Current Active Threats


New Report Reveals NikoWiper Malware That Targeted Ukraine Energy Sector
Date: 2023-02-01

ESET uncovered yet another wiper malware strain, dubbed NikoWiper, used by the Russia-affiliated Sandworm group to attack an energy sector company in Ukraine in October 2022. Not much is known about NikoWiper besides the fact that it is based on SDelete, a Microsoft command-line utility used for securely deleting files. According to researchers, the attack on the company took place around the same time that Russian armed forces targeted Ukrainian energy infrastructure with missile strikes.

Contact Us For Full Threat Report, Analyst Comments & Mitigation Steps

New Sh1mmer Chromebook Exploit Unenrolls Managed Devices
Date: 2023-02-01

Researchers have discovered a new exploit dubbed Sh1mmer. The exploit allows users to install software and bypass device restrictions by unenrolling an enterprise-managed Chromebook. "The exploit requires a publicly leaked RMA shim that the Sh1mmer exploit will modify to allow users to manage the device's enrollment. The researchers say that the following Chromebook boards are known to have publicly released RMA shims: brask, brya, clapper, coral, dedede, enguarde, glimmer, grunt, hana, hatch, jacuzzi, kukui, nami, octopus, orco, pyro, reks, sentry, stout, strongbad, tidus, ultima, volteer, zork. For those unfamiliar with RMA shims, they are disk images stored on USB devices that contain a combination of the ChromeOS factory bundle components used to reinstall the operating system and manufacturer tools used to perform repair and diagnostics."

Microsoft Stops Selling Windows 10 Licenses a Day Early
Date: 2023-02-01

Marking an end to an era, Microsoft is no longer directly selling Windows 10 product keys on their website, instead redirecting users to Windows 11 product pages. This month, Microsoft began displaying an alert on their Windows 10 Home and Pro product pages, warning customers that January 31st would be the last day to purchase a license.

Microsoft: Over 100 Threat Actors Deploy Ransomware in Attacks
Date: 2023-02-01

Microsoft revealed today that its security teams are tracking over 100 threat actors deploying ransomware during attacks. In all, the company says it monitors over 50 unique ransomware families that were actively used until the end of last year. "Some of the most prominent ransomware payloads in recent campaigns include Lockbit Black, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, & Royal," Microsoft said.

QNAP Fixes Critical Bug Letting Hackers Inject Malicious Code
Date: 2023-01-31

QNAP recently released firmware updates to address a critical security vulnerability that could enable remote attackers to inject malicious code on QNAP NAS devices. Tracked as CVE-2022-27596, the flaw impacts QTS 5.0.1 and QuTS hero h5.0.1 versions of the operating system. According to the networking hardware company, the bug is related to a SQL injection flaw that could be exploited by threat actors to send specially crafted requests on vulnerable devices and modify legitimate SQL queries. QNAP says this flaw can be exploited in low-complexity attacks and does not require user interaction or privileges on the targeted devices.

Porsche Halts NFT Launch, Phishing Sites Fill the Void
Date: 2023-01-31

Porsche, the German automobile manufacturer specializing in high-performance vehicles, halted its anticipated NFT launch. The vehicle manufacturer produced its first NFT mint on January 23, 2023: a digital replica of one of its renowned 911 cars, priced at around $1,500 in ETH. Additionally, Porsche promised its NFT community 7,500 NFTs in the new collection.

Exploit Released for Critical VMware VRealize RCE Vulnerability
Date: 2023-01-31

The IT-ISAC operations team informed the membership of an ongoing bug in VMware products. Fortunately, the company quickly acknowledged and released patches to address four security vulnerabilities in its vRealize log analysis tool last week. Two of these were rated critical in severity on the CVSS scale, as successful exploitation could allow attackers to execute code remotely on compromised devices.

Attackers Used Malicious “verified” OAuth Apps to Infiltrate Organizations’ O365 Email Accounts
Date: 2023-01-31

“Malicious third-party OAuth apps with an evident ‘Publisher identity verified’ badge have been used by unknown attackers to target organizations in the UK and Ireland, Microsoft has shared. The attacks were first spotted by Proofpoint researchers in early December 2022, and involved three rogue apps impersonating SSO and online meeting apps. Targets in these organizations who have fallen for the trick effectively allowed these rogue apps to access their O365 email accounts and infiltrate organizations’ cloud environments” (Help Net Security, 2023). “The potential impact to organizations includes compromised user accounts, data exfiltration, brand abuse of impersonated organizations, business email compromise (BEC) fraud, and mailbox abuse,” Proofpoint researchers explained.

Shady Reward Apps on Google Play Amass 20 Million Downloads
Date: 2023-01-30

Recently, in the Android app store, there has been an uptick in downloads of activity-tracking applications. The applications advertise themselves as health-tracking apps such as pedometers, good-habit-building apps, and health apps. These apps incentivize users to reach their goals by promising rewards. "According to a report by the Dr. Web antivirus, though, the rewards may be impossible to cash out or are only made available partially after forcing users to watch a large number of advertisements." The apps and their download counts are:
  • Lucky Step – Walking Tracker – 10 million downloads
  • WalkingJoy – 5 million downloads
  • Lucky Habit: health tracker – 5 million downloads

Ukraine: Sandworm Hackers Hit News Agency With 5 Data Wipers
Date: 2023-01-30

In a recent announcement from the Ukrainian Computer Emergency Response Team (CERT-UA), the agency stated that 5 different wiper malware strains were deployed on the network of Ukraine’s national news agency (Ukrinform) on January 17th. According to CERT-UA, “5 samples of malicious programs (scripts) were detected, the functionality of which is aimed at violating the integrity and availability of information (writing files/disks with zero bytes/arbitrary data and their subsequent deletion).” The list of wipers deployed includes:
  • CaddyWiper (Windows)
  • ZeroWipe (Windows)
  • SDelete (Windows)
  • AwfulShred (Linux)
  • BidSwipe (FreeBSD)
The threat actors allegedly deployed the wiper strains by creating a Windows group policy, suggesting that they had breached the news agency’s network beforehand. CERT-UA says that the actors gained remote access to Ukrinform’s network on December 7th, waiting a month to deploy the destructive malware. The attack was a partial success, with the wipers only managing to destroy files on a limited number of data storage systems. As such, Ukrinform was able to continue its operations without any issues.

Titan Stealer: A New Golang-Based Information Stealer Malware Emerges
Date: 2023-01-30

Researchers at Uptycs uncovered a new Golang-based information stealer malware dubbed Titan Stealer, which is being advertised by threat actors on Telegram. Titan Stealer is being advertised as a builder, enabling buyers to customize the malware binary to include specific functionalities and the kind of data to be exfiltrated from a victim’s system. According to researchers, Titan Stealer is capable of stealing credentials from browsers and crypto wallets, FTP client details, screenshots, system information, grabbed files, and much more. Browsers targeted by the info stealer include Google Chrome, Mozilla Firefox, Microsoft Edge, Yandex, Opera, Brave, Vivaldi, 7 Star Browser, Iridium Browser, and others. Titan also targets crypto wallets like Armory, Bytecoin, Coinomi, Edge Wallet, Ethereum, Exodus, Guarda, Jaxx Liberty, and Zcash.

Massive Microsoft 365 Outage Caused by WAN Router IP Change
Date: 2023-01-30

Microsoft says this week's five-hour-long Microsoft 365 worldwide outage was caused by a router IP address change that led to packet forwarding issues between all other routers in its Wide Area Network (WAN). Redmond said that the outage resulted from DNS and WAN networking configuration issues caused by a WAN update and that users across all regions serviced by the impacted infrastructure were having problems accessing the affected Microsoft 365 services. The issue led to service impact in waves, peaking approximately every 30 minutes, as shared on the Microsoft Azure service status page (this status page was also affected, as it intermittently displayed "504 Gateway Time-out" errors).

Researchers to Release VMware vRealize Log RCE Exploit, Patch Now
Date: 2023-01-30

Security researchers with Horizon3's Attack Team will release an exploit targeting a vulnerability chain next week for gaining remote code execution on unpatched VMware vRealize Log Insight appliances. Now known as VMware Aria Operations for Logs, vRealize Log Insight makes it easier for VMware admins to analyze and manage terabytes of infrastructure and application logs.

New Mimic Ransomware Abuses ‘Everything’ Windows Search Tool
Date: 2023-01-27

Security researchers discovered a new ransomware strain they named Mimic that leverages the APIs of the 'Everything' file search tool for Windows to look for files targeted for encryption. Discovered in June 2022 by researchers at cybersecurity company Trend Micro, the malware appears to target mainly English and Russian-speaking users. Some of the code in Mimic shares similarities with Conti ransomware, the source of which was leaked in March 2022 by a Ukrainian researcher.

Bitwarden Password Vaults Targeted in Google Ads Phishing Attack
Date: 2023-01-27

Bitwarden and other password managers are being targeted in Google ads phishing campaigns to steal users' password vault credentials. As the enterprise and consumers move to use unique passwords at every site, it has become essential to use password managers to keep track of all the passwords. However, unless you use a local password manager, like KeePass, most password managers are cloud-based, allowing users to access their passwords through websites and mobile apps. These passwords are stored in the cloud in "password vaults" that keep the data in an encrypted format, usually encrypted using users' master passwords.

Lexmark Warns of RCE Bug Affecting 100 Printer Models, POC Released
Date: 2023-01-27

Lexmark has released a security firmware update to fix a severe vulnerability that could enable remote code execution (RCE) on more than 100 printer models. The security issue is tracked as CVE-2023-23560 and, according to the company, it has a severity rating of 9.0. It is a server-side request forgery (SSRF) in the Web Services feature of Lexmark devices.

Iranian Group Cobalt Sapling Targets Saudi Arabia With New Persona
Date: 2023-01-27

The threat actor known as Cobalt Sapling has been spotted creating a new persona dubbed "Abraham's Ax" to target Saudi Arabia for political leverage. The findings come from cybersecurity experts at Secureworks' Counter Threat Unit (CTU), who published an advisory about the new threat earlier today.

Hive Ransomware Dark Web Sites Seized by Law Enforcement
Date: 2023-01-26

Today, the Hive ransomware Tor payment and data leak sites were seized as part of an international law enforcement operation involving the US Department of Justice, FBI, Secret Service, Europol, and Germany's BKA and Polizei. The seizure notice on the Tor sites also lists a wide range of other countries involved in the law enforcement operation, including Canada, France, Lithuania, Netherlands, Norway, Portugal, Romania, Spain, Sweden, and the United Kingdom. Unlike previous seizure messages used by law enforcement, this image is an animated GIF rotating between a message in English and Russian, likely to be a warning for other ransomware gangs.

Exploit Released for Critical Windows CryptoAPI Spoofing Bug
Date: 2023-01-26

Researchers at Akamai published proof-of-concept exploit code for a critical Windows CryptoAPI vulnerability (CVE-2022-34689) discovered by the NSA and the U.K.'s NCSC, allowing MD5-collision certificate spoofing. “CryptoAPI is the de facto API in Windows for handling anything related to cryptography. In particular, it handles certificates — from reading and parsing them to validating them against verified certificate authorities (CAs). Browsers also use CryptoAPI for TLS certificate validation — a process that results in the lock icon everyone is taught to check.”

CISA: Federal Agencies Hacked Using Legitimate Remote Desktop Tools in Callback Attacks
Date: 2023-01-26

The IT-ISAC distributed an attachment in our daily report yesterday detailing how threat actors currently use RMM (Remote Monitoring and Management) tools for malicious purposes. CISA discovered malicious activity within the networks of multiple federal civilian executive branch (FCEB) agencies using the EINSTEIN intrusion detection system after releasing a Silent Push report in mid-October 2022.

Experts Warn of a Surge of Attacks Exploiting a Realtek Jungle SDK RCE (CVE-2021-35394)
Date: 2023-01-26

Palo Alto Networks researchers reported that between August and October 2022 the number of attacks that attempted to exploit a Realtek Jungle SDK RCE (CVE-2021-35394) (CVSS score 9.8) accounted for more than 40% of the total number of attacks (Security Affairs, 2023). “Realtek Jungle SDK version v2.x up to v3.4.14B provides a diagnostic tool called ‘MP Daemon’ that is usually compiled as ‘UDPServer’ binary. The binary is affected by multiple memory corruption vulnerabilities and an arbitrary command injection vulnerability that can be exploited by remote unauthenticated attackers.” reads the description for this flaw.

Zacks Investment Research Data Breach Affects 820,000 Clients
Date: 2023-01-26

Zacks, an investment research company, fell victim to a data breach last year. On December 28, 2022, Zacks learned that an unknown third party had gained unauthorized access to customer records. Zacks is one of the largest providers of independent stock, ETF, and mutual fund research in the United States; its services include aiding investors with stock buying decisions using financial data analytics. The data breach affected 820,000 users. The affected dataset consisted of Zacks Elite customers who joined between November 1999 and February 2005. The information in the data set consists of names, addresses, phone numbers, email addresses, and passwords used for Zacks.com. The research firm has found no evidence that any financial data had been taken.

Multiple Vulnerabilities in Google Chrome Could Allow for Arbitrary Code Execution
Date: 2023-01-25

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Successful exploitation of the most powerful of these vulnerabilities could allow for arbitrary code execution in the context of the logged-on user. Depending on the user's privileges, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those with administrative user rights.

Ransomware Access Brokers Use Google Ads to Breach Your Network
Date: 2023-01-25

Researchers have discovered a new malicious advertising campaign attributed to DEV-0569. The campaign utilizes Google Ads to spread malware, steal passwords, and breach networks for ransomware attacks. "Over the past couple of weeks, cybersecurity researchers MalwareHunterTeam, Germán Fernández, and Will Dormann have illustrated how Google search results have become a hotbed of malicious advertisements pushing malware. These ads pretend to be websites for popular software programs, like LightShot, Rufus, 7-Zip, FileZilla, LibreOffice, AnyDesk, Awesome Miner, TradingView, WinRAR, and VLC."

VMware Fixes Critical Security Bugs in vRealize Log Analysis Tool
Date: 2023-01-25

On Tuesday, VMware addressed several vulnerabilities impacting its vRealize Log Insight, a log analysis and management tool. Two of the flaws have been rated critical in severity (CVSS: 9.8) and are tracked as CVE-2022-31703 and CVE-2022-31704. CVE-2022-31703 is a directory traversal vulnerability that can be leveraged for remote code execution (RCE) by injecting files into the operating system of impacted appliances. The other critical flaw, CVE-2022-31704, is a broken access control bug which can also be abused for RCE using a similar method.

North Korean Hackers Turn to Credential Harvesting in Latest Wave of Cyberattacks
Date: 2023-01-25

A North Korean nation-state group notorious for crypto heists has been attributed to a new wave of malicious email attacks as part of a "sprawling" credential harvesting activity targeting a number of industry verticals, marking a significant shift in its strategy. The state-aligned threat actor is being tracked by Proofpoint under the name TA444, and by the larger cybersecurity community as APT38, BlueNoroff, Copernicium, and Stardust Chollima. TA444 is ‘utilizing a wider variety of delivery methods and payloads alongside blockchain-related lures, fake job opportunities at prestigious firms, and salary adjustments to ensnare victims,’ the enterprise security firm said in a report.

Apple Fixes Actively Exploited iOS Zero-Day on Older iPhones, iPads
Date: 2023-01-24

Apple recently backported fixes for older iPhones and iPads to address a remotely exploitable zero-day vulnerability that was disclosed last month. Tracked as CVE-2022-42856, the vulnerability is a type confusion weakness in Apple’s WebKit web browsing engine. A malicious actor can exploit the weakness to achieve arbitrary code execution by tricking victims into visiting a maliciously crafted website under the attacker’s control.

Emotet Malware Makes a Comeback with New Evasion Techniques
Date: 2023-01-24

The Emotet malware operation has continued to refine its tactics in an effort to fly under the radar, while also acting as a conduit for other dangerous malware such as Bumblebee and IcedID. Attributed to a cybercrime group tracked as TA542 (aka Gold Crestwood or Mummy Spider), the virus has evolved from a banking trojan to a malware distributor since its first appearance in 2014. The malware-as-a-service (MaaS) is also modular, capable of deploying an array of proprietary and freeware components that can exfiltrate sensitive information from compromised machines and carry out other post-exploitation activities.

Hackers Use Golang Source Code Interpreter to Evade Detection
Date: 2023-01-24

Researchers have observed a Chinese-speaking hacking group dubbed DragonSpark. "The attacks are tracked by SentinelLabs, whose researchers report that DragonSpark relies on a little-known open-source tool called SparkRAT to steal sensitive data from compromised systems, execute commands, perform lateral network movement, and more. The threat actors leverage compromised infrastructure in China, Taiwan, and Singapore to launch their attacks, while the intrusion vector observed by SentinelLabs is vulnerable MySQL database servers exposed online."

CISA added Zoho ManageEngine RCE (CVE-2022-47966) to its Known Exploited Vulnerabilities Catalog
Date: 2023-01-24

We reported on this vulnerability throughout the last couple of weeks and urged companies to ensure that they’re patched, as a PoC was set to be released. CISA added the Zoho ManageEngine remote code execution flaw (CVE-2022-47966) to its Known Exploited Vulnerabilities Catalog. CVE-2022-47966 allows attackers to execute code remotely on vulnerable products without authentication. The bug impacts multiple Zoho products where SAML SSO is enabled in the ManageEngine configuration. The issue also affects products that had the feature enabled in the past. The company addressed the vulnerability on October 27, 2022.

FanDuel Warns of Data Breach After Customer Info Stolen in Vendor Hack
Date: 2023-01-23

The FanDuel sportsbook and betting site is warning customers that their names and email addresses were exposed in a January 2023 MailChimp security breach, urging users to remain vigilant against phishing emails. On January 13th, MailChimp confirmed they suffered a breach after hackers stole an employee's credentials using a social engineering attack. Using these credentials, the threat actors accessed an internal MailChimp customer support and administration tool to steal the "audience data" for 133 customers.

Over 19,000 End-of-life Cisco Routers Exposed to RCE Attacks
Date: 2023-01-23

Over 19,000 end-of-life Cisco VPN routers on the Internet are exposed to attacks targeting a remote command execution exploit chain. By chaining two security flaws disclosed last week, threat actors can bypass authentication (CVE-2023-20025) and execute arbitrary commands (CVE-2023-2002) on the underlying operating system of Cisco Small Business RV016, RV042, RV042G, and RV082 routers.

New Boldmove Linux Malware Used to Backdoor Fortinet Devices
Date: 2023-01-23

Last month, Fortinet disclosed a vulnerability in FortiOS SSL-VPN, warning customers to patch their appliances as attackers were observed exploiting it in the wild. The vulnerability, tracked as CVE-2022-42475, is a heap-based buffer overflow in FortiOS SSL-VPN which could enable unauthenticated threat actors to execute arbitrary code and commands via specially crafted requests. Fortinet silently fixed the bug in November, but didn’t publicly disclose details of the vulnerability until December. At the time, the company stated that it was aware of active exploitation of this flaw, but no further details were provided. Recently, Mandiant released a blog post stating that suspected Chinese hackers exploited the flaw as a zero-day in December to target a European government and an African MSP and deploy a custom malware, dubbed Boldmove.

Riot Games Hacked, Delays Game Patches After Security Breach
Date: 2023-01-23

The video game developer Riot Games, recognized for publishing games such as League of Legends and Valorant, has been hacked. "The LA-based game publisher disclosed the incident in a Twitter thread on Friday night and promised to keep customers up-to-date with whatever an ongoing investigation discovers." (Bleeping Computer, 2023). The company has stated that its development environment was the victim of a social engineering attack. Multiple development teams have confirmed the security breach, including the League of Legends and Teamfight Tactics development teams. However, there has been no indication that player data or personal information was compromised. One consequence of the attack is that Riot Games will be unable to release content on schedule, leading to delays in the anticipated release date of the next major patch. The company's head of studio released a statement explaining that there will be no changes in the release plan of Patch 13.2; however, aspects of Patch 13.2 may be moved to Patch 13.3, which debuts on February 8. The League team is attempting to hotfix what it can to deliver the planned and tested balance changes on time.

Roaming Mantis’ Android Malware Adds DNS Changer to Hack Wi-Fi Routers
Date: 2023-01-20

The Roaming Mantis malware distribution campaign has updated its Android malware to include a DNS changer that modifies DNS settings on vulnerable Wi-Fi routers to spread the infection to other devices. Starting in September 2022, researchers observed the 'Roaming Mantis' credential theft and malware distribution campaign using a new version of the Wroba.o/XLoader Android malware that detects vulnerable Wi-Fi routers based on their model and changes their DNS. The malware then creates an HTTP request to hijack a vulnerable Wi-Fi router's DNS settings, causing connected devices to be rerouted to malicious web pages hosting phishing forms or dropping Android malware.

Ransomware Gang Steals Data From KFC, Taco Bell, and Pizza Hut Brand Owner
Date: 2023-01-20

Yum! Brands, the fast food brand operator of KFC, Pizza Hut, Taco Bell, and The Habit Burger Grill fast-food restaurant chains, has been targeted by a ransomware attack that forced the closure of 300 locations in the United Kingdom. Yum! Brands operates 53,000 restaurants across 155 countries and territories, with over $5 billion in total assets and $1.3 billion in yearly net profit.

New 'Hook' Android Malware Lets Hackers Remotely Control Your Phone
Date: 2023-01-20

A new Android malware named 'Hook' is being sold by cybercriminals, boasting it can remotely take over mobile devices in real-time using VNC (virtual network computing). The new malware is promoted by the creator of Ermac, an Android banking trojan selling for $5,000/month that helps threat actors steal credentials from over 467 banking and crypto apps via overlaid login pages. While the author of Hook claims the new malware was written from scratch, and despite having several additional features compared to Ermac, researchers at ThreatFabric dispute these claims and report seeing extensive code overlaps between the two families. ThreatFabric explains that Hook contains most of Ermac's code base, so it's still a banking trojan. At the same time, it includes several unnecessary parts found in the older strain that indicate it re-used code in bulk.

Google Ads Increasingly Pointing to Malware
Date: 2023-01-20

The FBI has recently warned the public about search engine ads pushing malware disguised as legitimate software – an old tactic that has lately resulted in too many malicious ads served to users searching for software, cracked software, drivers – anything that can be downloaded, really – via Google and Bing. Recently there has been a noticeable uptick in malicious ads being served by popular search engines. Mimicking popular open source tools via typosquatted domains, threat actors are luring victims into clicking search engine ad links. HP threat researcher Patrick Schläpfer says that they have seen “a significant increase in malware distributed through malvertising, with multiple threat actors currently using this technique.”

New ‘Blank Image’ Attack Hides Phishing Scripts in SVG Files
Date: 2023-01-20

Researchers identified a new phishing campaign known as “Blank Image”, which has been observed in the wild. The technique conceals empty SVG files inside HTML attachments impersonating DocuSign documents. The phishing email is sent to prospective victims as a document from DocuSign. Next, the recipient is prompted to review and sign the document named "Scanned Remittance Advice[.]htm". If the recipient chooses the "View Completed Document" option, they are directed to a legitimate DocuSign webpage. However, if the user opens the HTML attachment, the ‘Blank Image’ attack commences.

T-Mobile Hacked to Steal Data of 37 Million Accounts in API Data Breach
Date: 2023-01-20

T-Mobile disclosed a new data breach after a threat actor stole the personal information of 37 million current postpaid and prepaid customer accounts through one of its Application Programming Interfaces (APIs). While T-Mobile did not share how their API was exploited, threat actors commonly find flaws that allow them to retrieve data without authenticating first.

Ukraine Links Data-Wiping Attack on News Agency to Russian Hackers
Date: 2023-01-19

Ukraine’s Computer Emergency Response Team recently linked a cyberattack targeting the country’s national news agency (Ukrinform) to Sandworm, a group of Russian military hackers. It is currently unknown how the attackers breached the news agency’s network. However, after gaining an initial foothold, CaddyWiper, a destructive wiper malware, was launched onto the agency’s systems via Windows group policy (GPO). CERT-UA notes this type of attack chain is similar to that of Sandworm, whose activities are linked to the Russian Federation. In April 2022, Sandworm was observed using CaddyWiper against a large Ukrainian energy provider.

A Couple of Bugs Can be Chained to Hack Netcomm Routers
Date: 2023-01-19

The vulnerabilities discovered in Netcomm routers are a stack-based buffer overflow and an authentication bypass, tracked as CVE-2022-4873 and CVE-2022-4874 respectively. Both issues affect the Netcomm NF20MESH, NF20, and NL1902 router models running software versions earlier than R6B035.

Illegal Solaris Darknet Market Hijacked by Competitor Kraken
Date: 2023-01-19

Solaris, a large darknet marketplace focused on drugs and illegal substances, has been taken over by a smaller competitor named 'Kraken', which claims to have hacked it on January 13, 2023. The Tor site of Solaris currently redirects to Kraken, while blockchain monitoring experts at Elliptic report no movement in the cryptocurrency addresses associated with the site after January 13, 2023.

Avast Releases Free Bianlian Ransomware Decryptor
Date: 2023-01-18

Avast has released a free decryptor for the BianLian ransomware strain to help victims of the malware recover locked files without paying the hackers for a decryption key. The availability of a decryptor comes only about half a year after increased activity from BianLian ransomware over the summer of 2022 when the threat group breached multiple high-profile organizations.

1,000 Ships Impacted by a Ransomware Attack on Maritime Software Supplier DNV
Date: 2023-01-18

A ransomware attack against DNV, one of the major maritime software suppliers, impacted approximately 1,000 vessels. DNV GL provides solutions and services throughout the life cycle of a vessel, from design and engineering to risk assessment and ship management. The Norwegian company provides services for 13,175 vessels and mobile offshore units (MOUs) amounting to 265.4 million gross tonnes, a global market share of 21%.

Over 4,000 Sophos Firewall Devices Vulnerable to RCE Attacks
Date: 2023-01-18

In September 2022, Sophos released an advisory warning its customers of a critical remote code execution vulnerability (CVE-2022-3236) impacting its Sophos Firewall Webadmin and User Portal HTTP interfaces. Hotfixes were released in September for the impacted Firewall versions (v19.0 MR1 (19.0.1) and older), with official fixes being issued three months later in December 2022. According to a new report by VulnCheck vulnerability researcher Jacob Baines, out of more than 88,000 instances, around 6% or more than 4,000 are still running versions that haven't received a hotfix and are vulnerable to CVE-2022-3236 attacks.

Iranian Government Entities Under Attack by New Wave of BackdoorDiplomacy Attacks
Date: 2023-01-18

The threat actor known as BackdoorDiplomacy has been linked to a new wave of attacks targeting Iranian government entities between July and late December 2022. Palo Alto Networks Unit 42, which is tracking the activity under its constellation-themed moniker Playful Taurus, said it observed the government domains attempting to connect to malware infrastructure previously identified as associated with the adversary. Also known by the names APT15, KeChang, NICKEL, and Vixen Panda, the Chinese APT group has a history of cyber espionage campaigns aimed at government and diplomatic entities across North America, South America, Africa, and the Middle East at least since 2010.

SecurityScorecard: Almost Half of Critical Manufacturing at Risk of Breach
Date: 2023-01-18

According to new research from SecurityScorecard titled "Addressing the Trust Deficit In Critical Infrastructure", published on January 18, 2023, nearly half (48%) of critical manufacturing organizations are vulnerable to a breach. The report analyzed the current state of cyber resilience in the critical infrastructure sectors designated by the Cybersecurity and Infrastructure Security Agency (CISA), such as energy, chemical, and healthcare. The 48% of organizations in question received a rating of "C", "D" or "F" on SecurityScorecard's security ratings platform. SecurityScorecard says organizations with an "A" rating are 7.7 times less likely to sustain a breach than those with an "F" rating.

Malware Attack on CircleCI Engineer's Laptop Leads to Recent Security Incident
Date: 2023-01-18

On Friday, the DevOps platform CircleCI disclosed that one of its engineers' laptops was infected with information-stealing malware capable of stealing credentials backed by two-factor authentication, enabling threat actors to breach the company's systems and data. CircleCI says the compromise took place on December 16, 2022, and that the malware went undetected by its antivirus software. According to CircleCI's chief technology officer, Rob Zuber, the malware stole session cookies, enabling the attackers to impersonate the targeted employee from a remote location and then escalate access to a subset of the company's production systems. From there, the threat actors used the elevated privileges to steal data from the company's database, including customer environment variables, tokens, and keys. Although the stolen data was encrypted at rest, Zuber stated that the actors extracted encryption keys from a running process, potentially enabling them to access the encrypted data.

Hackers Exploit Cacti Critical Bug to Install Malware, Open Reverse Shells
Date: 2023-01-18

In early December 2022, a security advisory warned of a critical command injection vulnerability (tracked as CVE-2022-46169, severity rating 9.8 out of 10) in Cacti that could be exploited without authentication. Cacti is an operational and fault management monitoring solution for network devices that also provides graphical visualization. "There are thousands of instances deployed across the world exposed on the web" (Bleeping Computer, 2023). Although the developer released an update for the flaw, more than 1,600 instances currently remain vulnerable to CVE-2022-46169, and hackers have already started to exploit it.

Fortinet Observed Three Rogue PyPI Packages Spreading Malware
Date: 2023-01-17

Researchers at Fortinet discovered three malicious PyPI packages on January 10, 2023, named "colorslib", "httpslib", and "libhttps". All three were uploaded by the same actor and have been downloaded a total of 550 times. The packages include complete descriptions and do not mimic the names of other projects; because of this, developers are deceived into believing they are general-purpose libraries with risk-free code. Nevertheless, the packages are capable of dropping info-stealing malware on developer systems.

T95 Android TV Box Sold on Amazon Hides Sophisticated Malware
Date: 2023-01-17

Security researcher, Daniel Milisic, discovered that the T95 Android TV box he purchased on Amazon was infected with sophisticated pre-installed malware. This Android TV box model is available on Amazon and AliExpress for as low as $40. The device came with Android 10 (with working Play store) and an Allwinner H616 processor. Milisic purchased the T95 Android TV box to run Pi-hole, which is a Linux network-level advertisement and Internet tracker blocking application.

Researchers to Release POC Exploit for Critical Zoho RCE Bug, Patch Now
Date: 2023-01-17

On Friday, security researchers with Horizon3's Attack Team warned admins that they had created a proof-of-concept (POC) exploit for CVE-2022-47966. According to the researchers, the vulnerability could be leveraged in 'spray and pray' attacks across the internet, since it yields remote code execution as NT AUTHORITY\SYSTEM, which essentially gives an attacker complete control over the system. Vulnerable versions span almost all ManageEngine products. Fortunately, Zoho has already patched the bug in waves, starting on October 27, 2022, by updating the affected third-party module to a more recent version.

IcedID Malware Strikes Again: Active Directory Domain Compromised in Under 24 Hours
Date: 2023-01-13

A recent IcedID malware attack enabled the threat actor to compromise the Active Directory domain of an unnamed target less than 24 hours after gaining initial access, while also borrowing techniques from other groups like Conti to meet its goals. ‘Throughout the attack, the attacker followed a routine of recon commands, credential theft, lateral movement by abusing Windows protocols, and executing Cobalt Strike on the newly compromised host,’ Cybereason researchers said in a report published this week.

Microsoft: Cuba Ransomware Hacking Exchange Servers via OWASSRF Flaw
Date: 2023-01-13

Microsoft says Cuba ransomware threat actors are hacking Microsoft Exchange servers unpatched against a critical server-side request forgery (SSRF) vulnerability also exploited in Play ransomware attacks. Cloud computing provider Rackspace recently confirmed that Play ransomware used a zero-day exploit dubbed OWASSRF targeting this bug (CVE-2022-41080) to compromise unpatched Microsoft Exchange servers on its network after bypassing ProxyNotShell URL rewrite mitigations. According to Microsoft, the Play ransomware gang has abused this security flaw since late November 2022. The company advises customers to prioritize CVE-2022-41080 patching to block potential attacks. Redmond says that this SSRF vulnerability has also been exploited since at least November 17th by another threat group it tracks as DEV-0671 to hack Exchange servers and deploy Cuba ransomware payloads.

RAT Malware Campaign Tries to Evade Detection Using Polyglot Files
Date: 2023-01-13

Operators of the StrRAT and Ratty remote access trojans (RAT) are running a new campaign using polyglot MSI/JAR and CAB/JAR files to evade detection from security tools. The campaign was spotted by Deep Instinct, which reports that the threat actors achieve moderate success in evading detection by anti-virus engines. This is notable considering how old and well-documented the two particular RATs are.
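What a polyglot of this kind looks like and how to spot one, as an added example that is not taken from Deep Instinct's report: a file whose leading bytes declare CAB or MSI (OLE compound file) but whose tail carries a valid ZIP end-of-central-directory record, which is all the Java launcher needs to treat it as a JAR. Scanners that trust the leading magic see an installer or cabinet; `java -jar` sees the archive. The builder below glues a stub header onto a minimal JAR; the header stubs and the class entry are constructed placeholders, not working CAB/MSI structures or real bytecode.

```python
import io
import zipfile
from typing import Dict

# leading magic of the container formats abused in the campaign
MAGIC = {
    "CAB": b"MSCF",
    "MSI": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",  # OLE compound file header, which MSI uses
}


def outer_format(data: bytes) -> str:
    """What the file claims to be, judged only by its first bytes."""
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    if data.startswith(b"PK\x03\x04"):
        return "ZIP"
    return "unknown"


def inspect(data: bytes) -> Dict[str, object]:
    """Report the declared outer format and whether a JAR is also readable from the tail."""
    buf = io.BytesIO(data)
    report: Dict[str, object] = {
        "outer": outer_format(data),
        "zip_tail": zipfile.is_zipfile(buf),  # looks for the end-of-central-directory record
        "jar": False,
        "entries": [],
    }
    if report["zip_tail"]:
        buf.seek(0)
        # zipfile tolerates prepended data: it rebases offsets from the EOCD record,
        # exactly as the Java launcher does, so the leading CAB/MSI bytes are ignored
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
            report["entries"] = names
            report["jar"] = "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names)
    report["polyglot"] = report["outer"] in ("CAB", "MSI") and bool(report["zip_tail"])
    return report


def build_polyglot(prefix: bytes) -> bytes:
    """Constructed sample: an arbitrary format header followed by a minimal JAR."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        # class-file magic plus padding; placeholder, not executable bytecode
        zf.writestr("Loader.class", b"\xCA\xFE\xBA\xBE" + b"\x00" * 28)
    return prefix + zbuf.getvalue()


SAMPLE_CAB_JAR = build_polyglot(b"MSCF" + b"\x00" * 32)          # CAB magic + zeroed header stub
SAMPLE_MSI_JAR = build_polyglot(MAGIC["MSI"] + b"\x00" * 504)    # OLE header sector stub
SAMPLE_PLAIN_CAB = b"MSCF" + b"\x00" * 32 + b"not an archive"   # CAB-looking file with no ZIP tail

if __name__ == "__main__":
    for label, sample in (("CAB/JAR", SAMPLE_CAB_JAR), ("MSI/JAR", SAMPLE_MSI_JAR), ("plain CAB", SAMPLE_PLAIN_CAB)):
        print(label, inspect(sample))
```

The practical rule this encodes: never classify a file by its first bytes alone. Check for a ZIP end-of-central-directory record at the tail as well, and treat any file whose head and tail disagree as suspicious.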

Hackers Exploit Control Web Panel Flaw to Open Reverse Shells
Date: 2023-01-13

A recently patched vulnerability in Control Web Panel (CWP), a server management tool formerly known as CentOS Web Panel, is being leveraged in cyberattacks. The vulnerability, tracked as CVE-2022-44877, received a critical severity score of 9.8 out of 10; an attacker can execute code remotely without authentication on unpatched instances. On January 3rd, researcher Numan Türle of Gais Cyber Security, who initially reported the issue around October last year, published a proof-of-concept (POC) exploit along with a video demonstrating how it works. Only three days after the POC was released, security researchers observed attackers using the flaw to gain remote access to unpatched systems and to find more vulnerable machines.

Royal Mail Cyberattack Linked to Lockbit Ransomware Operation
Date: 2023-01-13

Royal Mail, the UK's largest mail delivery service, disclosed yesterday that it had suffered, and was recovering from, a cyberattack. The attack was initially unattributed; however, reports today suggest that the LockBit ransomware operation is responsible for the attack that left the organization's computer systems unusable. As a result, the company's shipping and logistics services were suspended, severely halting business operations. "Royal Mail is experiencing severe service disruption to our international export services following a cyber incident," Royal Mail disclosed in its service update.

Cisco Warns of Auth Bypass Bug With Public Exploit in EoL Routers
Date: 2023-01-12

On Wednesday, Cisco published an advisory to warn customers of several vulnerabilities impacting its end-of-life VPN routers. The first flaw, tracked as CVE-2023-20025 (CVSS score: 9.0), is an authentication bypass vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 routers. Cisco says the flaw is due to improper validation of user input within incoming HTTP packets and can be exploited by sending specially crafted HTTP requests to the web-based management interface. Upon successful exploitation, a malicious threat actor could bypass authentication and gain root access to the targeted system.

New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors
Date: 2023-01-12

A new analysis of Raspberry Robin's attack infrastructure has revealed that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat. Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is a malware that has increasingly come under the radar for being used in attacks aimed at finance, government, insurance, and telecom entities. Given its use by multiple threat actors to drop a wide range of payloads such as SocGholish, Bumblebee, TrueBot, IcedID, and LockBit ransomware, it's believed to be a pay-per-install (PPI) botnet capable of serving next-stage malware.

Aflac, Zurich Policyholders in Japan Affected by Data Leaks
Date: 2023-01-12

Personal information for more than 1.3 million Aflac cancer insurance policyholders and almost 760,000 Zurich Insurance auto insurance policyholders is on the dark web following a hack on a third-party contractor. Neither company named the data leak site or the third-party vendor involved in its breach, so it is unclear whether the two incidents are related. Affected individuals from both hacks reside in Japan. Aflac stated: "The incident, caused by a vulnerability in a file transfer server, originated with a subcontractor of a third-party vendor that Aflac Japan uses for marketing purposes. The data, which did not include personally identifiable information, was posted on a dark website. This incident was confined to Aflac Japan and did not involve data related to U.S. operations or customers."

Scattered Spider Hackers Use Old Intel Driver to Bypass Security
Date: 2023-01-12

CrowdStrike reports that the Scattered Spider threat actor was seen attempting to exploit CVE-2015-2291, a high-severity vulnerability in the Intel Ethernet diagnostics driver that allows an attacker to execute arbitrary code with kernel privileges using specially crafted calls. Although the aforementioned CVE was fixed in 2015, by planting an older, still vulnerable version on the breached devices, the threat actors can leverage the flaw no matter what updates the victim has applied to the system.

Gootkit Malware Abuses VLC to Infect Healthcare Orgs with Cobalt Strike
Date: 2023-01-12

The Gootkit loader malware operators are running a new SEO poisoning campaign that abuses VLC Media Player to infect Australian healthcare entities with Cobalt Strike beacons. The campaign's goal is to deploy the Cobalt Strike post-exploitation toolkit on infected devices for initial access to corporate networks. From there, the remote operators can perform network scans, move laterally throughout the network, steal account credentials and files, and deploy more dangerous payloads such as ransomware.

CISA Orders Agencies to Patch Exchange Bug Abused by Ransomware Gang
Date: 2023-01-11

The Cybersecurity and Infrastructure Security Agency (CISA) has added two more security vulnerabilities to its catalog of exploited bugs today. The first is a Microsoft Exchange elevation of privilege bug tracked as CVE-2022-41080 that can be chained with the CVE-2022-41082 ProxyNotShell bug to gain remote code execution.

New Dark Pink Apt Group Targets Govt and Military With Custom Malware
Date: 2023-01-11

Attacks targeting government agencies and military bodies in multiple countries in the APAC region have been attributed to what appears to be a new advanced threat actor that leverages custom malware to steal confidential information. Security researchers are referring to this group as Dark Pink (Group-IB) or Saaiwc Group (Anheng Hunting Labs), noting that it employs uncommon tactics, techniques, and procedures.

Lorenz Ransomware Gang Plants Backdoors to Use Months Later
Date: 2023-01-11

Security researchers are warning that patching critical vulnerabilities that allow access to the network is insufficient to defend against ransomware attacks. Some gangs exploit the flaws to plant a backdoor while the window of opportunity exists and may return long after the victim has applied the necessary security updates. One case is a Lorenz ransomware attack that reached completion months after the hackers gained access to the victim's network using an exploit for a critical bug in a telephony system. During an incident response engagement for a Lorenz ransomware attack, researchers at the global intelligence and cyber security consulting company S-RM determined that the hackers had breached the victim network five months before starting to move laterally, steal data, and encrypt systems.

Microsoft January 2023 Patch Tuesday fixes 98 flaws, 1 Zero-Day
Date: 2023-01-11

As part of the January 2023 Patch Tuesday, Microsoft addressed 98 flaws, including a zero-day that is actively being exploited in attacks. Of the 98 flaws fixed, there were 39 Elevation of Privilege vulnerabilities, 4 Security Feature Bypass vulnerabilities, 33 Remote Code Execution vulnerabilities, 10 Information Disclosure vulnerabilities, 10 Denial of Service vulnerabilities, and 2 Spoofing vulnerabilities. 11 of the vulnerabilities are rated critical in severity, most of which relate to remote code execution and privilege escalation.

StrongPity Hackers Target Android Users via Trojanized Telegram App
Date: 2023-01-11

The StrongPity APT hacking group is distributing a fake Shagle chat app that is a trojanized version of the Telegram for Android app with an added backdoor. "Shagle is a legitimate random-video-chat platform allowing strangers to talk via an encrypted communications channel. However, the platform is entirely web-based, not offering a mobile app" (Bleeping Computer, 2023). Since 2021, StrongPity has been using a fake website impersonating the real Shagle site to trick victims into downloading the malicious Android application. The attacker can use the app to conduct espionage on targeted victims, including monitoring phone calls, collecting SMS text messages, and grabbing their contact lists for continued attacks. StrongPity, also known as Promethium or APT-C-41, has used trojanized applications in previous campaigns, including malicious versions of Notepad++, WinRAR, and TrueCrypt.

AUTH0 Fixes RCE Flaw in Jsonwebtoken Library Used by 22,000 Projects
Date: 2023-01-11

Auth0 fixed a remote code execution vulnerability in the immensely popular 'JsonWebToken' open-source library used by over 22,000 projects and downloaded over 36 million times per month on NPM. The library is used in open source projects created by Microsoft, Twilio, Salesforce, Intuit, Box, IBM, Docusign, Slack, SAP, and many more.

Microsoft: Kubernetes Clusters Hacked in Malware Campaign via Postgresql
Date: 2023-01-10

It’s been reported that the Kinsing malware is now actively breaching Kubernetes clusters by leveraging known weaknesses in container images and misconfigured, exposed PostgreSQL containers. While these tactics aren't novel, Microsoft's Defender for Cloud team reports they have seen an uptick lately, indicating that the threat actors are actively looking for specific entry points.
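The misconfiguration this campaign hunts for is usually visible in one file, pg_hba.conf, which decides who may connect to PostgreSQL from where and with what credential. As an added example (not Microsoft's or Kinsing's code), the following parser flags rules that combine an unauthenticated or cleartext method with a wide address range, and shows a hardened configuration beside the weak one. Both configuration samples are constructed; the "/8 or broader counts as wide" threshold is a chosen heuristic, not a PostgreSQL rule.

```python
import ipaddress
from typing import Dict, List

# pg_hba.conf record layout: TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]
WEAK_METHODS = {"trust", "password"}  # trust: no credential at all; password: cleartext on the wire
WIDE_BITS = 24  # chosen heuristic: /8 or broader IPv4 (24+ unfixed bits) is treated as "wide"


def parse_pg_hba(text: str) -> List[Dict[str, str]]:
    """Turn pg_hba.conf text into rule dicts, skipping comments and blank lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "local" and len(parts) >= 4:  # Unix-socket rules carry no address column
            rules.append({"type": "local", "database": parts[1], "user": parts[2],
                          "address": "", "method": parts[3]})
        elif parts[0] != "local" and len(parts) >= 5:
            rules.append({"type": parts[0], "database": parts[1], "user": parts[2],
                          "address": parts[3], "method": parts[4]})
    return rules


def address_width(addr: str) -> int:
    """Bits of the address NOT pinned by the rule: 0 for a single host, 32 or 128 for everyone."""
    if addr == "all":
        return 128
    if addr in ("samehost", "samenet"):
        return 0  # bounded by the server's own interfaces/subnets
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return 0  # hostname-based rule; treat as narrow
    return net.max_prefixlen - net.prefixlen


def audit(text: str) -> List[Dict[str, object]]:
    """One finding per risky rule; 'critical' means weak method AND wide range on the same line."""
    findings = []
    for rule in parse_pg_hba(text):
        reasons = []
        if rule["method"] in WEAK_METHODS:
            reasons.append(f"weak auth method '{rule['method']}'")
        if rule["type"].startswith("host") and address_width(rule["address"]) >= WIDE_BITS:
            reasons.append(f"wide address range {rule['address']}")
        if reasons:
            findings.append({"rule": rule, "reasons": reasons, "critical": len(reasons) == 2})
    return findings


# constructed: the kind of pg_hba.conf a quick-start container image ships with
SAMPLE_PG_HBA = """\
local   all   all                         peer
host    all   all   127.0.0.1/32          scram-sha-256
host    all   all   10.42.0.0/16          md5
host    all   all   0.0.0.0/0             trust      # reachable from anywhere, no password
host    all   all   ::/0                  password   # cleartext password from anywhere
"""

# constructed: the same file hardened (named db/user, TLS only, cluster subnet, SCRAM)
HARDENED_PG_HBA = """\
local   all   all                         peer
host    all   all   127.0.0.1/32          scram-sha-256
hostssl app   app   10.42.0.0/16          scram-sha-256
"""

if __name__ == "__main__":
    for name, conf in (("weak", SAMPLE_PG_HBA), ("hardened", HARDENED_PG_HBA)):
        print(name)
        for f in audit(conf):
            print("  ", "CRITICAL" if f["critical"] else "warn", f["rule"]["address"], f["reasons"])
```

On Kubernetes the file alone is not the whole story: a `trust` rule is harmless if nothing outside the pod can reach port 5432, and a `scram-sha-256` rule with a guessable password is not. Pair this check with a review of the Service type and NetworkPolicy that expose the container.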

GitHub Makes It Easier to Scan Your Code for Vulnerabilities
Date: 2023-01-10

GitHub has introduced a new option to set up code scanning for a repository known as "default setup," designed to help developers configure it automatically with just a few clicks. While the CodeQL code analysis engine, which powers GitHub's code scanning, comes with support for many languages and compilers, the new option only shows up for Python, JavaScript, and Ruby repositories. Product marketing manager Walker Chabbott said that GitHub is working on expanding support to more languages over the next six months.

Rackspace Ransomware Attack was Executed by Using Previously Unknown Security Exploit
Date: 2023-01-10

The MS Exchange exploit chain recently revealed by CrowdStrike researchers is how the Play ransomware gang breached the Rackspace Hosted Exchange email environment, the company confirmed last week. The exploit chains CVE-2022-41082, an RCE flaw, with CVE-2022-41080, a privilege escalation vulnerability, to achieve unrestricted remote access to vulnerable MS Exchange deployments.

Microsoft Ends Windows 7 Extended Security Updates on Tuesday
Date: 2023-01-09

Windows 7 Professional and Enterprise editions will no longer receive Extended Security Updates for critical and important vulnerabilities starting Tuesday, January 10, 2023. Microsoft launched the operating system in October 2009; it reached the end of mainstream support in January 2015 and the end of extended support in January 2020. The Extended Security Update (ESU) program was the last-resort option for customers who still needed to keep Windows 7 systems running past that date.

Hackers Push Fake Pokemon NFT Game to Take Over Windows Devices
Date: 2023-01-09

Threat actors are using a well-crafted Pokemon NFT card game website to distribute the NetSupport remote access tool and take control over victims' devices. The website "pokemon-go[.]io," which is still online at the time of writing, claims to be home to a new NFT card game built around the Pokemon franchise, offering users strategic fun together with NFT investment profits.

Zoom Users At Risk In Latest Malware Campaign
Date: 2023-01-09

Cyble Research & Intelligence Labs (CRIL) recently identified a phishing campaign targeting Zoom application software to deliver the IcedID malware. IcedID, also known as BokBot, is a banking trojan that enables attackers to steal victims' banking credentials. This malware primarily targets businesses and can be used to steal payment information. In addition, IcedID acts as a loader, allowing it to deliver other malware families or download additional modules. IcedID usually spreads via spam emails with malicious Office file attachments. In this campaign, however, the attackers employed a phishing website to deliver the IcedID payload, which is not a typical distribution method for IcedID. The threat actors behind this campaign used a highly convincing phishing page that looked like a legitimate Zoom website to trick users into downloading the IcedID malware.

Russian Turla Hackers Hijack Decade-Old Malware Infrastructure to Deploy New Backdoors
Date: 2023-01-09

The Russian cyberespionage group known as Turla has been observed piggybacking on attack infrastructure used by a decade-old malware to deliver its own reconnaissance and backdoor tools to targets in Ukraine. Google-owned Mandiant, which is tracking the operation under the uncategorized cluster moniker UNC4210, said the hijacked servers correspond to a variant of a commodity malware called ANDROMEDA (aka Gamarue) that was uploaded to VirusTotal in 2013. ‘UNC4210 re-registered at least three expired ANDROMEDA command-and-control (C2) domains and began profiling victims to selectively deploy KOPILUWAK and QUIETCANARY in September 2022,’ Mandiant researchers said in an analysis published last week.

Bitdefender Releases Free MegaCortex Ransomware Decryptor
Date: 2023-01-06

Antivirus company Bitdefender has released a decryptor for the MegaCortex ransomware family, making it possible for victims of the once notorious gang to restore their data for free. The creation of the decryptor was the combined work of Bitdefender analysts and experts from Europol, the NoMoreRansom Project, and the Zürich Public Prosecutor's Office and Cantonal Police. Using the decryptor is pretty straightforward, as it's a standalone executable that doesn't require installation and offers to locate encrypted files on the system automatically. Moreover, the decryptor can back up the encrypted files for safety in case something goes wrong in the decryption process that could corrupt the files beyond recovery. Also, for those who attempted to decrypt their files previously with mixed success, the new decryptor offers an advanced setting to replace them with clean files.

Rackspace: Customer Email Data Accessed in Ransomware Attack
Date: 2023-01-06

Rackspace revealed on Thursday that attackers behind last month's incident accessed some of its customers' Personal Storage Table (PST) files which can contain a wide range of information, including emails, calendar data, contacts, and tasks. This update comes after Rackspace confirmed that the Play ransomware operation was behind the cyberattack that took down its hosted Microsoft Exchange environment in December. As discovered during the now-finished investigation led by cybersecurity firm Crowdstrike, the attackers gained access to the personal storage folders of 27 Rackspace customers.

Hackers Abuse Windows Error Reporting Tool to Deploy Malware
Date: 2023-01-06

Hackers are abusing the Windows Problem Reporting tool (WerFault.exe) to load malware into a compromised system's memory using a DLL sideloading technique. Launching the malware through a legitimate, signed Windows executable lets it infect devices stealthily without raising alarms on the breached system. The campaign was spotted by K7 Security Labs, which could not identify the hackers, although they are believed to be based in China.
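Detection logic for this sideloading pattern, as an added example not drawn from the K7 report: it scans process-creation and image-load events for WerFault.exe running outside the Windows system directories, or loading a DLL that is unsigned or sits beside the executable instead of under System32. The event lines are constructed in a simplified key=value form rather than real Sysmon XML; the DLL name in the sample, faultrep.dll, is one the legitimate WerFault.exe does load from System32, used here only to illustrate the same-name sideload pattern, not as an indicator from this campaign.

```python
import ntpath
from typing import Dict, List

# directories from which the genuine WerFault.exe and its dependencies are expected to load
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def under_trusted_dir(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'Key=Value|Key=Value' records (constructed format, stands in for Sysmon fields)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return alert strings for one event; empty list means nothing suspicious."""
    alerts = []
    image = event.get("Image", "")
    if ntpath.basename(image).lower() != "werfault.exe":
        return alerts  # only the copied-binary pattern is in scope here
    if not under_trusted_dir(image):
        alerts.append(f"WerFault.exe running from non-system path: {image}")
    if event.get("EventID") == "7":  # image load (Sysmon semantics)
        dll = event.get("ImageLoaded", "")
        beside_exe = ntpath.dirname(dll).lower() == ntpath.dirname(image).lower()
        unsigned = event.get("Signed", "").lower() != "true"
        if not under_trusted_dir(dll) and (beside_exe or unsigned):
            alerts.append(f"WerFault.exe loaded untrusted DLL: {dll}")
    return alerts


def scan(lines: List[str]) -> List[str]:
    out = []
    for line in lines:
        out.extend(evaluate(parse_event(line)))
    return out


# constructed events: one benign load, one suspicious launch, one sideload, one unrelated process
SAMPLE_EVENTS = [
    "EventID=7|Image=C:\\Windows\\System32\\WerFault.exe"
    "|ImageLoaded=C:\\Windows\\System32\\faultrep.dll|Signed=true",
    "EventID=1|Image=C:\\Users\\victim\\AppData\\Local\\Temp\\WerFault.exe"
    "|CommandLine=WerFault.exe -u -p 4321|ParentImage=C:\\Windows\\System32\\rundll32.exe",
    "EventID=7|Image=C:\\Users\\victim\\AppData\\Local\\Temp\\WerFault.exe"
    "|ImageLoaded=C:\\Users\\victim\\AppData\\Local\\Temp\\faultrep.dll|Signed=false",
    "EventID=7|Image=C:\\Windows\\System32\\svchost.exe"
    "|ImageLoaded=C:\\Windows\\System32\\ntdll.dll|Signed=true",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The path check catches the copied binary even when the DLL load is not logged, and the DLL check catches the sideload even if the attacker manages to keep the executable in a trusted-looking location; signed-status alone is not enough, since the sideloaded DLL can be signed with a stolen or throwaway certificate.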

Zoho Warns About Critical Security Flaw Detected in ManageEngine Products
Date: 2023-01-06

Zoho, a business software provider, released a security advisory encouraging its customers to patch a critical security flaw affecting three ManageEngine products immediately, BleepingComputer reports. The SQL injection vulnerability, CVE-2022-47523, was found in Zoho's PAM360 privileged access management software, Password Manager Pro secure vault, and Access Manager Plus privileged session management solution.

SpyNote Android Malware Infections Surge After Source Code Leak
Date: 2023-01-06

During the final quarter of 2022, researchers noted an increase in detections of SpyNote (SpyMax), an Android malware with spying capabilities. The increase in SpyNote infections is likely the result of a source code leak of another piece of malware called CypherRat. “CypherRat combined SpyNote's spying capabilities, such as offering remote access, GPS tracking, and device status and activity updates, with banking trojan features that impersonate banking institutions to steal account credentials” (Bleeping Computer, 2022). CypherRat was sold on private Telegram channels from the second half of 2021, but the malware's author later published its source code on GitHub. Other threat actors have since leveraged the available source code to launch their own campaigns.

Hackers Use CAPTCHA Bypass to Make 20K Github Accounts in a Month
Date: 2023-01-05

A threat actor group out of South Africa known as 'Automated Libra' has been improving its techniques to profit from cloud platform resources used for cryptocurrency mining. According to Palo Alto Networks Unit 42, the threat actors use a new CAPTCHA-solving system, make more aggressive use of CPU resources for mining, and mix 'freejacking' with the "Play and Run" technique to abuse free cloud resources.

Zoho Urges Admins to Patch Critical ManageEngine Bug Immediately
Date: 2023-01-05

Zoho is urging customers to patch a critical security flaw impacting multiple ManageEngine products. Tracked as CVE-2022-47523, the flaw is related to a SQL injection vulnerability in the company’s Password Manager Pro secure vault, PAM360 privileged access management software, and Access Manager Plus privileged session management solution. According to Zoho, successful exploitation could enable threat actors to gain unauthenticated access to the backend database and execute queries to retrieve database table entries.
Below is a list of the impacted product versions:
Password Manager Pro 12200 and below
PAM360 5800 and below
Access Manager Plus 4308 and below

Database of the Cricketsocial[.]com Platform Left Open Online
Date: 2023-01-05

CyberNews discovered that a database used by the platform was left open online; it contained a huge trove of data. The social platform for the cricket community exposed over 100k entries of private customer data and credentials. The database, hosted by Amazon Web Services (AWS) in the US, contained admin credentials and private customer data, including emails, phone numbers, names, hashed user passwords, dates of birth, and addresses.

Slack's Private GitHub Code Repositories Stolen over Holidays
Date: 2023-01-05

Slack, in a statement this week, alerted users to an incident over the holidays that impacted some of its private GitHub code repositories. The incident involved a threat actor gaining access to Slack's externally hosted GitHub repositories via stolen Slack employee tokens. While some of Slack's private code repositories were breached, Slack's primary codebase and customer data remained unaffected, according to the company.

Fortinet Fixed Multiple Command Injection Bugs in FortiADC and FortiTester
Date: 2023-01-05

Cybersecurity vendor Fortinet addressed several vulnerabilities impacting its products. The company also warned customers of a high-severity command injection flaw, tracked as CVE-2022-39947 (CVSS score of 8.6), affecting the FortiADC Application Delivery Controller. CVE-2022-39947 is an improper neutralization of special elements used in an OS command (command injection) vulnerability in FortiADC; it can potentially lead to arbitrary code execution via specifically crafted HTTP requests.

Rail Giant Wabtec Discloses Data Breach After Lockbit Ransomware Attack
Date: 2023-01-04

U.S. rail and locomotive company Wabtec Corporation has disclosed a data breach that exposed personal and sensitive information. Wabtec is a U.S.-based public company producing state-of-the-art locomotives and rail systems. The company employs approximately 25,000 people and has a presence in 50 countries, being the world's market leader in freight locomotives and a major player in the transit segment. The firm's 2021 financial results give a revenue figure of $7.8 billion and report that a staggering 20% of the world's freight is moved by Wabtec's 23,000 locomotives in global operation.

Synology Fixes Maximum Severity Vulnerability in VPN Routers
Date: 2023-01-04

Taiwan-based NAS maker Synology has addressed a maximum (10/10) severity vulnerability affecting routers configured to run as VPN servers. The vulnerability, tracked as CVE-2022-43931, was discovered internally by Synology's Product Security Incident Response Team (PSIRT) in the VPN Plus Server software and was given a maximum CVSS3 Base Score of 10 by the company. VPN Plus Server is a virtual private network server that allows administrators to set up Synology routers as a VPN server to allow remote access to resources behind the router.

New Shc Linux Malware Used to Deploy CoinMiner
Date: 2023-01-04

The ASEC analysis team recently discovered a Linux malware, developed with the shell script compiler (shc), that threat actors used to install a CoinMiner. The experts believe attackers initially compromised targeted devices through a dictionary attack on poorly protected Linux SSH servers, then installed multiple pieces of malware on the target system, including the shc downloader, the XMRig CoinMiner, and a Perl-based DDoS IRC bot.

Thousands of Citrix Servers Still Unpatched for Critical Vulnerabilities
Date: 2023-01-03

According to NCC Group's Fox-IT research team, thousands of Citrix Application Delivery Controller (ADC) and Gateway endpoints remain vulnerable to two critical security flaws disclosed by the company over the last few months. The vulnerabilities in question are being tracked as CVE-2022-27510 and CVE-2022-27518 and have both received a CVSS score of 9.8, indicating a critical level of severity.

New Linux Malware Uses 30 Plugin Exploits to Backdoor WordPress Sites
Date: 2023-01-03

A previously unknown Linux malware has been exploiting 30 vulnerabilities in multiple outdated WordPress plugins and themes to inject malicious JavaScript. According to a report by antivirus vendor Dr. Web, the malware targets both 32-bit and 64-bit Linux systems, giving its operator remote command capabilities. The main functionality of the trojan is to hack WordPress sites using a set of hardcoded exploits that are run successively, until one of them works.

Atlantic Council: Beyond Attribution: Seeking National Responsibility for Cyber Attacks
Date: 2023-01-03

Nations cannot use these levers of power against an individual stone-thrower, but can use them against the nation that abets him. For countries that are willing to cooperate to reduce the numbers of insecure systems, there should be offers of funding, training, education, and access to technology. If a nation repeatedly refuses to cooperate, states on the receiving ends of continuing attacks must have recourse to the traditional full spectrum of coercive policies, from démarches to sanctions in the UN Security Council, prosecution in international courts, and all the way to covert action and kinetic military force.

Seeking National Responsibility for Cyber Attack
Date: 2023-01-03

This paper accordingly introduced the spectrum of state responsibility to shift the discussion away from “attribution fixation,” to national responsibility for attacks in cyberspace. The global national security community needs to shift resources from the technical attribution problem to solving the responsibility problem. This re-establishes state-to-state symmetry and enables a wider range of options open to sovereign nations: diplomatic, intelligence, military, and economic responses.

Ransomware Gang Apologizes, Gives SickKids Hospital Free Decryptor
Date: 2023-01-03

SickKids is a teaching and research hospital in Toronto that provides healthcare to sick children. On December 18th, the hospital suffered a ransomware attack that impacted internal and corporate systems, hospital phone lines, and the website. While the attack only encrypted a few systems, SickKids stated that the incident caused delays in receiving lab and imaging results and resulted in longer patient wait times.

Ransomware Gang Cloned Victim’s Website to Leak Stolen Data
Date: 2023-01-03

On December 26, the threat actor announced on its data leak site, hidden on the Tor network, that it had compromised a company in financial services. As the victim did not meet the threat actor's demands, BlackCat published all the stolen files as a penalty. As a deviation from the usual process, the hackers decided to also leak the data on a site that mimics the victim's, both in appearance and in domain name.

BlueNoroff Introduces New Methods Bypassing Mark of the Web (MoTW)
Date: 2023-01-03

BlueNoroff is a financially motivated threat actor that uses its cyber capabilities to generate profits. The group often targets a victim's cryptocurrency assets, and since October has been using new malware strains that take advantage of Word documents and shortcut files for initial intrusion.

FBI Recommends Ad Blockers as Cybercriminals Impersonate Brands in Search Engine Ads
Date: 2022-12-23

The Federal Bureau of Investigation (FBI) this week raised the alarm on cybercriminals impersonating brands in advertisements that appear in search engine results. The agency has advised consumers to use ad blockers to protect themselves from such threats. The attackers register domains similar to those of legitimate businesses or services and use those domains to purchase ads from search engine advertisement services, the FBI says in an alert. These nefarious ads are displayed at the top of the web page when the user searches for that business or service, and the user might mistake them for an actual search result.

98% of organizations with Office 365 harbor malicious emails inside their mailboxes. Threats like ransomware, spear phishing, and account takeover put your organization and employees at significant risk. Find out what's hiding in your inbox.


Via a security assessment, we can quickly identify security gaps and out-of-date patches and software updates, then advise on the steps to fix them.


Via a short questionnaire, we'll help you determine whether weaknesses exist in the way you protect your confidential data. In a few minutes, we'll produce a comprehensive profile of the strengths and vulnerabilities of your IT security. Let us show you where protections should be placed before those vulnerabilities are exploited.


LA-Cyber can directly submit suspicious URLs and files through the ISAO's Cyber Forum for rapid analysis to determine whether they are known or zero-day cybersecurity threats.
Contact LACyber

LACyber's main office is located at 155 Great Arrow, Buffalo New York. Our main office phone number is (716) 871-7040.

Location:

155 Great Arrow, Buffalo, NY 14207

Call:

+1 716 871-7040