their Global Threat Index for October 2022, which features metrics from millions of CheckPoint threat intel sensors installed across customer networks, endpoints, and mobile devices. The researchers found that AgentTesla accounted for nearly a fifth (16%) of total global detections in October. The report revealed that “AgentTesla was the most widespread malware, impacting 7% of organizations. The advanced RAT malware works as a keylogger and information stealer capable of collecting the victim’s keystrokes, taking screenshots and exfiltrating credentials.”

Amadey Bot Spotted Deploying LockBit 3.0 Ransomware on Hacked Machines
Date: 2022-11-08

The Amadey malware is being used to deploy LockBit 3.0 ransomware on compromised systems, researchers have warned. ‘Amadey bot, the malware that is used to install LockBit, is being distributed through two methods: one using a malicious Word document file, and the other using an executable that takes the disguise of the Word file icon,’ AhnLab Security Emergency Response Center (ASEC) said in a new report published today.

New Laplas Clipper Malware Targeting Cryptocurrency Users via SmokeLoader
Date: 2022-11-08

Cryptocurrency users are being targeted with a new clipper malware strain dubbed Laplas, delivered by means of another malware known as SmokeLoader. Clipper malware watches the clipboard for copied cryptocurrency wallet addresses and silently swaps them for attacker-controlled ones, so a victim who pastes the address sends funds to the attacker instead. SmokeLoader, which is delivered through weaponized documents sent in spear-phishing emails, further acts as a conduit for other commodity trojans like SystemBC and Raccoon Stealer 2.0, according to an analysis from Cyble. Observed in the wild since around 2013, SmokeLoader functions as a generic loader capable of distributing additional payloads onto compromised systems, such as information-stealing malware and other implants. In July 2022, it was found to deploy a backdoor called Amadey. Cyble said it discovered over 180 samples of Laplas since October 24, 2022, suggesting wide deployment.

China is Likely Stockpiling and Deploying Vulnerabilities, says Microsoft
Date: 2022-11-08

Microsoft has asserted that China's offensive cyber capabilities have improved, thanks to a law that has allowed Beijing to create an arsenal of unreported software vulnerabilities. China's 2021 law required organizations to report security vulnerabilities to local authorities before disclosing them to any other entity. The rules mean Beijing can use local research to hoard vulnerability information.

Robin Banks Phishing Service for Cybercriminals Returns with Russian Server
Date: 2022-11-07

According to a new report from cybersecurity firm IronNet, Robin Banks has returned after relocating its attack infrastructure to DDoS-Guard, a Russian provider of bulletproof hosting services. Robin Banks is a phishing-as-a-service platform that was uncovered back in July 2022. The platform offers ready-made phishing kits that have been used to target customers of well-known banks and online services including Citibank, Bank of America, Capital One, Wells Fargo, PNC, U.S. Bank, etc.

British Govt Is Scanning All Internet Devices Hosted in UK
Date: 2022-11-07

The United Kingdom's National Cyber Security Centre (NCSC), the government agency that leads the country's cyber security mission, is now scanning all Internet-exposed devices hosted in the UK for vulnerabilities. The goal is to assess UK's vulnerability to cyber-attacks and to help the owners of Internet-connected systems understand their security posture.

New Crimson Kingsnake gang impersonates law firms in BEC attacks
Date: 2022-11-04

A business email compromise (BEC) group named 'Crimson Kingsnake' has emerged, impersonating well-known international law firms to trick recipients into approving overdue invoice payments. The threat actors impersonate lawyers who are sending invoices for overdue payment of services supposedly provided to the recipient firm a year ago. This approach creates a solid basis for the BEC attack, as recipients may be intimidated when receiving emails from large law firms like the ones impersonated in the scams.

Cisco Addressed Several High-severity Flaws in Its Products
Date: 2022-11-04

Cisco addressed multiple vulnerabilities impacting some of its products, including high-severity flaws in its identity, email, and web security products. The most severe vulnerability addressed by the IT giant is a cross-site request forgery (CSRF) flaw, tracked as CVE-2022-20961 (CVSS score of 8.8), that impacts the Identity Services Engine (ISE). An unauthenticated, remote attacker can exploit the vulnerability by persuading an authenticated user of the web-based management interface to follow a crafted link, causing that user's browser to perform arbitrary actions on the device with the user's privileges. The root cause of the issue is insufficient CSRF protection for the web-based management interface of an affected device.
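
The CSRF weakness described above, as an added example that is not Cisco's code and says nothing about how ISE is actually implemented: a hypothetical "create admin" endpoint that authorizes on the session cookie alone, beside the same endpoint hardened with a per-session synchronizer token and an Origin check. The host name, endpoint path, session store and request model are all assumptions made for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlparse

# Hypothetical management interface host name (an assumption for this example).
SITE_HOST = "ise-admin.example.internal"

@dataclass
class Request:
    """Minimal model of an HTTP request as the server sees it (hypothetical endpoint)."""
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)

# Server-side session store: session id -> {"user": ..., "csrf": ...}
SESSIONS: Dict[str, Dict[str, str]] = {}

def login(user: str) -> str:
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def session_for(req: Request) -> Optional[Dict[str, str]]:
    return SESSIONS.get(req.cookies.get("session", ""))

def add_admin_vulnerable(req: Request) -> str:
    """BEFORE: the cookie alone authorizes the action. Browsers attach cookies to
    cross-site form posts, so any page the admin visits can fire this request."""
    sess = session_for(req)
    if req.method != "POST" or sess is None:
        return "401 Unauthorized"
    return f"200 created admin {req.form.get('username')} (by {sess['user']})"

def csrf_ok(req: Request, sess: Dict[str, str]) -> bool:
    # 1) Synchronizer token: must arrive in a form field or custom header, which a
    #    cross-site page cannot read or set; compare in constant time.
    presented = req.headers.get("X-CSRF-Token") or req.form.get("csrf_token", "")
    if not hmac.compare_digest(presented.encode(), sess["csrf"].encode()):
        return False
    # 2) Defence in depth: Origin (or Referer) must name our own host.
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    return origin is not None and urlparse(origin).hostname == SITE_HOST

def add_admin_hardened(req: Request) -> str:
    """AFTER: same action, but only with a valid per-session token and a
    same-origin Origin/Referer header."""
    sess = session_for(req)
    if req.method != "POST" or sess is None:
        return "401 Unauthorized"
    if not csrf_ok(req, sess):
        return "403 Forbidden (CSRF check failed)"
    return f"200 created admin {req.form.get('username')} (by {sess['user']})"

def forged_request(sid: str) -> Request:
    """What an auto-submitting form on attacker.example produces in the victim's
    browser: the session cookie rides along, the CSRF token does not."""
    return Request("POST", "/admin/users",
                   headers={"Origin": "https://attacker.example"},
                   cookies={"session": sid},
                   form={"username": "backdoor", "role": "superadmin"})

def legitimate_request(sid: str) -> Request:
    """A request issued by the real UI, which embeds the session's token."""
    return Request("POST", "/admin/users",
                   headers={"Origin": f"https://{SITE_HOST}",
                            "X-CSRF-Token": SESSIONS[sid]["csrf"]},
                   cookies={"session": sid},
                   form={"username": "new-operator", "role": "helpdesk"})

if __name__ == "__main__":
    sid = login("alice")
    print("vulnerable, forged request: ", add_admin_vulnerable(forged_request(sid)))
    print("hardened,   forged request: ", add_admin_hardened(forged_request(sid)))
    print("hardened,   genuine request:", add_admin_hardened(legitimate_request(sid)))
```

The token check is the primary control; the Origin check only catches the case where a token leaks or the token comparison is bypassed. Marking the session cookie `SameSite=Lax` or `Strict` adds a third layer, since the browser then withholds it from cross-site POSTs in the first place.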

Attackers Leverage Microsoft Dynamics 365 to Phish Users
Date: 2022-11-04

Attackers are abusing Microsoft Dynamics 365 Customer Voice to evade email filters and deliver phishing emails into Microsoft users’ inboxes, Avanan researchers are warning. Microsoft Dynamics 365 is a suite of enterprise resource planning (ERP) and customer relationship management (CRM) applications. Customer Voice is one of these applications, and it’s used for collecting data and feedback from customers via surveys, phone calls, etc. The attackers have created Microsoft Dynamics 365 Customer Voice accounts and are using them to send out phishing emails telling recipients that they have received a voicemail. To the end user, this looks like a voicemail from a customer, which would be important to listen to. Clicking on it is the natural step.

Lockbit Ransomware Claims Attack on Continental Automotive Giant
Date: 2022-11-03

LockBit allegedly stole some data from Continental's systems, and they are threatening to publish it on their data leak site if the company doesn't give in to their demands within the next 22 hours. The gang has yet to make any details available regarding what data it exfiltrated from Continental's network or when the breach occurred. Ransomware gangs commonly publish data on their leak sites as a tactic to scare their victims into negotiating a deal or into returning to the negotiation table. Since LockBit says that it will publish "all available" data, this indicates that Continental is yet to negotiate with the ransomware operation or it has already refused to comply with the demands.

Black Basta Ransomware Gang Linked to the FIN7 Hacking Group
Date: 2022-11-03

Security researchers at Sentinel Labs have uncovered evidence that links the Black Basta ransomware gang to the financially motivated hacking group FIN7, also known as "Carbanak." When analyzing tools used by the ransomware gang in attacks, the researchers found signs that a developer for FIN7 has also authored the EDR (Endpoint Detection and Response) evasion tools used exclusively by Black Basta since June 2022.

OPERA1ER APT Hackers Targeted Dozens of Financial Organizations in Africa
Date: 2022-11-03

A French-speaking threat actor dubbed OPERA1ER has been linked to a series of more than 30 successful cyber attacks aimed at banks, financial services, and telecom companies across Africa, Asia, and Latin America between 2018 and 2022. According to Singapore-headquartered cybersecurity company Group-IB, the attacks have led to thefts totaling $11 million, with actual damages estimated to be as high as $30 million. Some of the more recent attacks in 2021 and 2022 have singled out five different banks in Burkina Faso, Benin, Ivory Coast, and Senegal. Many of the victims identified are said to have been compromised twice, and their infrastructure subsequently weaponized to strike other organizations.

Hundreds of U.S. news sites push malware in supply-chain attack
Date: 2022-11-03

Threat actors are using the compromised infrastructure of an undisclosed media company to deploy the SocGholish JavaScript malware framework (also known as FakeUpdates) on the websites of hundreds of newspapers across the U.S. ‘The media company in question is a firm that provides both video content and advertising to major news outlets. [It] serves many different companies in different markets across the United States,’ Sherrod DeGrippo, VP of threat research and detection at Proofpoint, told BleepingComputer. The threat actor behind this supply-chain attack (tracked by Proofpoint as TA569) has injected malicious code into a benign JavaScript file that gets loaded by the news outlets' websites.

Dozens of PyPI Packages Caught Dropping ‘w4sp’ Info-Stealing Malware
Date: 2022-11-03

Researchers have discovered over two dozen Python packages on the PyPI registry that push info-stealing malware. Most contain obfuscated code that drops the "W4SP" info-stealer on infected machines, while others make use of malware purportedly created for "educational purposes" only. The packages imitate popular libraries and drop info-stealers once installed. They are typosquats: the threat actors publishing them have intentionally chosen names similar to known Python libraries in the hope that developers attempting to fetch the real library make a spelling error and inadvertently retrieve one of the malicious ones instead.
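
As an added illustration of the check a team can run against its own dependency list (this is not code from the researchers or from PyPI): normalize names the way PyPI does, then flag any required package that is not on the known list but sits within a couple of edits of one that is. The known-package set and the requirements file below are constructed for this example.

```python
import re
from typing import Iterable, List, Tuple

# Packages the team actually depends on (constructed for this example; in
# practice seed it from a lockfile or an internal allow-list).
KNOWN_PACKAGES = {"requests", "urllib3", "colorama", "pyyaml", "numpy", "cryptography"}

def normalize(name: str) -> str:
    """PEP 503 normalization: case-insensitive, and runs of '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute at cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text: str) -> List[str]:
    """Pull bare project names out of requirements.txt-style lines."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # blank, comment or pip option
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)", line)
        if m:
            names.append(m.group(1))
    return names

def find_typosquats(requirements: Iterable[str], known: Iterable[str],
                    max_distance: int = 2) -> List[Tuple[str, str, int]]:
    """(requested, closest_known, distance) for every name that is not on the
    known list but sits within max_distance edits of one that is."""
    known_norm = {normalize(k) for k in known}
    hits = []
    for req in requirements:
        n = normalize(req)
        if n in known_norm:
            continue
        closest = min(known_norm, key=lambda k: levenshtein(n, k))
        d = levenshtein(n, closest)
        if d <= max_distance:
            hits.append((req, closest, d))
    return hits

# Constructed requirements file for the demonstration.
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
requesrs             # one substitution away from 'requests'
colorma>=0.4         # one deletion away from 'colorama'
acme-internal-tools  # unrelated internal package, should not be flagged
numpy
"""

if __name__ == "__main__":
    for req, near, d in find_typosquats(parse_requirements(SAMPLE_REQUIREMENTS), KNOWN_PACKAGES):
        print(f"SUSPICIOUS: {req!r} is {d} edit(s) from known package {near!r}; verify before installing")
```

Edit distance is one signal, not a verdict: real typosquats also use confusable characters and prefixes such as `python-`, so pair this with pinned hashes (`pip install --require-hashes`) so that a name that slips through still cannot pull a different artifact than the one reviewed.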

Emotet Botnet Starts Blasting Malware Again After 5 Month Break
Date: 2022-11-03

Emotet is a malware infection distributed through phishing campaigns containing malicious Excel or Word documents. When users open these documents and enable macros, the Emotet DLL will be downloaded and loaded into memory. Once loaded, the malware will search for and steal emails to use in future spam campaigns and drop additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks. While Emotet was considered the most distributed malware in the past, it suddenly stopped spamming on June 13th, 2022. Researchers from the Emotet research group Cryptolaemus reported that at approximately 4:00 AM ET on November 2nd, the Emotet operation suddenly came alive again, spamming email addresses worldwide.

CISA Message on OpenSSL 3.0.7 Release
Date: 2022-11-03

To follow up on Monday's message, OpenSSL has released a security advisory to address two vulnerabilities (CVE-2022-3602 and CVE-2022-3786) affecting OpenSSL versions 3.0.0 through 3.0.6; both are fixed in 3.0.7. Both are stack buffer overflows in X.509 certificate verification, specifically in the punycode decoding used for name-constraint checking of email addresses, and both can cause a denial of service. According to OpenSSL, a threat actor leveraging CVE-2022-3602 "can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution," allowing them to take control of an affected system. CVE-2022-3786 allows an arbitrary number of bytes to be overflowed, but each must be the '.' character, which limits it to a crash. In both cases the overflow occurs after chain signature verification, so the malicious certificate must either be signed by a CA the application trusts or the application must continue verification despite failing to build a path to a trusted issuer.

New Sandstrike Spyware Infects Android Devices via Malicious VPN App
Date: 2022-11-03

Threat actors are using newly discovered spyware known as SandStrike and delivered via a malicious VPN application to target Android users. They focus on Persian-speaking practitioners of the Baháʼí Faith, a religion developed in Iran and parts of the Middle East. The attackers are promoting the malicious VPN app as a simple way to circumvent censorship of religious materials in certain regions. To spread it, they use social media accounts to redirect potential victims to a Telegram channel that would provide them with links to download and install the booby-trapped VPN.

Dropbox Breach: Hackers Unauthorizedly Accessed 130 GitHub Source Code Repositories
Date: 2022-11-03

On Tuesday, Dropbox disclosed it was the victim of a phishing campaign that enabled unidentified threat actors to gain unauthorized access to 130 of its source code repositories on GitHub. The repositories allegedly contained copies of modified third-party libraries used by Dropbox, internal prototypes, and some tools and configuration files used by the file hosting service’s security team.

Ransomware Research: 17 Leaked Databases Operated by Threat Actors Threaten Third-Party Organizations
Date: 2022-11-03

Ransomware remains a serious threat to organizations, Deep Instinct, a New York-based deep learning cybersecurity specialist, said in its recently released 2022 Interim Cyber Threat Report. It’s no surprise, the company said, as there are currently 17 leaked databases operated by threat actors who are leveraging the data for attacks on third-party companies, most notably social engineering, credential theft, and triple-extortion attacks.

OpenSSL Update: Fixes for Two ‘High’ Severity Vulnerabilities Released
Date: 2022-11-02

OpenSSL released patches for two vulnerabilities that caused widespread concern among cybersecurity experts and researchers over the past week and a half. OpenSSL is a widely used open-source cryptographic library that provides the TLS implementation behind much of the Internet's secured communication.

VMware Warns of the Public Availability of CVE-2021-39144 Exploit Code
Date: 2022-11-01

VMware warned of the existence of a public exploit targeting a recently addressed critical remote code execution (RCE) vulnerability, tracked as CVE-2021-39144 (CVSS score of 9.8), in NSX Data Center for vSphere (NSX-V). VMware NSX is a network virtualization solution that is available in VMware vCenter Server. The remote code execution vulnerability resides in the XStream open-source library. Unauthenticated attackers can exploit the vulnerability in low-complexity attacks without user interaction.

Hackers Selling Access to 576 Corporate Networks for $4 Million
Date: 2022-11-01

A new report shows that hackers are selling access to 576 corporate networks worldwide for a cumulative asking price of $4,000,000, fueling attacks on the enterprise. The research comes from Israeli cyber-intelligence firm KELA, whose Q3 2022 ransomware report reflects stable activity in initial access sales but a steep rise in the value of the offerings. Although the number of network access listings remained about the same as in the previous two quarters, the cumulative requested price reached $4,000,000, compared with $660,000 in Q2 2022, a dip that coincided with the summer ransomware hiatus that hurt demand. In the third quarter of 2022, KELA's analysts observed 110 threat actors posting the 576 initial access offerings. The average asking price was $2,800, while the median reached a record $1,350.

FTC Takes Enforcement Action Against EdTech Giant Chegg
Date: 2022-11-01

The Federal Trade Commission (FTC) has taken legal action against EdTech player Chegg, alleging the firm has failed to protect its customers after suffering four data breaches since 2017. The FTC’s proposed order alleged Chegg took “shortcuts” with the personal data of millions of its students and will mandate enhanced data security, limits to data collection, improved access controls and more autonomy for students to delete their own data. The California-based company – which sells online tutoring and online scholarship search services, among other things – collects a large amount of personal and financial information on its customers. This includes their religious affiliation, date of birth, sexual orientation, disabilities, Social Security numbers and medical data, the FTC said.

Microsoft fixes critical RCE flaw affecting Azure Cosmos DB
Date: 2022-11-01

Analysts at Orca Security recently disclosed a critical vulnerability affecting Azure Cosmos DB that could have allowed an unauthenticated threat actor to gain read and write access to containers. The flaw, dubbed CosMiss, resided in the Azure Cosmos DB built-in Jupyter Notebooks feature, which integrates into the Azure portal and Cosmos DB accounts to make querying, analyzing, and visualizing NoSQL data easier.

Former British Prime Minister Liz Truss's Phone Was Allegedly Hacked by Russian Spies
Date: 2022-10-31

The personal mobile phone of former British Prime Minister Liz Truss was hacked by cyber spies suspected of working for the Kremlin, the Daily Mail reported. According to the British tabloid, the cyber-spies are believed to have gained access to top-secret exchanges with key international partners as well as private conversations with her friend, the British Conservative Party politician Kwasi Kwarteng.

Github Flaw Could Have Allowed Attackers to Takeover Repositories of Other Users
Date: 2022-10-31

The vulnerability was discovered by Checkmarx, which calls the attack technique RepoJacking. When a GitHub user renames their account, links to the old username redirect to the new one and the old username becomes available to register; an attacker who claims it and recreates a repository of the same name can serve malicious code to anything that still references the old path. The flaw could therefore allow an attacker to take control of a GitHub repository and potentially infect all applications and other code relying on it with malicious code. Unless explicitly guarded against, all renamed usernames on GitHub were exposed to this flaw, including over 10,000 packages on the Go, Swift, and Packagist package managers.
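
An added example, not Checkmarx's tooling, of how to audit a Go module file for the precondition RepoJacking needs: a pinned github.com path whose owner no longer resolves as the canonical name. The go.mod contents, organization names and canned HTTP responses are constructed; in real use the probe would issue a HEAD request with redirects disabled and return the status and Location header.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

GITHUB_PATH_RE = re.compile(r"github\.com/([A-Za-z0-9-]+)/([A-Za-z0-9._-]+)")

def github_deps_from_go_mod(go_mod: str) -> List[Tuple[str, str]]:
    """Return (owner, repo) for every github.com module path required in go.mod."""
    deps = []
    for line in go_mod.splitlines():
        if line.strip().startswith("module "):   # the module's own path, not a dependency
            continue
        m = GITHUB_PATH_RE.search(line)
        if m:
            deps.append((m.group(1), m.group(2)))
    return deps

# A probe answers a HEAD on the repo URL with (status, Location header or None).
# It is injected so the audit runs offline here; a real one would use
# urllib/requests with redirects disabled.
Probe = Callable[[str], Tuple[int, Optional[str]]]

def assess_dependency(owner: str, repo: str, probe: Probe) -> str:
    status, location = probe(f"https://github.com/{owner}/{repo}")
    if status == 404:
        return "missing: owner or repo no longer exists, so the name may be claimable"
    if status in (301, 302, 307, 308) and location:
        new_owner = urlparse(location).path.strip("/").split("/")[0]
        if new_owner.lower() != owner.lower():
            return f"redirected: now under {new_owner!r}; the old name {owner!r} is the RepoJacking target"
    return "ok"

def audit(go_mod: str, probe: Probe) -> Dict[str, str]:
    return {f"{o}/{r}": assess_dependency(o, r, probe)
            for o, r in github_deps_from_go_mod(go_mod)}

# Constructed go.mod with hypothetical organizations.
SAMPLE_GO_MOD = """\
module example.com/svc

go 1.19

require (
    github.com/stable-org/logger v1.4.0
    github.com/old-handle/toolkit v0.9.1
    github.com/gone-dev/leftpad v0.1.0
)
"""

# Canned answers standing in for live HEAD responses (constructed).
CANNED: Dict[str, Tuple[int, Optional[str]]] = {
    "https://github.com/stable-org/logger": (200, None),
    "https://github.com/old-handle/toolkit": (301, "https://github.com/new-handle/toolkit"),
    "https://github.com/gone-dev/leftpad": (404, None),
}

def canned_probe(url: str) -> Tuple[int, Optional[str]]:
    return CANNED.get(url, (404, None))

if __name__ == "__main__":
    for dep, verdict in audit(SAMPLE_GO_MOD, canned_probe).items():
        print(f"{dep:26s} {verdict}")
```

A redirect is not proof of compromise; it tells you the path you pin is no longer canonical, which is exactly the state RepoJacking exploits. The remediation is to move the import path to the new owner, and for Go to keep go.sum checksums in the repository so that a swapped module is at least detected when it is fetched.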

Cross-Sector Cybersecurity Performance Goals
Date: 2022-10-31

In July 2021, President Biden signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. This memorandum required CISA, in coordination with the National Institute of Standards and Technology (NIST) and the interagency community, to develop baseline cybersecurity performance goals that are consistent across all critical infrastructure sectors. These voluntary cross-sector Cybersecurity Performance Goals (CPGs) are intended to help establish a common set of fundamental cybersecurity practices for critical infrastructure, and especially help small- and medium-sized organizations kickstart their cybersecurity efforts.

ConnectWise Recover and R1Soft Server Backup Manager Critical Security Release
Date: 2022-10-31

ConnectWise Recover v2.9.7 and earlier versions are impacted by an "Improper Neutralization of Special Elements in Output Used by a Downstream Component" weakness. If exploited, an attacker could execute code remotely or directly access confidential data.

Affected versions: ConnectWise Recover v2.9.7 and earlier; R1Soft Server Backup Manager (SBM) v6.16.3 and earlier.

Raspberry Robin Operators Selling Cybercriminals Access to Thousands of Endpoints
Date: 2022-10-28

The Raspberry Robin worm is becoming an access-as-a-service malware for deploying other payloads, including IcedID, Bumblebee, TrueBot (aka Silence), and Clop ransomware. It is "part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original USB drive spread," the Microsoft Security Threat Intelligence Center (MSTIC) said in a detailed write-up. Raspberry Robin, also called QNAP Worm owing to the use of compromised QNAP storage servers for command-and-control, is the name given to a malware by cybersecurity company Red Canary that spreads to Windows systems through infected USB drives.

Google Fixes Seventh Chrome Zero-Day Exploited in Attacks This Year
Date: 2022-10-28

On Thursday, Google released security updates to address a high-severity zero-day bug that it says is actively being exploited in the wild. Tracked as CVE-2022-3723, the vulnerability is a type confusion bug in the Chrome V8 JavaScript engine. Type confusion bugs occur when a program allocates a resource, object, or variable using one type and then accesses it using a different, incompatible type, resulting in out-of-bounds memory access. A malicious threat actor could use this access to read sensitive information, cause crashes, and execute arbitrary code.

API Attacks Have Emerged as the #1 Threat Vector in 2022
Date: 2022-10-28

Gartner released new statistics this week on API attacks. According to the researchers, APIs have become the leading attack vector for enterprise web applications. As more organizations move their operations to cloud-based services, data is being moved with APIs. "Organizations are using APIs to build complex applications that serve as the foundation for their business models since they offer an effective way to leverage the data and functionality delivered by an organization's digital applications and services. They are becoming more popular due to their ability to provide connectivity between disparate systems. For example, an API for a bank can allow you to access your account information from a mobile app or website. In addition, companies may use APIs for internal processes, such as billing or inventory management."

Android Malware Droppers With 130K Installs Found on Google Play
Date: 2022-10-28

A set of Android malware droppers were found infiltrating the Google Play store to install banking trojans pretending to be app updates. Malware droppers are a challenging category of apps to stop because they do not contain malicious code themselves and thus can more easily pass Google Play reviews when submitted to the store. At the same time, they do not raise suspicion among users, as they provide the advertised functionality while the malicious behavior is conducted behind the scenes. Researchers at ThreatFabric, who discovered the new set of droppers, report a rise in the use of droppers for Android malware distribution precisely because they offer a stealthy pathway to infecting devices. This is particularly important considering the ever-increasing restrictions and safeguards introduced with each major Android release, which prevent malware from abusing permissions, fetching malicious modules from external resources, or using the Accessibility service to perform unlimited actions on the device.

Hackers Use Microsoft IIS Web Server Logs to Control Malware
Date: 2022-10-28

The Cranefly hacking group, aka UNC3524, uses a previously unseen technique of controlling malware on infected devices via Microsoft Internet Information Services (IIS) web server logs. Microsoft Internet Information Services (IIS) is a web server that hosts websites and web applications. It’s also used by other software, such as Outlook on the Web (OWA) for Microsoft Exchange, to host management apps and web interfaces.

Developing Situation: Calix GigaCenter Under Attack - Calix Official Statement
Date: 2022-10-28

Calix GigaCenter and GigaHub premises systems with remote access enabled are vulnerable to a SOCKS5 Proxy exploit. The exploit uses command injection via the HTTP API to download a script which then installs the SOCKS5 Proxy. The proxy will continue running after a reboot.

OpenSSL to Fix the Second Critical Flaw Ever
Date: 2022-10-27

The OpenSSL Project announced that it is going to release updates to address a critical vulnerability in the open-source toolkit. Experts pointed out that it is the first critical vulnerability patched in the toolkit since September 2016.

“The OpenSSL project team would like to announce the forthcoming release of OpenSSL version 3.0.7. This release will be made available on Tuesday 1st November 2022 between 1300-1700 UTC,” reads the announcement. “OpenSSL 3.0.7 is a security-fix release. The highest severity issue fixed in this release is CRITICAL.”
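
An added example (not from OpenSSL or CISA) that applies the affected range stated in the CISA entry above, 3.0.0 through 3.0.6 with the fix in 3.0.7, to `openssl version` banners collected from a fleet. The host names and banner strings are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Range from the OpenSSL advisory: 3.0.0 <= version < 3.0.7 is affected by
# CVE-2022-3602 and CVE-2022-3786; the 1.1.1 and 1.0.2 series are not.
FIRST_AFFECTED = (3, 0, 0)
FIXED_VERSION = (3, 0, 7)

_VERSION_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)")

def parse_openssl_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Parse the first line of `openssl version`, e.g. 'OpenSSL 3.0.5 5 Jul 2022'.
    Letter suffixes (1.1.1q) are ignored; non-OpenSSL banners yield None."""
    m = _VERSION_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def assess(banner: str) -> str:
    """'vulnerable', 'not-affected' or 'unknown' for one banner line."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    if FIRST_AFFECTED <= v < FIXED_VERSION:
        return "vulnerable"
    return "not-affected"

# Constructed fleet inventory (hypothetical host names): host -> banner.
INVENTORY: Dict[str, str] = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "legacy-01": "OpenSSL 1.1.1q  5 Jul 2022",
    "bsd-01": "LibreSSL 3.6.0",
}

def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    return {host: assess(banner) for host, banner in inventory.items()}

if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host:12s} {status}")
```

`openssl version` only describes the command-line binary and its shared library. Containers, language runtimes and vendor appliances often carry their own statically linked or bundled copy of libssl, so a fleet check also needs a software-inventory or SBOM pass for those.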

Notorious ‘Bestbuy’ Hacker Arraigned for Running Dark Web Market
Date: 2022-10-27

A notorious British hacker was arraigned on Wednesday by the U.S. Department of Justice for allegedly running the now-defunct 'The Real Deal' dark web marketplace. The 34-year-old defendant Daniel Kaye (aka Bestbuy, Spdrman, Popopret, UserL0ser) allegedly ran the illicit services market between early 2015 and November 2016, when The Real Deal shut down. Kaye also allegedly trafficked Twitter and LinkedIn accounts and conspired with a threat actor known as TheDarkOverlord to sell stolen Social Security numbers. He laundered the cryptocurrency obtained while operating The Real Deal using the Bitmixer[.]io Bitcoin mixer service to hide the illicit gains from law enforcement's blockchain tracing efforts.

Developing Situation: Calix GigaCenter Under Attack - Calix Statement
Date: 2022-10-27

Calix development is, and has been, investigating this issue and working on fixes that include remediating systems impacted as well as preventing exploitation of other systems. The problem is understood and a fix is forthcoming. When it is available, customers will be advised via account teams, service bulletins and proactive alerts. This community post will also be updated with information as it becomes available.

Developing Situation: Calix GigaCenter Under Attack
Date: 2022-10-27

We received reports this morning that some Calix GigaCenters were under attack. According to reports, Calix GigaCenter routers that have default or compromised credentials are being attacked. In one case, a service provider reported that 10% of their GigaCenters (844E) rebooted overnight. Another service provider reported that their DNS server’s cache was exhausted impacting DNS resolution.

VMware Releases Patch for Critical RCE Flaw in Cloud Foundation Platform
Date: 2022-10-26

On Tuesday, VMware released security updates to address a critical flaw in the VMware Cloud Foundation product, a hybrid cloud platform that is used to run enterprise apps in private or public environments. Tracked as CVE-2021-39144, the vulnerability is a remote code execution flaw that resides in XStream, an open-source library used by Cloud Foundation.

RomCom Hackers Circulating Malicious Copy of Popular Software to Target Ukrainian Military
Date: 2022-10-26

The threat actor behind a remote access trojan called RomCom RAT has been observed targeting Ukrainian military institutions as part of a new spear-phishing campaign that commenced on October 21, 2022. The development marks a shift in the attacker's modus operandi, which previously involved spoofing legitimate apps like Advanced IP Scanner to drop backdoors on compromised systems.

Two Flaws in Cisco Anyconnect Secure Mobility Client for Windows Actively Exploited
Date: 2022-10-26

Cisco is warning of exploitation attempts targeting two security flaws, CVE-2020-3153 (CVSS score: 6.5) and CVE-2020-3433 (CVSS score: 7.8), in the Cisco AnyConnect Secure Mobility Client for Windows. Both vulnerabilities were disclosed and patched in 2020.

  • The CVE-2020-3153 flaw resides in the installer component of AnyConnect Secure Mobility Client for Windows; an authenticated local attacker can exploit the flaw to copy user-supplied files to system-level directories with system-level privileges.
  • The CVE-2020-3433 vulnerability resides in the interprocess communication (IPC) channel of the Cisco AnyConnect Secure Mobility Client for Windows. An authenticated, local attacker can exploit the issue to perform a DLL hijacking attack. To exploit this vulnerability, the attacker would need valid credentials on the Windows system.

Microsoft: Server Manager Disk Resets Can Lead to Data Loss
Date: 2022-10-26

Microsoft warns that a newly acknowledged issue can lead to data loss when resetting virtual disks using the Server Manager management console. Server Manager helps IT admins manage Windows-based servers from their desktops without requiring a Remote Desktop connection or physical access to the servers. Because of this issue, admins attempting to reset (or clear) a virtual disk might accidentally reset the wrong disk, leading to data corruption. They will also see "Failed to reset disk" errors in the Task Progress dialog window, with the 'Found multiple disks with the same ID. Please update your storage driver and then try again.' error message.

Malicious Clicker Apps in Google Play Have 20M+ Installs
Date: 2022-10-25

Security researchers at McAfee have discovered 16 malicious clicker apps available in the official Google Play store that were installed more than 20 million times. One of these apps, DxClean, had been installed more than five million times and carried a user rating of 4.1 out of 5 stars. Clicker apps are adware that load ads in invisible frames or in the background and click them to generate revenue for the threat actors behind the campaign. The threat actors concealed the malicious code in practical utility applications such as flashlight (torch) apps, QR readers, camera apps, unit converters, and task managers. Upon execution, the clicker apps download their configuration from a remote server and register an FCM listener to receive push messages.

Apple Releases Patch for New Actively Exploited iOS and iPadOS Zero-Day Vulnerability
Date: 2022-10-25

On Monday, Apple released security updates to address a zero-day flaw in iOS and iPadOS which is actively being exploited in the wild. Tracked as CVE-2022-42827, the vulnerability is related to an out-of-bounds write bug in the kernel that could be exploited by a malicious threat actor to execute arbitrary code with the highest privileges.

Hive Claims Ransomware Attack on Tata Power, Begins Leaking Data
Date: 2022-10-25

Hive ransomware group has claimed responsibility for a cyber attack disclosed by Tata Power this month. A subsidiary of the multinational conglomerate Tata Group, Tata Power is India's largest integrated power company based in Mumbai. In screenshots seen by BleepingComputer, Hive operators have posted data they claim to have stolen from Tata Power, indicating that the ransom negotiations failed.

Exploited Windows Zero-day Lets JavaScript Files Bypass Security Warnings
Date: 2022-10-25

A new Windows zero-day allows threat actors to use malicious stand-alone JavaScript files to bypass Mark-of-the-Web security warnings. Threat actors have already been seen using the zero-day bug in ransomware attacks. Windows includes a security feature called Mark-of-the-Web (MoTW) that flags a file as having been downloaded from the Internet so that it is treated with caution, since it could be malicious.

Medibank Data Breach: More Customers Affected, Attacker Got in via Stolen Credentials
Date: 2022-10-25

Australian private health insurance provider Medibank has revealed that the hack and data breach it discovered over two weeks ago has affected more customers than initially thought, “We have received a series of additional files from the criminal. We have been able to determine that this includes: a copy of the file received last week containing 100 ahm policy records (including personal and health claims data); a file of a further 1,000 ahm policy records (including personal and health claims data); and files which contain some Medibank and additional ahm and international student customer data. It has become clear that the criminal has taken data that now includes Medibank customer data, in addition to that of ahm and international student customers,” the company said.

US Charges Two Chinese Agents in Huawei Obstruction Case
Date: 2022-10-25

The US has announced another blockbuster set of charges against Chinese nationals in three cases, including one in which two agents are said to have paid bribes for inside information on the federal prosecution of Huawei. The US Department of Justice (DoJ) unveiled the charges yesterday and, although Huawei is not named, widespread reports claim it is the telco at the center of the case. The US filed a string of charges of racketeering and conspiracy to steal trade secrets against the firm in 2019 and 2020.

Daixin Team Targets Health Organizations With Ransomware, US Agencies Warn
Date: 2022-10-24

CISA, the FBI, and the Department of Health and Human Services (HHS) warned that the Daixin Team cybercrime group is actively targeting U.S. businesses, mainly in the Healthcare and Public Health (HPH) Sector, with ransomware operations. The Daixin Team is a ransomware and data extortion group that has been active since at least June 2022. The group has focused on the HPH Sector with operations aimed at deploying ransomware and exfiltrating personally identifiable information (PII) and patient health information (PHI), threatening to release the stolen data if a ransom is not paid.

Botnet Distributing Self-Unlocking Password-Protected RAR Files to Drop Malware
Date: 2022-10-24

The notorious Emotet botnet has been linked to a new wave of malspam campaigns that take advantage of password-protected archive files to drop CoinMiner and Quasar RAT on compromised systems. In an attack chain detected by Trustwave SpiderLabs researchers, an invoice-themed ZIP file lure was found to contain a nested self-extracting (SFX) archive, the first archive acting as a conduit to launch the second. While phishing attacks like these traditionally require persuading the target into opening the attachment, the cybersecurity company said the campaign sidesteps this hurdle by making use of a batch file to automatically supply the password that unlocks the payload.

Thousands of GitHub Repositories Deliver Fake PoC Exploits With Malware
Date: 2022-10-24

Researchers at the Leiden Institute of Advanced Computer Science found thousands of repositories on GitHub that offer fake proof-of-concept (PoC) exploits for various vulnerabilities, some of them including malware. GitHub is one of the largest code hosting platforms, and researchers use it to publish PoC exploits to help the security community verify fixes for vulnerabilities or determine the impact and scope of a flaw. According to the technical paper from the researchers at Leiden Institute of Advanced Computer Science, the possibility of getting infected with malware instead of obtaining a PoC could be as high as 10.3%, excluding proven fakes and prankware.

Typosquat Campaign Mimics 27 Brands to Push Windows, Android Malware
Date: 2022-10-24

A massive, malicious campaign is underway using over 200 typosquatting domains that impersonate twenty-seven brands to trick visitors into downloading various Windows and Android malware. Typosquatting is an old method of tricking people into visiting a fake website by registering a domain name similar to that used by genuine brands. The domains used in this campaign are very close to the authentic ones, featuring a single letter position swap or an additional "s," making them easy for people to miss. The malicious websites are clones of the originals or at least convincing enough, so there's not much to give away the fraud.
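As an added illustration of the two lookalike shapes described above (an adjacent-letter swap and an extra "s"), not code from the article or the researchers, the following Python generates those variants for a brand domain and flags matching hosts in proxy log lines. The brand acmebank.com and the `host=` log format are constructed assumptions.

```python
import re

def typosquat_variants(domain):
    """Return the lookalike domains one adjacent-letter swap or one extra 's'
    away from the registrable domain (second-level label kept, TLD unchanged)."""
    label, _, tld = domain.rpartition(".")
    variants = set()
    # single letter position swap: transpose each adjacent pair in the label
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            variants.add(f"{swapped}.{tld}")
    # an additional "s" inserted at any position of the label
    for i in range(len(label) + 1):
        variants.add(f"{label[:i]}s{label[i:]}.{tld}")
    variants.discard(domain)  # the genuine domain is never a hit
    return variants

def build_watchlist(brands):
    """Map every generated lookalike back to the brand it imitates."""
    return {v: brand for brand in brands for v in typosquat_variants(brand)}

HOST_RE = re.compile(r"host=(\S+)")

def flag_lookalikes(log_lines, brands):
    """Return (host, imitated_brand) for each log line whose host, or any of
    its parent domains, is on the watchlist; subdomains like www. are ignored."""
    watch = build_watchlist(brands)
    hits = []
    for line in log_lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower().rstrip(".")
        parts = host.split(".")
        for n in range(2, len(parts) + 1):
            candidate = ".".join(parts[-n:])
            if candidate in watch:
                hits.append((host, watch[candidate]))
                break
    return hits

# constructed sample proxy log lines (hypothetical brand acmebank.com)
SAMPLE_LOG = [
    "2022-10-24T10:01:02 src=10.0.0.5 host=www.acmebnak.com path=/setup.exe",
    "2022-10-24T10:01:09 src=10.0.0.5 host=acmebank.com path=/login",
    "2022-10-24T10:02:11 src=10.0.0.7 host=acmebanks.com path=/app.apk",
]

if __name__ == "__main__":
    for host, brand in flag_lookalikes(SAMPLE_LOG, ["acmebank.com"]):
        print(f"lookalike {host} imitates {brand}")
```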

Alert (AA22-294A) Daixin Team, Ransomware Attacks
Date: 2022-10-21

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Department of Health and Human Services (HHS) are releasing this joint CSA to provide information on the “Daixin Team,” a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health (HPH) Sector, with ransomware and data extortion operations.

CISA Tells Organizations to Patch Linux Kernel Vulnerability Exploited by Malware
Date: 2022-10-21

The vulnerability is tracked as CVE-2021-3493 and it’s related to the OverlayFS file system implementation in the Linux kernel. It allows an unprivileged local user to gain root privileges, but it only appears to affect Ubuntu. CVE-2021-3493 has been exploited in the wild by a stealthy Linux malware named Shikitega, which researchers at AT&T Alien Labs detailed in early September. Shikitega is designed to target endpoints and IoT devices running Linux, allowing the attacker to gain full control of the system. It has also been used to download a cryptocurrency miner onto the infected device.

Health System Data Breach Due to Meta Pixel Hits 3 Million Patients
Date: 2022-10-21

Advocate Aurora Health (AAH), a 26-hospital healthcare system in Wisconsin and Illinois, is notifying its patients of a data breach that exposed the personal data of 3,000,000 patients. The incident was caused by the improper use of Meta Pixel on AAH's websites, where patients log in and enter sensitive personal and medical information. Meta Pixel is a JavaScript tracker that helps website operators understand how visitors interact with the site, helping them make targeted improvements. However, the tracker also sends sensitive data to Meta (Facebook), which is then shared with a massive network of marketers who target patients with advertisements that match their conditions.

BlackByte Ransomware Uses New Data Theft Tool for Double-Extortion
Date: 2022-10-21

A BlackByte ransomware affiliate is using a new custom data stealing tool called 'ExByte' to steal data from compromised Windows devices quickly. Data exfiltration is believed to be one of the most important functions in double-extortion attacks, with BleepingComputer being told that companies more commonly pay ransom demands to prevent the leak of data than to receive a decryptor. Because of this, ransomware operations, including ALPHV and LockBit, are constantly working on improving their data theft tools.

98% of orgs with Office 365 harbor malicious emails inside their mailboxes. Threats like ransomware, spear phishing, and account takeover put your organization and employees at significant risk. Find out what’s hiding in your inbox.


Via a security assessment, we can quickly identify security gaps and out-of-date patches and software updates, then advise on steps to fix them.


Via a short questionnaire, we'll help you determine whether weaknesses exist in the way you protect your confidential data. In a few minutes, we'll produce a comprehensive profile of the strengths and vulnerabilities of your IT security. Let us show you where protections should be placed before those vulnerabilities are exploited.


LA-Cyber can directly submit suspicious URLs and files through the ISAO’s Cyber Forum for rapid analysis to determine if they are known or zero-day cybersecurity threats.

Contact LACyber

LACyber's main office is located at 155 Great Arrow, Buffalo New York. Our main office phone number is (716) 871-7040.