From Trust to Trickery: Brand Impersonation Over the Email Attack Vector

Cisco researchers have discovered various techniques used by cybercriminals to embed and deliver brand logos within emails, targeting users through brand impersonation. This widespread threat leverages the familiarity and trust associated with well-known brand logos to solicit sensitive information, particularly in phishing emails where attackers aim to deceive recipients into revealing credentials or other valuable information.

Inside Operation Diplomatic Specter: Chinese APT Group's Stealthy Tactics Exposed

A Chinese APT group has been targeting governmental entities in the Middle East, Africa, and Asia since late 2022 as part of a cyber espionage campaign named Operation Diplomatic Specter. According to researchers from Palo Alto Networks Unit 42, this group has conducted long-term espionage against at least seven government entities, employing sophisticated email exfiltration techniques.

Threat Actor Claiming Access to AWS, Azure, & GitHub API Keys

According to a post on X (formerly known as Twitter), a threat actor is claiming to have gained access to a handful of API keys for major cloud service providers, including Amazon Web Services (AWS), Microsoft Azure, GitHub, etc. The actor who goes by the alias “carlos_hank,” stated that these keys are “fresh and all working,” with high permissions that can be used to compromise entire cloud infrastructures.

Chinese Hackers Rely on Covert Proxy Networks to Evade Detection

Chinese-backed threat actors, including groups like Volt Typhoon, are increasingly using proxy networks known as operational relay boxes for cyber espionage, according to a Mandiant report published on May 22. ORBs, similar to botnets, are mesh networks comprising compromised devices like virtual private servers, Internet of Things devices, smart devices, and routers.

Iranian MOIS-Linked Hackers Behind Destructive Attacks on Albania and Israel

An Iranian threat actor affiliated with one of the Iranian intelligence agencies has been observed conducting destructive wiping attacks that target Albania and Israel. Cybersecurity firm Check Point is tracking the activity under the moniker Void Manticore, which is also known as Storm-842 (formerly DEV-0842) by Microsoft. The techniques, tactics, and procedures (TTPs) employed by Void Manticore are relatively straightforward and simple, involving hands-on efforts using basic, mostly publicly available tools.

Critical Fluent Bit Flaw Impacts All Major Cloud Providers

A critical vulnerability in Fluent Bit has been identified, impacting major cloud providers and numerous tech giants by exposing them to denial-of-service and remote code execution attacks. Fluent Bit, a popular logging and metrics solution for Windows, Linux, and macOS, is embedded in major Kubernetes distributions.

Ransomware and AI-Powered Hacks Drive Cyber Investment

The surge in sophisticated cyber-attacks has led to significant financial implications for businesses. Ransomware attacks, in particular, have become increasingly prevalent and costly. These attacks involve encrypting a victim's data and demanding payment, typically in cryptocurrency, for its release.

New Android Banking Trojan Mimics Google Play Update App

Cyble Research and Intelligence Labs has uncovered a new banking trojan dubbed “Antidot” targeting Android devices by posing as a Google Play update application. Users who install the application are presented with a counterfeit Google Play update page that contains a “continue” button designed to redirect to the Android device's Accessibility settings.

Springtail: New Linux Backdoor Added to Toolkit

Symantec's Threat Hunter Team recently uncovered a new Linux backdoor, Linux.Gomir, developed by the North Korean Springtail espionage group, linked to a recent campaign against South Korean organizations. This group, also known as Kimsuky, has a history of targeting South Korean public sector organizations and was previously identified in attacks dating back to 2014.

Botnet Sent Millions of Emails in LockBit Black Ransomware Campaign

New Jersey's Cybersecurity and Communications Integration Cell (NJCCIC) disclosed that it uncovered a new LockBit campaign where actors are sending millions of phishing emails with the help of the Phorpiex botnet to infect potential victims with LockBit Black, an encryptor that was likely built using the LockBit 3.0 builder that was leaked by a disgruntled developer on Twitter in September 2022.

Mallox Ransomware Deployed Via MS-SQL Honeypot Attack

An MS-SQL honeypot incident has shed light on the tactics employed by attackers deploying Mallox ransomware. The honeypot, set up by researchers at Sekoia, was targeted by an intrusion set that brute-forced MS-SQL credentials and exploited various MS-SQL weaknesses to deploy the Mallox ransomware via PureCrypter. Upon analyzing Mallox samples, the researchers identified two distinct affiliates using different approaches.

Hackers Use DNS Tunneling to Scan and Track Victims

Threat actors are using DNS tunneling to track when targets open phishing emails and click malicious links, as well as to scan networks for vulnerabilities. DNS tunneling involves encoding data or commands within DNS queries, turning DNS into a covert communication channel. The attackers use various encoding methods, such as Base16, Base64, or custom algorithms, to transmit data via DNS records like TXT, MX, CNAME, and A (address) records.

Ongoing Campaign Bombards Enterprises with Spam Emails and Phone Calls

Cybersecurity researchers at Rapid7 have uncovered an ongoing social engineering campaign that barrages enterprises with spam emails with the goal of obtaining initial access to their environments for follow-on exploitation. The social engineering tactics involve overwhelming a potential victim's email with junk mail, calling the victim user, and offering them assistance with the issue.

Government's Addiction to Contractors Is Creating a Data Crisis

The rapid advancement of artificial intelligence and the proliferation of data worldwide, estimated to reach 200 zettabytes, have ushered in an era of unprecedented technological growth. However, despite this data abundance, there exists a crisis in accessing research data, with the government and private sector being identified as primary contributors to the problem.

North Korean Hackers Deploy New Golang Malware 'Durian' Against Crypto Firms

The North Korean APT group Kimsuky has been observed by Kaspersky deploying a previously undocumented Golang-based malware dubbed Durian in targeted cyberattacks against two South Korean cryptocurrency firms. Kaspersky states that Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads, and exfiltration of files.

'The Mask' Espionage Group Resurfaces After 10-Year Hiatus

Careto, also known as "The Mask," resurfaced after a lengthy hiatus, launching a cyber-espionage campaign targeting organizations primarily in Latin America and Central Africa. This APT group was initially active from 2007 to 2013, during which it targeted a diverse range of victims across 31 countries, including prominent entities like government institutions, diplomatic offices, energy companies, research institutions, and private equity firms.

GoTo Meeting Loads Remcos RAT via Rust Shellcode Loader

There has been a notable rise in cyber threats exploiting legitimate software platforms to propagate malicious payloads. Among these threats is the Remcos RAT, a sophisticated remote access tool favored by cybercriminals. Cyber attackers have leveraged trusted applications like GoTo Meeting to facilitate the deployment of the Remcos RAT, employing advanced techniques to evade detection and compromise systems.

Widely Used Telit Cinterion Modems Open to SMS Takeover Attacks

Security researchers at Kaspersky's ICS CERT division revealed a series of eight vulnerabilities, including CVE-2023-47610 through CVE-2023-47616, in Telit Cinterion cellular modems, prevalent across industrial, healthcare, and telecommunications sectors. The most severe flaw, CVE-2023-47610, enables remote code execution via SMS, granting attackers unauthorized access to the modem's operating system without authentication.

In the Shadow of Venus: Trinity Ransomware's Covert Ties

CRIL (Cyble Research and Intelligence Labs) has uncovered a new ransomware variant dubbed Trinity, notable for its utilization of a double extortion tactic. This method involves exfiltrating victim data before initiating encryption and subsequently demanding ransom payments. The threat actors behind Trinity operate victim support and data leak sites, enhancing their coercive capabilities (T1486).

GhostStripe Attack Haunts Self-Driving Cars by Making Them Ignore Road Signs

A group of researchers, primarily from Singapore-based universities, has demonstrated the feasibility of attacking autonomous vehicles by exploiting their reliance on camera-based computer vision systems. Dubbed GhostStripe, the attack manipulates the sensors used by brands like Tesla and Baidu Apollo, which rely on complementary metal oxide semiconductor (CMOS) sensors.

New 'LLMjacking' Attack Exploits Stolen Cloud Credentials

The Sysdig Threat Research Team recently conducted a study on a new cyber attack termed “LLMjacking”, which specifically targets cloud-hosted large language model services by exploiting stolen cloud credentials. These credentials were obtained from a vulnerable version of Laravel (CVE-2021-3120).

Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version

A new version of the Hijack Loader malware loader has been spotted by researchers at Zscaler; it comes with an updated set of anti-analysis techniques to fly under the radar. In total, the latest variant adds 7 new modules. Notably, one of these modules is designed to bypass User Account Control (UAC), a Windows security feature designed to prevent unauthorized changes to the operating system.

Massive Webshop Fraud Ring Steals Credit Cards From 850,000 People

BogusBazaar, a vast network of fake online shops, was discovered by Security Research Labs GmbH to have successfully deceived over 850,000 individuals in the United States and Europe. This operation, active for three years since 2021, has attempted to process around $50 million in fraudulent purchases by stealing credit card information and attempting fake transactions. The operation involves the creation of over 75,000 fake webshops.

New Attack Leaks VPN Traffic Using Rogue DHCP Servers

"TunnelVision" is a newly discovered cyber threat that exploits a vulnerability in the Dynamic Host Configuration Protocol to bypass the encryption of VPNs. This attack method, outlined in a report by Leviathan Security, enables malicious actors to intercept and surveil unencrypted data while maintaining the facade of a secure VPN connection.

China-Linked Attackers Successfully Targeting Network Security Devices, Worrying Officials

At the RSA Conference in San Francisco, cybersecurity experts revealed concerns about China-linked espionage groups exploiting zero-day vulnerabilities to infiltrate US critical infrastructure and businesses. Charles Carmakal from Mandiant Consulting highlighted how these attackers target network security devices that lack endpoint detection and response capabilities, such as routers and firewalls.

Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution

Over 52,000 out of 90,310 hosts with Tinyproxy services are vulnerable to a severe security flaw CVE-2023-49606, which exposes them to potential remote code execution. This vulnerability, with a CVSS score of 9.8 out of 10, affects Tinyproxy versions 1.10.0 and 1.11.1. The vulnerability arises from a use-after-free bug triggered by a specially crafted HTTP Connection header.

China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices

ArcaneDoor, a cyber espionage campaign targeting network devices from multiple vendors, including Cisco, has been linked to China-linked actors based on findings from Censys. The campaign, attributed to a sophisticated state-sponsored actor known as UAT4356 or Storm-1849, began around July 2023 and continued with the first confirmed attack using custom malware named Line Runner and Line Dancer in January 2024.

Lockbit's Seized Site Comes Alive to Tease New Police Announcements

Law enforcement agencies collaborated in a significant operation named Operation Cronos. This operation successfully dismantled the infrastructure of the LockBit ransomware group on February 19th. It involved seizing 34 servers that hosted the data leak website, along with data stolen from victims, cryptocurrency addresses, 1,000 decryption keys, and the affiliate panel used by LockBit.

New 'Cuckoo' Persistent macOS Spyware Targeting Intel and Arm Macs

The discovery of Cuckoo highlights the ongoing arms race between cybersecurity researchers and malicious actors. This malware's sophistication, from its ability to evade detection to its multifaceted information-gathering capabilities, showcases the level of expertise adversaries have attained in crafting highly effective threats.

Hackers Target New NATO Member Sweden with Surge of DDoS Attacks

According to metrics collected by network performance management provider Netscout, distributed denial-of-service (DDoS) attacks targeting Sweden surged in volume between 2023 and 2024 as the country was in the process of joining NATO. Netscout notes that DDoS attacks against Swedish organizations started picking up significantly in late 2023 with 730 Gbps attacks.

Top Threat Actors, Malware, Vulnerabilities and Exploits

The recent report from Picus Security outlines threats, malware, vulnerabilities, and exploits for the first week of May. Critical vulnerabilities, including CVE-2024-27322 in the R programming language and three in Judge0, pose significant risks. Malware activities involve Wpeeper Android malware utilizing compromised WordPress sites and the Dev Popper campaign targeting developers with a Python RAT.

Senators Reprimand UnitedHealth CEO in Ransomware Hearing

During a government hearing on Wednesday, senators strongly criticized UnitedHealth Group CEO Andrew Witty for the organization's inadequate security measures leading up to the February ransomware attack on Change Healthcare, a subsidiary. Witty confirmed a $22 million ransom payment and acknowledged potential data theft affecting one-third of Americans.

New "Goldoon" Botnet Targets D-Link Routers With Decade-Old Flaw

A newly discovered botnet named Goldoon has emerged, specifically targeting D-Link routers by exploiting a critical security flaw known as CVE-2015-2051. This flaw, with a high CVSS score of 9.8, impacts D-Link DIR-645 routers, allowing malicious actors to execute arbitrary commands remotely via specially crafted HTTP requests.

New Cuttlefish Malware Infects Routers to Monitor Traffic For Credentials

Lumen Technologies' Black Lotus Labs has uncovered a new malware dubbed 'Cuttlefish' that has been observed infecting enterprise-grade and small office/home office routers to monitor data passing through them and steal authentication information. The malware supports various router architectures with builds for ARM, i386, i386_i686, i386_x64, mips32, and mips64.

Food and Ag-ISAC Alert: Pro-Russian Hacktivists Targeting HMI Vulnerabilities in OT Networks

Threat actors continue to target operational technology as a means to disrupt critical infrastructure networks, or to deliver malware as a just-in-case measure for escalating global conflicts. Earlier this year we reported on IRGC-affiliated cyber actors targeting Israeli-produced programmable logic controllers (PLCs) to disrupt the water sector. We also highlighted reports of Chinese (PRC) state-sponsored actors compromising and maintaining persistent access to U.S. critical infrastructure with strategic and destructive malware.

Kapeka: A New Toolkit in the Arsenal of SandStorm

Kapeka, also known as KnuckleTouch, emerged around mid-2022 but gained formal tracking in 2024 due to its involvement in limited-scope attacks, notably in Eastern Europe. It's associated with the Sandstorm Group, operated by Russia's Military Unit 74455, known for disruptive cyber activities, particularly targeting Ukraine's critical infrastructure.

New Latrodectus Malware Attacks Use Microsoft, Cloudflare Themes

Latrodectus, also known as Unidentified 111 and IceNova, is a Windows malware downloader that acts as a backdoor, allowing threat actors to gain unauthorized access to compromised systems. The malware was initially discovered by Walmart's security team and later analyzed by cybersecurity firms such as Proofpoint and Team Cymru.

Threat Actor Profile: SideCopy

Operation SideCopy is a sophisticated cyber operation originating from Pakistan and primarily targeting Indian defense forces and personnel. Since its inception in early 2019, the threat group has demonstrated a high level of adaptability, continuously evolving its malware modules to avoid detection and maintain operational effectiveness. Notably, SideCopy closely monitors antivirus detections and promptly updates its modules in response.

China-Linked 'Muddling Meerkat' Hijacks DNS to Map Internet on Global Scale

A newly discovered cyber threat known as Muddling Meerkat has been actively engaging in sophisticated DNS activities since October 2019. This threat is believed to have affiliations with the People's Republic of China due to its utilization of DNS open resolvers from Chinese IP space and its potential control over the Great Firewall, which is known for censoring internet access and manipulating internet traffic in and out of China.

Over 1,400 CrushFTP Servers Vulnerable To Actively Exploited Bug

Last Friday, CrushFTP disclosed details of a critical-severity server-side template injection vulnerability in its file transfer software that is being actively exploited in attacks in the wild. Tracked as CVE-2024-4040, the flaw could enable attackers to perform a virtual file system escape to read any file on the server's file system, gain administrative privileges, and perform remote code execution to effectively compromise unpatched systems.

Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

Palo Alto Networks has issued remediation guidance for a critical security flaw, CVE-2024-3400, impacting PAN-OS, which is actively being exploited. This flaw allows unauthenticated remote shell command execution and has been observed in multiple versions of PAN-OS. Dubbed "Operation MidnightEclipse," the exploit involves dropping a Python-based backdoor named UPSTYLE, enabling execution of commands through crafted requests.

CISA: Cisco and CrushFTP Vulnerabilities Need Urgent Patches

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive for federal civilian agencies to patch three critical vulnerabilities within a week. These vulnerabilities include two affecting Cisco products (CVE-2024-20353 and CVE-2024-20359) and one impacting CrushFTP, a popular file transfer tool. The exploits are being actively utilized by state-sponsored threat actors, posing significant risks to network security.

Nespresso Domain Hijacked in Phishing Attack Targeting Microsoft Logins

Perception Point researchers have identified a new phishing campaign utilizing compromised accounts to target users through an open redirect vulnerability discovered within a Nespresso domain. Nespresso is a coffee manufacturer. This redirect method allows attackers to bypass standard endpoint detection security measures, assuming that these measures do not check for hidden or embedded links.

Autodesk Hosting PDF Files Used in Microsoft Phishing Attacks

A campaign has been uncovered by researchers at Netcraft, where actors are using compromised email accounts to send phishing emails to existing contacts. These emails contain shortened URL links (generated using the autode[.]sk URL shortener) that lead to malicious PDF documents hosted on Autodesk Drive, a data-sharing platform.

Advanced Cyber Threats Impact Even the Most Prepared

This blog post from MITRE highlights a recent cyber intrusion they experienced, emphasizing the evolving tactics of foreign nation-state cyber adversaries. The breach, discovered in April 2024, involved the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPNs and subsequent lateral movement into their VMware infrastructure.

DPRK Hacking Groups Breach South Korean Defense Contractors

The National Police Agency in South Korea has issued an urgent warning regarding ongoing cyberattacks targeting defense industry entities by North Korean hacking groups. The police discovered several instances of successful breaches involving the hacking groups Lazarus, Andariel, and Kimsuky, all linked to the North Korean hacking apparatus.

LOCKBIT Black's Legacy: Unraveling the DragonForce Ransomware Connection

The Cyble Research & Intelligence Labs (CRIL) report on DragonForce ransomware reveals significant insights. CRIL identified DragonForce ransomware as being based on LOCKBIT Black ransomware, suggesting that the threat actors behind DragonForce utilized a leaked builder of LOCKBIT Black to generate their binary. This discovery follows an X user sharing the download link for the LockBit ransomware builder in September 2022. DragonForce ransomware surfaced in November 2023, employing double extortion tactics and targeting victims worldwide.

Hackers Hijack Antivirus Updates to Drop Guptiminer Malware

GuptiMiner, a malware tool reportedly used by North Korean hackers, has recently come into the spotlight due to its sophisticated capabilities and the manner in which it has been deployed. The attack vector involves exploiting vulnerabilities in the update mechanism of eScan antivirus software, allowing the attackers to plant backdoors and deploy cryptocurrency miners on targeted networks.

Ransomware Double-Dip: Re-Victimization in Cyber Extortion

In the realm of cyber extortion, re-victimization often stems from a combination of desperation and strategic maneuvering by threat actors. For instance, repeat attacks against victims may exploit persistent vulnerabilities that were not adequately addressed or leverage new entry points, such as phishing campaigns or compromises in third-party services.

Cybercriminals Pose as LastPass Staff to Hack Password Vaults

LastPass has disclosed details of a campaign targeting its customers using the CryptoChameleon phishing kit. CryptoChameleon is a phishing-as-a-service offering that enables threat actors to easily generate fake SSO or other login sites impersonating the legitimate sites of companies to steal credentials and other information that can be used for authentication.

Quishing Attacks Jump Tenfold, Attachment Payloads Halve

Quishing attacks, a type of phishing that exploits QR codes, have seen a significant rise from 0.8% in 2021 to 10.8% in 2024, according to the latest findings from Egress. At the same time, the report notes a substantial decline in attachment-based payloads, which decreased by half from 72.7% to 35.7%. Impersonation attacks continue to be a prevalent threat, with 77% of them masquerading as well-known brands such as DocuSign and Microsoft.

Ransomware Victims Who Pay a Ransom Drops to Record Low

The latest trends in ransomware paint a complex picture of evolving dynamics within the cybercriminal ecosystem. Coveware's report highlights a notable decrease in ransom payments, with only 28% of victims opting to pay in the first quarter of 2024, marking a significant drop from previous periods. This shift is attributed to improved resilience among businesses, allowing them to recover from attacks without succumbing to ransom demands.

Hackers Target Middle East Governments with Evasive "CR4T" Backdoor

In February 2024, Kaspersky discovered a new malware campaign targeting government entities in the Middle East, actively employing over 30 DuneQuixote dropper samples. The droppers come in two forms: a regular malware dropper, or a tampered copy of the legitimate tool “Total Commander”; both carry malicious code to download additional malware through a backdoor Kaspersky has named “CR4T”.

FIN7 Targets American Automaker's IT Staff In Phishing Attacks

Researchers at BlackBerry have disclosed details of a spear-phishing campaign identified in late 2023 that targeted a large automotive manufacturer based in the United States. The campaign has been attributed to a financially motivated threat actor called FIN7 and initiated with spear-phishing emails targeting highly privileged employees in the IT department of the unnamed U.S.-based manufacturer.

Hackers Hijack OpenMetadata Apps in Kubernetes Cryptomining Attacks

Security researchers at Microsoft recently discovered a malware campaign exploiting new critical vulnerabilities in OpenMetadata to compromise Kubernetes environments, gain access to Kubernetes workloads and abuse them for malicious cryptomining activity. OpenMetadata is an open-source platform designed to manage metadata across various data sources. It serves as a central repository for users to discover, understand, and govern their data.

#StopRansomware: Akira Ransomware

This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.

Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware

Threat actors are actively targeting unpatched Atlassian servers using a critical security vulnerability known as CVE-2023-22518, which has a CVSS score of 9.1. This vulnerability affects the Atlassian Confluence Data Center and Server, allowing attackers to reset Confluence and create an administrator account without authentication. Once they gain this level of access, threat actors can assume control of the affected systems.

Cisco Duo Warns Third-Party Data Breach Exposed SMS MFA Logs

Cisco Duo recently sent out a notice warning that some of its customers' VoIP and SMS logs for multi-factor authentication messages were stolen by hackers in a cyberattack on the vendor's telephony provider. According to Cisco Duo, an unnamed provider that handles the company's SMS and VoIP multi-factor authentication messages was compromised on April 1, 2024. In this case, the actor obtained employee credentials via a phishing attack, which were then used to gain access to the telephony provider's systems.

PuTTY SSH Client Flaw Allows Recovery of Cryptographic Private Keys

The discovery of CVE-2024-31497 in PuTTY versions 0.68 through 0.80 unveils a critical vulnerability that exposes cryptographic private keys to potential recovery by attackers. This flaw stems from PuTTY's method of generating ECDSA nonces, introducing a bias that weakens the security of private key generation, particularly on the NIST P-521 curve.

Open Source Leaders Warn of XZ Utils-Like Takeover Attempts

The OpenSSF and OpenJS Foundations have issued a warning to open source maintainers regarding a series of social engineering attacks reminiscent of the xz Utils campaign. These attacks involve suspicious emails sent to the OpenJS Foundation Cross Project Council, requesting urgent updates to popular JavaScript projects under the pretext of addressing critical vulnerabilities.

Cybersecurity Pros Urge US Congress to Help NIST Restore NVD Operation

Professionals in the vulnerability management community warned that the lasting issues of the US National Vulnerability Database (NVD) could lead to a major supply chain security crisis. Fifty cybersecurity professionals jointly signed and sent an open letter on April 12th to several members of the US Congress, including the Secretary of Commerce, addressing the ongoing issues with the NVD.

7 Top IT Challenges in 2024

In recent years, AI, cybersecurity, and digital transformation have emerged as pivotal themes shaping the landscape of IT. Organizations must stay ahead of the curve, understanding the evolving dynamics, reasons behind them, and how to adapt.

AT&T Data Breach: Impact Extends to 51 Million Customers

AT&T has confirmed a data breach impacting 51 million former and current customers, after previously denying ownership of the leaked data. The breach, initially reported in 2021 by threat actor ShinyHunters and later by 'MajorNelson', exposed personal information including names, email addresses, phone numbers, social security numbers, and AT&T account details. Although AT&T claims no financial data or call history was compromised, the breach still poses significant risks to affected individuals.

From PDFs to Payload: Bogus Adobe Acrobat Reader Installers Distribute Byakugan Malware

A new malware variant known as Byakugan is being distributed through fake Adobe Reader installers. This malicious campaign was initially uncovered by AhnLab Security Intelligence researchers and further analyzed by Fortinet FortiGuard Labs. The attack begins with a PDF file written in Portuguese, which, upon opening, displays a blurred image and prompts the user to click on a link to download the Adobe Reader application to view the content.

RDP Abuse Present in 90% of Ransomware Breaches

Researchers at Sophos have observed a significant rise in Remote Desktop Protocol exploitation within ransomware attacks, based on their analysis of 150 incident response cases from 2023. They found that RDP abuse featured in a staggering 90% of these cases, allowing threat actors to gain unauthorized remote access to Windows environments.

AI Hallucinated Packages Fool Unsuspecting Developers

A recent report from Lasso Security has raised concerns about software developers potentially using nonexistent or hallucinated software packages when relying on chatbots to build applications. The report, based on continued research by Bar Lanyado from Lasso, builds upon previous findings that demonstrated how large language models can inadvertently recommend packages that do not actually exist.

Indian Government Rescues 250 Citizens Forced into Cybercrime in Cambodia

The Indian government has confirmed that it has rescued and repatriated around 250 Indian citizens who were held captive in Cambodia and coerced into executing cyber scams that target people in India. These victims of human trafficking were carefully lured by crime racket agents under the guise of employment opportunities, but these victims were forced into “cyber slavery” instead.

Inc Ransom Claims to Be Behind 'Cyber Incident' at UK City Council

The cybercriminal group INC Ransom has claimed responsibility for the ongoing cybersecurity incident at Leicester City Council, marking the first involvement of an established cybercrime gang in the local authority's IT troubles. According to a post on INC Ransom's leak blog, the group asserts having stolen 3 TB of council data before deleting it shortly after publication.

AT&T Resets Passcodes for 7.6 Million Customers Following Dark Web Data Leak

AT&T has reset passcodes for 7.6 million current customers and 65.4 million former subscribers following a data leak discovered on the dark web. The leaked information, dating back to 2019 and earlier, varies in content, potentially including full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, and AT&T account numbers.

Exposing a New BOLA Vulnerability in Grafana

Palo Alto Networks' Unit 42 researchers uncovered and disclosed a new Broken Object Level Authorization (BOLA) vulnerability that affects Grafana versions from 9.5.0 to 9.5.18, from 10.0.0 to 10.0.13, from 10.1.0 to 10.1.9, from 10.2.0 to 10.2.6, and from 10.3.0 to 10.3.5. Grafana is an established open-source data visualization and monitoring solution with almost 60,000 stars on GitHub that helps organizations drive business processes.

DinodasRAT Linux Implant Targeting Entities Worldwide

Kaspersky has disclosed details of a new Linux version of DinodasRAT that it discovered in early October 2023 after a publication from ESET. Also known as XDealer, the trojan is a multi-backdoor written in C++ that enables actors to surveil and harvest sensitive data from targeted systems.

Hackers Developing Malicious LLMs After WormGPT Falls Flat

Researchers have noted that cybercriminals are increasingly interested in developing malicious large language models due to the limitations of existing tools like WormGPT. Ransomware and malware operators are also showing interest in this trend. The demand for AI talent has risen as previous tools like WormGPT failed to meet cybercriminals' needs.

Agent Tesla's New Ride: The Rise of a Novel Loader

SpiderLabs has disclosed details of a new campaign that utilized a novel loader to ultimately deploy Agent Tesla on targeted systems. Researchers note that they identified a phishing email on March 8, 2024, which contained a seemingly harmless archive masquerading as a legitimate payment receipt from a bank.

Street Newspaper Appears to Have Big Issue with Qilin Ransomware Gang

The parent company of The Big Issue, a renowned street newspaper supporting homeless people, is facing a cybersecurity crisis initiated by the Qilin ransomware gang. The gang has claimed to have stolen 550 GB of sensitive company data, including personal information like driving licenses, salary details of executives, and even passport and bank details of key figures within the organization.

Sketchy NuGet Package Likely Linked to Industrial Espionage Targets Developers

Threat hunters have identified a potentially nefarious package named SqzrFramework480 within the NuGet package manager. This package is suspected to target developers using tools from a Chinese industrial technology firm known for manufacturing industrial and digital equipment. The package, uploaded by a user named "zhaoyushun1999," contains a DLL file named "SqzrFramework480[.]dll" that exhibits several concerning behaviors.

N. Korea-linked Kimsuky Shifts to Compiled HTML Help Files in Ongoing Cyberattacks

The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging CHM files as attack vectors in the delivery phase to deploy malware for harvesting sensitive data. Kimsuky has been active for over 10 years and is notorious for targeting entities in South Korea, North America, Europe, and Asia, gathering intelligence relative to North Korea's interests.

Russia Hackers Using TinyTurla-NG to Breach European NGO's Systems

Cisco Talos has provided updated details on a new campaign where the Russian espionage group Turla deployed their custom backdoor dubbed TinyTurla-NG to infect multiple systems in the compromised network of a European non-government organization (NGO). While it's unclear how exactly the group gained initial access, Turla in the past has initiated drive-by compromises and employed phishing lures to obtain a foothold into victim environments.

Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect

Mandiant's investigation reveals a sophisticated cyber threat campaign attributed to a Chinese threat actor group named UNC5174, also known by the alias "Uteus." The group employs a combination of novel and known vulnerabilities to target a wide range of organizations globally, including U.S. defense contractors, government entities, research institutions, and NGOs.

Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability

Ivanti has revealed a critical remote code execution vulnerability affecting Standalone Sentry and has urged customers to promptly apply the available patches for protection against potential cyber threats. Tracked as CVE-2023-41724 with a CVSS score of 9.6, this flaw allows unauthenticated attackers on the same network to execute arbitrary commands on the appliance's operating system.

New ‘Loop DoS’ Attack May Impact up to 300,000 Online Systems

Researchers at the CISPA Helmholtz Center for Information Security have discovered a new denial-of-service attack known as ‘Loop DoS’, which targets application layer protocols and exploits a weakness in the User Datagram Protocol (UDP). This attack can cause an indefinite communication loop between network services, resulting in a significant increase in traffic.

AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials

Juniper Threat Labs has released details on a Python-based tool, dubbed AndroxGh0st, designed to target Laravel applications and steal sensitive data. Laravel is an open-source PHP web application development framework that is used for designing web applications such as e-commerce platforms, APIs, content management systems, etc.

New AcidPour data wiper targets Linux x86 Network Devices

SentinelLabs security researcher Tom Hegel has spotted a new destructive malware dubbed AcidPour, which seems to be a variant of the AcidRain data wiper that was used to target satellite communications provider Viasat back in 2022. In a series of posts on X (formerly known as Twitter), Juan Andres Guerrero Saade, AVP of Research for SentinelLabs, provided details regarding the new data wiper, noting that it is designed to target Linux x86 IoT and networking devices.

Chinese Earth Krahang Hackers Breach 70 Orgs in 23 Countries

Trend Micro has released details surrounding a campaign that has been ongoing since early 2022. The campaign has been attributed to a Chinese APT group dubbed ‘Earth Krahang’, who according to researchers has breached 70 organizations and targeted at least 116 entities across 45 countries since initiating operations.

'Conversation Overflow' Cyberattacks Bypass AI Security to Target Execs

A novel cyberattack method called "Conversation Overflow" has recently surfaced, showcasing cybercriminals' attempts to bypass AI- and ML-enabled security platforms through sophisticated techniques. This attack tactic, analyzed by SlashNext researchers, is observed in multiple incidents, indicating a deliberate effort to evade advanced cybersecurity defenses.

Malware Analysis Report

The report provides an analysis of an njRAT (Remote Access Trojan) sample discovered in October 2023. The malware, written in .NET, allows attackers to remotely control infected machines. Basic static analysis reveals key file information and suspicious strings indicating registry manipulation, network communication, and process control.

Kaspersky Reports Phishing Attacks Grew By 40 Percent in 2023

A new report from Kaspersky noted that its anti-phishing system was able to deter over 709 million attempts to access phishing and scam websites in 2023, highlighting a 40 percent increase over 2022. A spike in phishing activity was observed between May and June, where actors used travel-related lures including counterfeit airline tickets and fake hotel deals to gain potential victims.

Increase in the Number of Phishing Messages Pointing to IPFS and to R2 Buckets

Credential-stealing phishing remains a persistent threat, with threat actors continually evolving their tactics. While various methods for hosting phishing pages exist, including third-party services and email attachments, traditional approaches involving internet-connected servers remain common. A recent trend observed involves an increase in phishing campaigns utilizing IPFS (InterPlanetary File System) and R2 buckets, a Cloudflare object storage service, to host malicious content.

McDonald's IT Systems Outage Impacts Restaurants Worldwide

The recent global IT outages experienced by McDonald's restaurants have caused significant disruptions to operations across multiple countries. These outages, which commenced overnight, have led to widespread difficulties in order-taking and payment processing, prompting some stores to close temporarily.

Third-Party ChatGPT Plugins Could Lead to Account Takeovers

Researchers have discovered vulnerabilities in third-party plugins for OpenAI's ChatGPT, which could be exploited by attackers to gain unauthorized access to sensitive data. Salt Labs published research revealing security flaws in ChatGPT and its ecosystem, allowing attackers to install malicious plugins without user consent and take over accounts on platforms like GitHub.

Ande Loader Malware Targets Manufacturing Sector in North America

Blind Eagle, also known as APT-C-36, has been observed utilizing a loader malware named Ande Loader to distribute remote access trojans (RATs) like Remcos RAT and NjRAT. The attacks primarily target Spanish-speaking users in the manufacturing industry based in North America. These malicious activities are executed through phishing emails containing RAR and BZ2 archives, serving as the initial vectors of infection.

US Govt Probes if Ransomware Gang Stole Change Healthcare Data

The U.S. Department of Health and Human Services is investigating whether protected health information was stolen in a ransomware attack that hit UnitedHealthcare Group (UHG) subsidiary Optum, which operates the Change Healthcare platform, in late February. This investigation is coordinated by HHS' Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA) rules that protect patients' health information from being disclosed without their knowledge or consent.

What a Cluster: Local Volumes Vulnerability in Kubernetes

A high-severity vulnerability, CVE-2023-5528, with a CVSS score of 7.2, has been discovered by Akamai security researcher Tomer Peled in Kubernetes. This vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster, posing a significant threat. It can be exploited via malicious YAML files, potentially leading to full takeover of Windows nodes.

Russia's Foreign Intelligence Service Alleges US Is Plotting to Interfere in Presidential Election

Russia's Foreign Intelligence Service (SVR) alleges that the US is plotting to interfere in its upcoming presidential election scheduled this month. According to SVR, US nation-state actors plan to launch cyber attacks against Russian voting systems to disrupt operations and interfere with the vote-counting process, as reported by Reuters. “According to information received by the Foreign Intelligence Service of the Russian Federation, the administration of J. Biden is setting a task for American NGOs to achieve a decrease in turnout,” reads a statement issued by the SVR and reported by Reuters.

Alert: Cybercriminals Deploying VCURMS and STRRAT Trojans via AWS and GitHub

A recent phishing scheme has been detected distributing remote access trojans like VCURMS and STRRAT through a malicious Java-based downloader. The attackers utilized public services like AWS and GitHub to host malware, employing a commercial protector to evade detection. An unusual element of the campaign is VCURMS' use of a Proton Mail email address for communication with a C2 server.

Cloud Account Attacks Surged 16-Fold in 2023

According to Red Canary's 2024 Threat Detection Report, cloud account threats surged by 16 times in 2023, with attackers adopting new strategies tailored for cloud environments. Attacks exploiting T1078.004: Cloud Accounts, a technique outlined by MITRE ATT&CK for cloud account compromises, rose to become the fourth most prevalent method used by threat actors, a significant increase from its 46th position in 2022.

Secure Cloud Business Applications: Hybrid Identity Solutions Guidance

Identity management for a traditional on-premises enterprise network is usually handled by an on-premises directory service (e.g., Active Directory). When organizations leverage cloud solutions and attempt to integrate them with their on-premises systems (creating a “hybrid” environment), identity management can become significantly more complex.

Over 12 Million Auth Secrets and Keys Leaked on GitHub in 2023

A new report from GitGuardian notes that GitHub users accidentally leaked 12.8 million authentication and sensitive secrets during 2023, highlighting a 28 percent increase over the previous year. The IT sector accounted for the most secrets leaked (65.9%), followed by education, science, retail, manufacturing, etc.

Ransomware: Attacks Continue to Rise as Operators Adapt to Disruption

Despite a decrease in the number of publicly claimed ransomware attacks, ransomware activity remains a significant threat, with attackers adapting to disruption and refining their tactics. Vulnerability exploitation has emerged as the primary infection vector, with attackers targeting known vulnerabilities in public-facing applications. LockBit, Noberus, and Clop are among the most prolific ransomware operations, with LockBit being the largest threat, followed by Noberus and Clop.

Typosquatting Wave Shows No Signs of Abating

In the ever-evolving landscape of cybersecurity threats, one tactic stands out for its enduring effectiveness: typosquatting. Since the dawn of the commercial internet, threat actors have leveraged this deceptive strategy to impersonate legitimate businesses, exploiting users' inattention and human errors to propagate malware, steal data, and pilfer funds.

Three-Quarters of Cyber Incident Victims Are Small Businesses

A new report from Sophos highlighted that over three-quarters of cyber incidents in 2023 impacted small businesses. Ransomware in particular made up a good chunk of these incidents, with groups like LockBit, Akira, BlackCat, and Play leading the forefront in terms of the attacks observed against small businesses. Sophos notes that tactics employed by ransomware groups evolved as 2023 progressed, including the employment of remote encryption, where these actors have been observed abusing unmanaged devices on organizations' networks to attempt to encrypt files on other systems via network file access.

Researchers Expose Microsoft SCCM Misconfigurations Usable in Cyberattacks

Security researchers have created a knowledge base repository for attack and defense techniques based on improperly setting up Microsoft's Configuration Manager, which could allow an attacker to execute payloads or become a domain controller. Configuration Manager (MCM), formerly known as System Center Configuration Manager (SCCM, ConfigMgr), has been around since 1994 and is present in many Active Directory environments, helping administrators manage servers and workstations on a Windows network.

Magnet Goblin Hackers Use 1-Day Flaws to Drop Custom Linux Malware

A financially motivated hacking group exploits newly disclosed 1-day vulnerabilities to infiltrate public-facing servers, deploying custom malware on both Windows and Linux systems. These vulnerabilities, publicly disclosed but not yet patched, are swiftly leveraged by threat actors before security updates can be applied. Analysts identified rapid exploitation of these vulnerabilities, sometimes within a day of a proof of concept exploit being released.

NSA Launches Top 10 Cloud Security Mitigation Strategies

As businesses transition towards hybrid and multi-cloud environments, the prevalence of cloud misconfigurations and security vulnerabilities has emerged as a significant concern. Cyber threat actors are capitalizing on these vulnerabilities, targeting misconfigured or inadequately secured cloud systems.

Dropbox Used to Steal Credentials and Bypass MFA in Novel Phishing Campaign

Security company Darktrace shared details around a new phishing campaign leveraging legitimate Dropbox infrastructure to bypass multi-factor authentication (MFA). Darktrace notes in their report that while it is common for attackers to exploit the trust of users by mimicking common services, this campaign took things a step further and actually used the legitimate cloud storage platform.

Switzerland: Play Ransomware Leaked 65,000 Government Documents

Switzerland's National Cyber Security Centre (NCSC) has released details surrounding a ransomware attack on Xplain which impacted thousands of sensitive government files. Xplain is a Swiss technology and software solutions company, which supports various government departments, administrative units, and even the country's military.

'The Weirdest Trend in Cybersecurity': Nation-States Returning to USBs

During a keynote presentation this week at CPX 2024 in Las Vegas, the vice president of research at Check Point, Maya Horowitz, highlighted the resurgence of USBs used by nation-state actors to compromise highly secured government organizations and critical infrastructure facilities. According to Horowitz, three major threat groups employed USBs as their primary initial infection vector in 2023: Chinese nation-state group Mustang Panda, Russian APT group Gamaredon, and the actors behind the Raspberry Robin worm.

NSA's Zero-Trust Guidelines Focus on Segmentation

The US National Security Agency (NSA) has released guidelines for zero-trust network security, aiming to provide a structured approach towards its adoption. Despite the increasing recognition of zero trust as a vital security strategy, its implementation remains slow, necessitating clear guidance and support.

New Python-Based Snake Info Stealer Spreading Through Facebook Messages

Facebook messages are being used by threat actors to distribute a Python-based information stealer dubbed Snake that's designed to capture credentials and other sensitive data. "The credentials harvested from unsuspecting users are transmitted to different platforms such as Discord, GitHub, and Telegram," Cybereason researcher Kotaro Ogino said in a technical report.

FBI Releases 2023 Internet Crime Report

The report issued on March 6, 2024, highlights the escalating cybercrime landscape in the United States, with a record number of complaints received by the Internet Crime Complaint Center (IC3) in 2023. Key points include a substantial increase in financial losses, with investment fraud, Business Email Compromise (BEC), and ransomware standing out as significant threats.

Critical TeamCity Bugs Endanger Software Supply Chain

Critical vulnerabilities have been uncovered in the on-premises deployments of JetBrains TeamCity, a widely used Continuous Integration/Continuous Deployment (CI/CD) pipeline tool. These vulnerabilities, known as CVE-2024-27198 and CVE-2024-27199, pose significant risks as they could enable threat actors to gain administrative control over TeamCity servers.

ScreenConnect Flaws Exploited to Drop New ToddlerShark Malware

Late last month, ConnectWise addressed two flaws impacting its remote access software ScreenConnect, which could be exploited by actors to bypass authentication (CVE-2024-1709) and execute code remotely (CVE-2024-1708). Since then, several threat actors have abused the flaws, particularly CVE-2024-1709, in the wild to deploy various payloads including ransomware (Black Basta, Bl00dy, LockBit), remote access trojans, info stealers, and much more.

Stealthy GTPDOOR Linux Malware Targets Mobile Operator Networks

Security researcher HaxRob discovered a previously unknown Linux backdoor named GTPDOOR, designed for covert operations within mobile carrier networks. The threat actors behind GTPDOOR are believed to target systems adjacent to the GPRS roaming eXchange (GRX), such as SGSN, GGSN, and P-GW, which can provide the attackers direct access to a telecom's core network.

Content Farm Impersonates 60+ Major News Outlets

Researchers at BleepingComputer have discovered a content farm that masquerades as reputable news sources, including a couple of major news outlets. These sites plagiarize articles without attribution, essentially stealing content from credible news organizations and research institutes.

TA577 Exploits NTLM Authentication Vulnerability

Proofpoint cybersecurity researchers have uncovered a new tactic employed by cybercriminal threat actor TA577, revealing a previously unseen objective in their operations. The group was found using an attack chain aimed at stealing NT LAN manager (NTLM) authentication information, which could potentially be used for sensitive data gathering and further malicious activities.

Blackcat Ransomware Turns off Servers Amid Claim They Stole $22 Million Ransom

BleepingComputer has uncovered new developments regarding the ALPHV/BlackCat ransomware gang's activities. According to reports, the gang has taken the drastic step of shutting down its servers amidst accusations of defrauding an affiliate out of a staggering $22 million. This affiliate is believed to have been responsible for the attack on Optum's Change Healthcare platform.

Hackers Stole ‘Sensitive' Data From Taiwan Telecom Giant: Ministry

Last Friday, Taiwan's Ministry of National Defense confirmed an attack on the country's largest telecom company, Chunghwa Telecom, enabling hackers to steal sensitive information including military and government contracts. The actors have advertised the stolen data on the dark web, claiming to have exfiltrated 1.7 TB of data from Chunghwa Telecom.

Five Eyes Warn of Ivanti Vulnerabilities Exploitation, Detection Tools Insufficient

On February 29, government agencies from the Five Eyes countries, comprising Australia, Canada, New Zealand, the UK, and the US, issued an urgent warning regarding the active exploitation of vulnerabilities found in Ivanti products. These vulnerabilities, which include CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, affect all supported versions of Ivanti gateways, spanning from 9.x to 22.x.

Cybercriminals Harness AI for New Era of Malware Development

Researchers at Group-IB have observed cybercriminals increasingly harnessing the power of artificial intelligence to develop more advanced and potent malware, as evidenced by the escalating number of ransomware attacks and the collaborative efforts between ransomware groups and initial access brokers.

New Phishing Kit Leverages SMS, Voice Calls to Target Cryptocurrency Users

A new phishing kit has emerged, targeting cryptocurrency users by impersonating login pages of prominent cryptocurrency services, with a focus on mobile devices. The kit allows attackers to create fake single sign-on (SSO) pages, using a combination of email, SMS, and voice phishing to deceive victims into divulging sensitive information, including usernames, passwords, and even photo IDs.

'Savvy Seahorse' Hackers Debut Novel DNS CNAME Trick

A newly discovered threat actor, known as Savvy Seahorse, is orchestrating an investment scam by leveraging a sophisticated traffic distribution system (TDS) that exploits the Domain Name System (DNS). Savvy Seahorse impersonates reputable brands like Meta and Tesla through Facebook ads in multiple languages, enticing victims to create accounts on a fake investing platform.

Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28's MooBot Threat

A joint advisory from cybersecurity and intelligence agencies highlights the MooBot threat targeting users of Ubiquiti EdgeRouters. This botnet, orchestrated by Russia's APT28, has been operational since at least 2022 and has been employed in various cyber operations globally. APT28, known for its affiliation with Russia's Main Directorate of the General Staff, has been active since 2007 and is notorious for its sophisticated cyber campaigns.

Black Basta, Bl00dy Ransomware Gangs Join ScreenConnect Attacks

The Black Basta and Bl00dy ransomware groups have recently been identified as participants in a wave of attacks targeting vulnerable ScreenConnect servers. These attacks exploit a critical authentication bypass vulnerability (CVE-2024-1709), which enables threat actors to create administrative accounts on internet-exposed servers.

China Launches New Cyber-Defense Plan for Industrial Networks

China's Ministry of Industry and Information Technology (MIIT) has unveiled a comprehensive strategy aimed at bolstering data security within the nation's industrial sector. This initiative, slated for completion by the end of 2026, is designed to mitigate major risks posed by cyber threats to over 45,000 companies operating in various industrial verticals.

Change Healthcare Cyber-Attack Leads to Prescription Delays

Health tech firm Change Healthcare was hit with a cyberattack on February 21, 2024, leading to a disruption of a number of its systems and services. According to Change Healthcare, numerous applications across areas such as pharmacy, medical records, dental, payment services, and patient engagement are still experiencing connectivity issues. In particular, pharmacies have reported being unable to process patient prescriptions, preventing individuals from getting their medications on time.

New ScreenConnect RCE Flaw Exploited in Ransomware Attacks

Last week enterprise IT giant ConnectWise released patches to address a maximum-severity flaw impacting its remote access software, ScreenConnect. Tracked as CVE-2024-1709, the bug pertains to an authentication bypass that could potentially enable attackers to gain access to confidential information or critical systems.

X Protests Forced Suspension of Accounts on Orders of India's Government

and government regulation in the digital age, particularly in countries like India where social and political tensions often spill over into online platforms. The global government affairs team at X, previously known as Twitter, has taken action to suspend certain accounts and posts within India as per directives received from the country's government.

Unmasking I-Soon | The Leak That Revealed China's Cyber Operations

The leak from I-Soon, a company contracting for various Chinese government agencies including the Ministry of Public Security, Ministry of State Security, and People's Liberation Army, occurred over the weekend of February 16th. The source of the leak and motives behind it remain unknown, but it offers unprecedented insight into the operations of a state-affiliated hacking contractor.

LockBit Ransomware Secretly Building Next-Gen Encryptor Before Takedown

Researchers at Trend Micro have uncovered details on a new LockBit sample that the actors were secretly building prior to law enforcement's takedown of the group's infrastructure earlier this week. The new sample, dubbed LockBit-NG-Dev, is written in the .NET programming language and appears to be compiled with CoreRT, whereas previous LockBit samples were written in C++.

'Lucifer' Botnet Turns Up the Heat on Apache Hadoop Servers

A new iteration of the Lucifer botnet has emerged, specifically aimed at organizations utilizing Apache Hadoop and Apache Druid big data technologies. The variant combines the insidious traits of cryptojacking and distributed denial of service capabilities, posing a significant threat to vulnerable systems.

LockBit Leaks Expose Nearly 200 Affiliates and Bespoke Data-Stealing Malware

This article provides an update on recent revelations regarding the LockBit ransomware group. Law enforcement authorities have disclosed that nearly 200 "affiliates" have registered with the group over the past two years. Affiliates are individuals who participate in the gang's ransomware-as-a-service model, utilizing LockBit's tools in exchange for a share of the profits obtained from victims.

Warning of North Korean Cyber Threats Targeting the Defense Sector

The Bundesamt für Verfassungsschutz (BfV) of Germany and the National Intelligence Service (NIS) of the Republic of Korea (ROK) have issued a joint Cyber Security Advisory (CSA) to alert about cyber campaigns likely conducted by North Korean actors targeting the defense sector. North Korea's focus on military strength drives them to steal advanced defense technologies globally, using cyber espionage as a cost-effective method.

Cactus Ransomware Gang Claims The Theft Of 1.5tb Of Data From Energy Management And Industrial Autom

The Cactus ransomware group, which claimed responsibility for an attack on Schneider Electric, says it has stolen 1.5 TB of data from the energy management and industrial automation company. According to reports, the company's Sustainability Business division was targeted on January 17th. Impacts were felt as the company's cloud services faced outages; however, other divisions of the company were not impacted.

US Gov Dismantled The Moobot Botnet Controlled by Russia-Linked APT28

In January 2024, a court-authorized operation was able to take down the Moobot botnet, a network of hundreds of small office/home office (SOHO) routers under the control of the Russia-linked group APT28. This court order enabled law enforcement to use the Moobot malware to copy and delete stolen and malicious data and files from compromised routers.

Over 13,000 Ivanti gateways vulnerable to actively exploited bugs

This year, Ivanti has disclosed several vulnerabilities impacting its Connect Secure, Policy Secure, and ZTA gateways. Tracked as CVE-2024-22024, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888, these flaws range from high to critical in severity and pertain to authentication bypass, server-side request forgery, arbitrary command execution, and command injection.

Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor

Cisco Talos disclosed details of a three-month-long campaign where Russia-linked threat actor Turla has been targeting Polish non-governmental organizations with a new backdoor dubbed TinyTurla-NG. This campaign has been ongoing since December 18, 2023, with researchers suspecting that the activity may have actually commenced in November 2023 based on malware compilation dates.

U.S. Internet Leaked Years of Internal, Customer Emails

Minnesota-based Internet Service Provider U.S. Internet Corp has suffered a significant data leak. Specifically, a business unit called Securence, which specializes in providing filtered, secure email services to businesses, educational institutions and government agencies worldwide, was accidentally publishing more than a decade's worth of its own internal emails, and those of thousands of clients, in plain text on the Internet where anyone could view them.

MFA and Software Supply Chain Security: It's No Magic Bullet

A recent article from ReversingLabs discusses the importance of Multifactor Authentication (MFA) in securing software development environments, particularly in light of recent high-profile attacks such as SolarWinds, Codecov, and Kaseya. The report highlights how attackers target developer accounts to manipulate code, access secrets, and wreak havoc on organizations and their customers.

Warzone RAT Infrastructure Seized

On February 9, 2024, the Justice Department announced the seizure of internet domains selling the Warzone RAT malware, a sophisticated Remote Access Trojan. Domains including www[.]warzone[.]ws were seized, with two suspects arrested in Malta and Nigeria for selling the malware. The operation, led by the FBI and supported by Europol and J-CAT, aimed to disrupt cybercriminals using the malware.

FCC Makes AI-Generated Voices in Robocalls Illegal

The Federal Communications Commission (FCC) has made AI-generated voices in robocalls illegal under the Telephone Consumer Protection Act (TCPA), with a Declaratory Ruling that took effect immediately. This ruling aims to combat the rising trend of robocall scams that use AI-generated voices to deceive consumers, imitate celebrities, and spread misinformation.

Notorious Bumblebee Malware Re-emerges with New Attack Methods

The Bumblebee malware, known for its role as an initial access broker facilitating the download and execution of additional payloads like Cobalt Strike and Meterpreter, has made a comeback with fresh tactics after a period of dormancy. Proofpoint researchers observed a significant shift in the attack chain, diverging from previous Bumblebee patterns.

Bank of America Customer Data Stolen in Data Breach

Bank of America is warning its customers of a data breach exposing their personal information after one of its third-party service providers, Infosys McCamish System (IMS) fell victim to a cyber attack in November of last year. LockBit claimed responsibility for the attack, listing IMS on its data leak site on November 4.

Rhysida Ransomware Cracked, Free Decryption Tool Released

A group of researchers from Kookmin University and the Korea Internet and Security Agency (KISA) uncovered an implementation vulnerability enabling them to reconstruct encryption keys and decrypt data locked by Rhysida ransomware. “Rhysida ransomware employed a secure random number generator to generate the encryption key and subsequently encrypt the data.

Exploitation of Another Ivanti VPN Vulnerability Observed

Last week, Ivanti disclosed a new vulnerability impacting its Connect Secure, Policy Secure, and ZTA gateway appliances. Tracked as CVE-2024-22024, the flaw impacts the SAML component of these appliances and can be exploited by actors to gain access to restricted resources without authentication. At the time of the disclosure, Ivanti noted that it had no evidence to suggest that the flaw was being actively exploited.

Raspberry Robin Keeps Riding the Wave of Endless Zero-days

Researchers from Check Point have released a new report on the evolution of Raspberry Robin malware. The latest strains are stealthier and implement various 1-day exploits that are deployed on specific vulnerable systems. 1-day exploits are similar to zero-day exploits, but a public disclosure and/or vendor patch is already available. Even though a patch may be available, threat actors will exploit these vulnerabilities soon after disclosure, before victims have installed the patch.

Ransomware Payments Reached Record $1.1 billion in 2023

In 2023, ransomware payments soared to a record $1.1 billion, reversing the declining trend in 2022. According to researchers from Chainalysis, this trend is likely attributed to the escalating attacks against major institutions and critical infrastructure and Clop's massive MOVEit campaign, which compromised dozens of organizations across the globe.

Lessons from the Mercedes-Benz Source Code Exposure

Mercedes-Benz faced a significant security breach when a private key was mistakenly left online, resulting in the exposure of sensitive internal data. The breach, discovered by RedHunt Labs security researchers, exposed critical internal information, intellectual property, and sensitive credentials.

Verizon Insider Data Breach Hits over 63,000 Employees

Verizon Communications issued an advisory this week that an insider data breach has impacted almost half of its workforce, exposing sensitive employee personally identifiable information (PII). A data breach notification shared with the Office of the Maine Attorney General reveals that a Verizon employee gained unauthorized access to a file containing sensitive employee information on September 21, 2023.

Hackers Steal Data of 2 Million in SQL Injection, XSS Attacks

A group known as 'Resume Looters' has conducted SQL injection attacks on 65 legitimate job listing and retail websites, compromising the personal data of over two million job seekers, mainly in the APAC region. The group targeted sites in Australia, Taiwan, China, Thailand, India, and Vietnam to steal names, email addresses, phone numbers, employment history, education and other information.

Beware: Fake Facebook Job Ads Spreading 'Ov3r_Stealer' to Steal Crypto and Credentials

A new campaign has been uncovered by Trustwave SpiderLabs where actors are using Facebook job advertisements to trick unsuspecting end users into installing a novel Windows-based stealer malware codenamed Ov3r_Stealer. For its part, Ov3r_Stealer is capable of siphoning IP address-based location, hardware info, passwords, cookies, credit card information, auto-fills, browser extensions, crypto wallets, Microsoft Office documents, and a list of antivirus products installed on the compromised host.

US to Roll Out Visa Restrictions on People Who Misuse Spyware to Target Journalists, Activists

Yesterday, the Biden administration announced it would be rolling out a new policy to impose visa restrictions on foreign individuals involved in the misuse of commercial spyware. This includes those who have used spyware to target individuals such as journalists, activists, perceived dissidents, members of marginalized communities, or the family members of those who are targeted.

US Condemns Iran, Issues Sanctions for Cyber-Attacks on Critical Infrastructure

The US issued new sanctions against Iran after “destabilizing and potentially escalatory” cyber attacks against US critical infrastructure. The remarks were made in a statement that announced sanctions against six Iranians for last year's cyber-attack against Unitronics, an Israeli manufacturer of programmable logic controllers used in the water sector and other critical infrastructure organizations. Several organizations in the water sector were impacted by a group of hacktivists called the CyberAv3ngers.

Dirtymoe (Purplefox) Affected More Than 2000 Computers in Ukraine

The Government Computer Emergency Response Team of Ukraine (CERT-UA) took action under the law to assist a state-owned enterprise facing significant damage from the DIRTYMOE (PURPLEFOX) malicious program, affecting over 2,000 computers in the Ukrainian internet segment. Analysis of malware samples and reference to reports from Avast and Trendmicro aided in understanding the threat's intricacies.

New Windows Event Log Zero-Day Flaw Gets Unofficial Patches

Temporary patches have been released to address a new Windows zero-day flaw dubbed EventLogCrasher that lets attackers remotely crash the Event Log service on devices within the same Windows domain. According to security researcher Florian, who discovered and reported the flaw, Microsoft tagged the flaw as “not meeting servicing requirements” and said it's a duplicate of a bug that was disclosed in 2022 (no further details were provided).

US Shorts China's Volt Typhoon Crew Targeting America's Criticals

According to Reuters, the US Justice Department and FBI have reportedly taken action against Chinese state-sponsored hackers attempting to infiltrate American critical infrastructure. Over several months, law enforcement conducted operations authorized by a court order to disable parts of the Chinese hacking campaign. This campaign, known as Volt Typhoon, was revealed in May 2023 after it was found that the hackers had accessed US critical infrastructure networks as far back as 2021.

ICS Ransomware Danger Rages Despite Fewer Attacks

According to a recent report from Dragos, despite the takedown of prominent ransomware groups, the remaining threat actors have evolved their tactics and continued to exploit zero-day vulnerabilities. This has allowed them to inflict more damage on industrial control systems (ICS) with fewer attacks, as highlighted in Dragos' latest industrial ransomware analysis for the last quarter of 2023.

Microsoft Teams Phishing Pushes DarkGate Malware Via Group Chats

AT&T's cybersecurity research team has uncovered a new wave of phishing attacks that abuse Microsoft Teams group chat requests to distribute malicious attachments designed to infect targeted systems with DarkGate malware. In total, attackers have used what seems to be a compromised team user (or domain) to send over 1,000 malicious group chat invites to unsuspecting users.

New ZLoader Malware Variant Surfaces with 64-bit Windows Compatibility

Researchers at Zscaler have uncovered a new campaign that is delivering a new variant of the ZLoader malware to targeted systems. This variant is said to have been in development since September 2023 and contains significant changes to the loader module, which added RC4 encryption, updated the domain generation algorithm, and is now compiled for 64-bit Windows operating systems for the first time.

Energy Giant Schneider Electric Hit by Cactus Ransomware Attack

Energy management and automation giant Schneider Electric recently suffered from a ransomware attack that targeted its Sustainability Business division, which provides services to enterprise organizations, advising on renewable energy solutions and helping them navigate complex climate regulatory requirements for companies worldwide.

Rust Payloads Exploiting Ivanti Zero-Days Linked to Sophisticated Sliver Toolkit

Recent findings suggest that payloads discovered on compromised Ivanti Connect Secure appliances may originate from a single, highly skilled threat actor, according to incident response provider Synacktiv. A malware analysis by Synacktiv reveals that the 12 Rust payloads found in relation to two Ivanti Connect Secure VPN zero-day vulnerabilities share nearly identical code, suggesting a common origin.

Ukraine: Hack Wiped 2 Petabytes of Data from Russian Research Center

Ukraine's Ministry of Defense says that pro-Ukrainian hacktivists have breached the Russian Center for Space Hydrometeorology (Planeta) and have wiped 2 petabytes of data from its systems. Planeta is a state-funded research center that uses space satellite data, ground radars, and ground stations to provide accurate predictions about weather, climate, natural disasters, extreme phenomena, and volcanic activity.

A Cyber Insurer's Perspective on How to Avoid Ransomware

In 2023, the cybersecurity landscape saw a resurgence of ransomware attacks, with a 27% increase in frequency during the first half of the year compared to the second half of 2022. May witnessed the highest number of ransomware claims in a single month in Coalition history. Ransomware also became the leading contributor to the overall increase in claims frequency, comprising 19% of all reported claims.

Top 3 Data Breaches of 2023, and What Lies Ahead in 2024

In summary, the report says that the surge in cloud migration, coupled with AI and machine learning, accelerated data use and storage in 2023. This led to significant breaches, with notable incidents including the MOVEit ransomware attack impacting 62 million individuals globally, the ICMR breach exposing 81.5 million Indian citizens' data, and 23andMe's unauthorized access compromising 9 million user accounts.

FBI: Tech support scams now use couriers to collect victims' money

cyber criminals to collect money and valuables from victims of tech support and government impersonation scams. Many of the victims are senior citizens who are being targeted by scammers posing as employees of technology companies, financial institutions, or the U.S. government. These victims are told by the actors that their financial accounts have been compromised or are under threat.

Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines

Researchers at Fortinet uncovered a Python Package Index (PyPI) malware author who goes by the ID “WS” uploading malicious packages to PyPI, designed to infect developers with WhiteSnake Stealer. Several packages were identified including nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends, and TestLibs111, which researchers estimate to have impacted over 2000 victims.

ChatGPT Cybercrime Surge Revealed in 3000 Dark Web Posts

Kaspersky researchers are warning of a notable surge in dark web discussions related to the use of ChatGPT and other Large Language Models (LLMs) to bolster cyber attacks. Nearly 3000 dark web posts were identified, focusing on a spectrum of cyber-threats, from creating malicious chatbot versions to exploring alternative projects like XXXGPT and FraudGPT. While the chatter apparently peaked in March of last year, there have been continued ongoing discussions about exploiting AI technologies for illegal activities.

Browser Phishing Threats Grew 198% Last Year

Based on Menlo Security's browser security report for 2023, browser-based phishing attacks increased a whopping 198% in the second half of 2023. In general, phishing attacks seem to have evolved in the last couple of years. According to researchers, they identified 11,000 zero-hour phishing attacks in a span of 30 days.

Thousands of GitLab Instances Unpatched Against Critical Password Reset Bug

Two weeks ago, GitLab released patches to address a critical password reset vulnerability. Tracked as CVE-2023-7028, the bug can be exploited by actors to send password reset messages to unverified email addresses under their control. If the target organization does not have two-factor authentication, an actor in this case could initiate a potential account takeover by resetting the password. Patches for the bug

Malicious Traffic Distribution System Spotted by Researchers

Researchers have uncovered the growing professionalization of the cybercrime ecosystem, highlighting an online redirection service, VexTrio, as a major traffic broker for various threat groups. VexTrio operates malicious traffic distribution systems, assessing victims based on factors like device type and location and redirecting them to malicious sites based on client requirements.

The Number of Patient Records Exposed in Data Breaches Doubled in 2023

According to a new report from cybersecurity firm Fortified Health Security, 116 million records were compromised across 655 breaches. In 2023, the number of patient records exposed in data breaches doubled in comparison to 2022, despite the number of breaches declining slightly. This is likely due to an increase in the number of large data breaches, where 16 breaches exposed more than two million patient records each.

Kasseika Ransomware Uses Antivirus Driver to Kill Other Antiviruses

A new ransomware strain, dubbed Kasseika, that was uncovered in December 2023 has joined the list of ransomware gangs to employ Bring Your Own Vulnerable Driver (BYOVD) tactics to disable antivirus software on targeted systems. BYOVD attacks work by either implanting or abusing a vulnerable driver in victim environments to carry out malicious operations.

Google Pixel Phones Unusable After January 2024 System Update

According to recent reports Google Pixel smartphone owners are experiencing issues after installing the January 2024 Google Play system update. Problems include being unable to access internal storage, open the camera, take screenshots, or open apps. The issue affects various Pixel models, indicating it's not specific to a particular hardware architecture.

Exploit Code Released For Critical Fortra GoAnywhere Bug

Exploit code has been released for a critical vulnerability in Fortra GoAnywhere MFT, a managed file transfer solution. Researchers from Horizon3 released exploit details for CVE-2024-0204, a critical authentication bypass vulnerability which was patched by Fortra on December 4, 2023, but only publicly revealed by the vendor on Monday.

Mandiant Publishes Guide: Defend Against the Latest Active Directory Certificate Services Threats

Active Directory Certificate Services (AD CS) is a server role that enables organizations to leverage public key infrastructure (PKI) as part of their on-premises services to issue and use digital certificates for authenticating identities and endpoints in Active Directory environments. As highlighted by SpecterOps in 2021, AD CS has become a prime target and leverage point in the overall attack chain to achieve post-compromise objectives.

Black Basta Ransomware Group Claims Hack of UK Water Utility Southern Water

The Black Basta ransomware group has added the UK's Southern Water as a victim on their Tor-based data leak site, and have threatened to publish stolen data if ransom demands are not met by February 29, 2024. “Southern Water is a private utility company responsible for collecting and treating wastewater in Hampshire, the Isle of Wight, West Sussex, East Sussex and Kent, and for providing public water supply to approximately half of this area” (Security Affairs, 2024). The company provides water to a large portion of the UK, and employs over 6,000 people.

Attackers Can Steal NTLM Password Hashes via Calendar Invites

A patched vulnerability (CVE-2023-35636) in Microsoft Outlook, allowing theft of NTLM v2 hashes, can be exploited through specially crafted email headers. Security researcher Dolev Taler and Varonis Threat Labs disclosed two additional unpatched vulnerabilities of “moderate” severity for obtaining NTLM v2 hashes.

loanDepot Says Ransomware Gang Stole Data of 16.6 Million People

Mortgage lender loanDepot has confirmed that approximately 16.6 million individuals had their personal information stolen in a ransomware attack disclosed earlier this month. The attack, which occurred on January 6, led to the shutdown of some systems, affecting recurring automatic payments and causing delays in payment history updates. The company, acknowledging the breach as a ransomware incident, mentioned that files on compromised devices were encrypted by malicious actors.

Senior Microsoft Employee's Email Account Breached in Cyber Attack

Microsoft revealed this week that they were potentially targeted by the Russian state-sponsored hacking group Midnight Blizzard. The group targeted a senior employee at the company by utilizing a password spray attack to infiltrate a legacy non-production test tenant account. This allowed them to gain access to the email accounts of Microsoft's leadership team and employees in cybersecurity and legal departments.

Thieves Steal 35.5M Customers' Data from Vans Sneakers Maker

VF Corporation, the parent company of brands like Vans and North Face, disclosed that 35.5 million customers were impacted when criminals breached their systems in December. The announcement, made in an SEC filing, didn't specify the type of information accessed. However, VF Corp assured that social security numbers, bank details, and payment card information were not compromised, as they are not stored in its IT systems. The company also stated that there is no evidence of consumer passwords being accessed, though the investigation is ongoing.

Over 178K SonicWall Firewalls Vulnerable to DoS, Potential RCE Attacks

Security researchers at Bishop Fox have identified over 178,000 SonicWall next-generation firewalls with the management interface exposed online that are vulnerable to two stack-based buffer overflow flaws. Tracked as CVE-2022-22274 and CVE-2023-0656, these two vulnerabilities are essentially the same and can be exploited by unauthenticated actors to perform denial of service and even remote code execution.

Hacker Spins Up 1 Million Virtual Servers to Illegally Mine Crypto

Last week, Europol announced the arrest of a 29-year-old Ukrainian national for using hacked accounts to create 1 million servers used in a worldwide crypto jacking scheme to illegally mine cryptocurrency. This individual is suspected to have been active since 2021 and is known for hijacking cloud computing resources for crypto-mining. Starting in 2021, the hacker infected one of the world's largest e-commerce companies and used automated tools to brute force the passwords of 1,500 accounts of a subsidiary of the e-commerce company.

Protecting MSPs and Mid-Market Companies from 'FalseFont' Backdoor Attacks

A new backdoor named "FalseFont" has been discovered, attributed to the Iranian hacking group Peach Sandstorm. This backdoor poses a significant threat to Managed Service Providers (MSPs) and mid-market companies, particularly those with limited cybersecurity measures. Peach Sandstorm is a global threat actor known for sophisticated cyberattacks since 2013, targeting sectors like defense, aerospace, and energy.

Finland Warns of Akira Ransomware Wiping NAS and Tape Backup Devices

The Finnish National Cybersecurity Center recently sent out an advisory warning of an uptick in Akira ransomware activity. In the latest set of attacks, Akira actors are going after network-attached storage devices as well as tape devices and wiping the backups saved on them, making it difficult for victims to recover files. As a result, the agency recommends organizations switch to offline backups instead and distribute backups across various locations to prevent unauthorized access.

Atomic Stealer Gets an Upgrade - Targeting Mac Users with Encrypted Payload

Researchers at Malwarebytes have uncovered an updated version of Atomic Stealer, an information stealer designed to target macOS systems. The update was made in mid-December 2023, when the authors behind the malware introduced a new payload encryption routine designed to hide certain strings that were previously used for detection and for identifying the C2 server.

Cisco Says Critical Unity Connection Bug Lets Attackers Get Root

Cisco patched a critical vulnerability tracked as CVE-2024-20272 in their Unity Connection product. The flaw could allow an unauthenticated attacker to remotely gain root privileges on unpatched devices. Unity Connection is a fully virtualized messaging and voicemail solution for email inboxes, web browsers, Cisco Jabber, Cisco Unified IP Phone, smartphones, or tablets with high availability and redundancy support.

Alert: Water Curupira Hackers Actively Distributing PikaBot Loader Malware

Water Curupira, a threat actor, distributed the PikaBot loader malware in spam campaigns throughout 2023. Trend Micro reported that PikaBot's phishing attacks used a loader and a core module to gain remote access and execute commands via a connection to the attackers' server. This activity occurred from Q1 to June; earlier campaigns by the cybercrime groups TA571 and TA577 targeted victims with Qakbot.

'Swatting' Becomes Latest Extortion Tactic in Ransomware Attacks

Cybercriminals are now using “swatting” to pressure hospitals into paying ransom demands by targeting their patients. Swatting involves making false police reports that prompt armed responses to victims' homes. These criminals aim to coerce hospitals into paying by threatening patients, as in the Fred Hutchinson Cancer Center case, where cybercriminals stole medical records and threatened to use swatting tactics on patients if their ransom demands weren't met.

Crooks Pose as Researchers to Retarget Ransomware Victims

Victims of Royal and Akira ransomware are being targeted by actors masquerading as cybersecurity researchers offering to delete the files stolen by the two ransomware gangs. According to Arctic Wolf Labs, who have tracked several interactions, these actors contact victims stating they will hack into the server infrastructure of the original ransomware groups involved to delete the exfiltrated data.

NoaBot: Latest Mirai-Based Botnet Targeting SSH Servers for Crypto Mining

Security researchers at Akamai have uncovered a new crypto-mining campaign that has been active since the beginning of 2023. These attacks include the use of a new Mirai-based botnet dubbed 'NoaBot' which comes with various capabilities including a wormable self-spreader and an SSH key backdoor designed to download and execute additional binaries and spread itself to other systems.

Malware Takedowns Show Progress, But Fight Against Cybercrime Not Over

In its 2023 Adversary Infrastructure Report, published on January 9, 2024, Recorded Future analyzed the effect of three malware takedown operations that took place in 2023 or before, among them the March 2023 attempt to take down unlicensed versions of the commercial red-teaming product Cobalt Strike, a joint project between Microsoft, the Health Information Sharing and Analysis Center (Health-ISAC), and Fortra, the software company that owns Cobalt Strike. In the cases of Cobalt Strike and QakBot, law enforcement operations had a significant impact in the short term, and malicious activity linked with the two tools dropped drastically in the month following the operation.

Ukrainian “Blackjack” Hackers Take Out Russian ISP

A group linked to Ukraine's SBU has allegedly launched a destructive cyber-attack against a Moscow ISP in retaliation to Russia's takedown of Kyivstar last month. According to reports, the group called “Blackjack” deleted 20 TBs of data at M9 Telecom, leaving some residents of Moscow without Internet service.

.NET Hooking – Harmonizing Managed Territory

For malware researchers, analysts, or reverse engineers, Check Point says the ability to alter the functionality of certain parts of code is a crucial step. Manipulating processes for code execution works well for non-managed native code, but becomes more challenging when dealing with managed code. For altering the functionality of managed code, specifically in applications that run on top of .NET, Check Point says the open-source library Harmony is the best option.

NoName on Rampage! Claims DDoS Attacks on Ukrainian Government Sites

The NoName ransomware group recently posted a list of their latest DDoS attack victims on their data leak site. Many of these victims include Ukrainian entities such as Accordbank, Zaporizhzhya Titanium-Magnesium Plant, State Tax Service, Central Interregional Tax Administration, Western Interregional Tax Administration, and the Main Directorate of the State Tax Service in Kyiv.

Stealthy AsyncRAT Malware Attack Targets US Infrastructure For 11 Months

Security researchers have uncovered a new campaign that has been delivering AsyncRAT malware to select targets for the last 11 months using hundreds of unique loader samples and more than 100 domains. The campaign was initially discovered by a security researcher from Microsoft, Igal Lytzki, who spotted attacks last summer that were delivered over hijacked email threads.

Zeppelin ransomware source code sold for $500 on hacking forum

A threat actor who goes by the name 'RET' is claiming to have access to the source code as well as a builder for the Zeppelin ransomware. Both are being advertised for sale on an underground forum for $500, with screenshots to prove the legitimacy of the package. In the post, the actor claims to have simply cracked a builder version for the ransomware strain and to have acquired the package without a license.

Russian Hackers Penetrated Ukraine Telecoms Giant for Months

Russian hackers were inside Ukrainian telecoms giant Kyivstar's system from at least May last year in a cyberattack that should serve as a "big warning" to the West, Ukraine's cyber spy chief told Reuters. The attack, one of the most dramatic since Russia's full-scale invasion nearly two years ago, knocked out services provided by Ukraine's biggest telecoms operator for some 24 million users for days from Dec. 12.

Ivanti Warns Critical EPM Bug Lets Hackers Hijack Enrolled Devices

Ivanti recently fixed a critical remote code execution (RCE) vulnerability in its Endpoint Management software (EPM). The flaw allows unauthenticated attackers to hijack enrolled devices or the core server. The service helps manage client devices running a wide range of platforms, from Windows and macOS to Chrome OS and other IoT operating systems.

Hacker Hijacks Orange Spain RIPE Account to Cause BGP Havoc

Orange Spain suffered an internet outage today after a hacker breached the company's RIPE account to misconfigure BGP routing and an RPKI configuration. The routing of traffic on the internet is handled by Border Gateway Protocol (BGP), which allows organizations to associate their IP addresses with autonomous system (AS) numbers and advertise them to other routers they are connected to, known as their peers.

Palestinian Hackers Hit 100 Israeli Organizations in Destructive Attacks

Cyber Toufan, a sophisticated threat actor claiming to be formed of Palestinian state cyber warriors, has managed to target over 100 entities in Israel in the last couple of months. These series of attacks have been fueled by geopolitical tensions between Israel and Hamas, a pro-Palestinian militant group. The latest intrusions carried out by Cyber Toufan have led to the exfiltration of large amounts of data which is being released to the public web.

CISA Warns of Actively Exploited Bugs in Chrome and Excel Parsing Library

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities catalog. The first is CVE-2023-7101, affecting the open-source Perl library Spreadsheet::ParseExcel, with a remote code execution flaw. This vulnerability was exploited by Chinese hackers in late December, targeting Barracuda ESG appliances. Mitigations were applied, and an update was released on December 29, 2023.

Nearly 11 Million SSH Servers Vulnerable to New Terrapin Attacks

Shadowserver has released new vulnerability metrics surrounding the recently discovered Terrapin vulnerabilities that threaten the integrity of some SSH connections. The Terrapin flaws target the SSH protocol, affecting both clients and servers, and were developed by academic researchers from Ruhr University Bochum in Germany.

Experts Warn of JinxLoader: Loader Used to Spread FormBook and XLoader

Researchers from Palo Alto Networks and Symantec warned of a new Go-based malware loader called JinxLoader, which is being used to deliver next-stage payloads such as Formbook and XLoader. The name of the threat comes from a League of Legends character. Palo Alto Networks' Unit 42 first observed the malware in November 2023, reporting that it has been advertised on the hacking forum Hackforums since April 30, 2023.

Microsoft: Hackers Target Defense Firms With New FalseFont Malware

Yesterday, Microsoft posted a series of tweets on X (formerly known as Twitter) stating that it observed Iranian cyber-espionage group APT33 deploy a new backdoor dubbed FalseFont in attacks targeting organizations in the Defense Industrial Base (DIB) sector. According to the tech giant, FalseFont was first observed in attacks as early as November 2023.

Malware Leveraging Public Infrastructure Like GitHub on the Rise

Researchers from ReversingLabs have observed an increase in threat actors using the GitHub open source development platform to host malware. The use of public services as command-and-control (C2) infrastructure isn't a revolutionary technique for malicious actors, but the researchers highlight two novel techniques deployed on GitHub.

Justice Secretary in Deepfake General Election Warning

UK Secretary of State for Justice, Robert Buckland, has voiced concerns about the threat of deepfakes to British democracy prior to upcoming elections. He cited a “clear and present danger” regarding deepfakes and noted how they can be used to potentially erode trust in information and sway opinions. Buckland highlighted that with AI being easily accessible and the sheer scale of generative AI, individuals can create and share content rapidly.

Fake Delivery Websites Surge By 34% in December

With many shoppers rushing to order Christmas gifts, scammers are taking advantage of this opportunity by creating phishing sites impersonating delivery services. According to Group-IB, these fake delivery sites have surged by 34% in December alone, with the company identifying 587 sites designed to look like legitimate postal operators and delivery companies in the first 10 days of December.

Fake F5 BIG-IP Zero-Day Warning Emails Push Data Wipers

Israel’s National Cyber Directorate (INCD) recently disclosed a new phishing campaign that is distributing Windows and Linux data wipers via emails pretending to be a warning about a zero-day vulnerability in F5 BIG-IP devices. According to INCD, the emails push out an executable named F5UPDATER[.]exe for Windows users, while a shell script named update[.]sh is used for Linux users.

Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant

Yesterday, the U.S. Justice Department announced the disruption of the BlackCat ransomware group, which to date has managed to target the computer networks of more than 1,000 victims, including those that support U.S. critical infrastructure (government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities).

New Go-Based JaskaGO Malware Targeting Windows and macOS Systems

AT&T Alien Labs has uncovered a new Go-based information stealer malware dubbed JaskaGo designed to target both Windows and Apple macOS systems. According to researchers, the info-stealer comes equipped with an extensive array of commands from its C2 server that enable actors to execute shellcode, enumerate running processes, harvest information from the victim system, and download additional payloads.

Novel Terrapin Attack Uses Prefix Truncation to Downgrade the Security of SSH Channels

Secure Shell Protocol (SSH) was developed in early 1995, after a password sniffer was used to discover passwords stored in plain text at Finland’s Helsinki University of Technology. As one of the first network tools to route traffic through an impregnable tunnel fortified with a still-esoteric feature known as "public key encryption," SSH quickly caught on around the world.

What To Do When Receiving Unprompted MFA OTP Codes

This article highlights common methods cybercriminals use to bypass multi-factor authentication, specifically receiving unprompted one-time passcodes (OTP). Receiving an OTP sent as an email or text should be a cause for concern as it likely means your credentials have been stolen.

New Pierogi++ Malware by Gaza Cyber Gang Targeting Palestinian Entities

Researchers at SentinelOne have uncovered an updated version of a backdoor dubbed Pierogi which is being used by the Gaza Cyber Gang, a pro-Hamas threat actor, to target Palestinian entities. The new variant, referred to as Pierogi++, is written in the C++ programming language. Similar to its predecessor, Pierogi++ is designed to take screenshots, execute commands, and download other payloads.

Threat of Violence Likely Heightened Throughout Winter

The FBI issued an advisory that they are closely monitoring threats to public safety during the holiday season, which may be amplified by the ongoing Israel-Hamas conflict. The FBI, Department of Homeland Security (DHS), and National Counterterrorism Center (NCTC) are issuing this Public Service Announcement to highlight elements posing potential threats in the United States from a variety of actors during the winter season.

BianLian, White Rabbit, and Mario Ransomware Gangs Spotted in a Joint Campaign

Based on a recent Digital Forensics & Incident Response (DFIR) engagement with a law enforcement agency (LEA) and one of the leading investment organizations in Singapore (and other victims), Resecurity (USA) has uncovered a meaningful link between three major ransomware groups. Resecurity’s HUNTER (HUMINT) unit spotted the BianLian, White Rabbit, and Mario ransomware gangs collaborating in a joint extortion campaign targeting publicly-traded financial services firms.

Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet

The US cybersecurity landscape faces a critical challenge with the emergence of a highly resilient botnet operated by the Chinese-backed Volt Typhoon group. This botnet has ingeniously repurposed end-of-life Small Office/Home Office (SOHO) routers from Cisco, Netgear, and Fortinet, and set up a Tor-like covert data transfer network to perform malicious operations. Notably, these routers, lacking security updates, now serve as a central element in Volt Typhoon’s penetration strategy across critical sectors like communications, manufacturing and government.

Microsoft Seized the US Infrastructure of the Storm-1152 Cybercrime Group

Microsoft recently announced that it seized multiple domains used by the cybercrime group Storm-1152 to sell fraudulent Outlook accounts. According to the vendor, Storm-1152 has registered over 750 million fraudulent Microsoft accounts, enabling the group to generate millions of dollars in sales. After obtaining a court order from the Southern District of New York on December 7, 2023.

BazarCall Attacks Abuse Google Forms to Legitimize Phishing Emails

Email security firm Abnormal uncovered a new wave of BazarCall attacks abusing Google Forms to target users. First documented in 2021, BazarCall is a type of phishing attack that utilizes fake payment/subscription invoices in emails impersonating known brands. In this case, victims are notified that their account has been charged and should contact customer support if they don’t recognize the transaction. Rather than including a link in the email, the actors will leave behind a phone number that the victim can call.

Cozy Bear Hackers Target JetBrains TeamCity Servers in Global Campaign

In a joint advisory published on December 13, 2023, six security and intelligence agencies in the US, the UK and Poland warned that Cozy Bear has been exploiting an authentication bypass vulnerability in TeamCity (CVE-2023-42793) since at least September 2023. If compromised, access to a TeamCity server would provide malicious actors with access to that software developer’s source code, signing certificates, and the ability to subvert software compilation and deployment processes. The access could also be used to conduct software supply chain attacks.

Vulnerabilities Now Top Initial Access Route For Ransomware

Cybersecurity insurance provider Corvus reports that ransomware actors are switching tactics and are choosing to exploit vulnerabilities rather than leverage phishing emails to breach victim organizations. Analyzing metrics from claims data this year, Corvus was able to examine threat actor activity. The company claims that vulnerability exploitation rose as an initial access method from nearly 0% of ransomware claims in H2 2022 to almost a third in the first half of 2023.

Russia Set to Ramp Up Attacks on Ukraine’s Allies This Winter

A new report by Cyjax warns of an increase in cyberattacks from Russia targeting Ukraine and its allies as the Winter season approaches. According to researchers, Russia’s missile production is struggling to keep pace with its tactical, operational, and strategic usage, due to economic sanctions and a shortage of workers.

What To Do If Your Company Was Mentioned on Darknet?

This article examines different scenarios where your company may be mentioned on the darkweb, and what you can do to navigate and mitigate the potential risks associated. Specifically, the article focuses on the sale of compromised accounts, internal databases and documents, as well as access to corporate infrastructure, and the sale of personal identifiable information like ID photos, drivers licenses, etc.

Russian APT28 Hackers Targeting 13 Nations in Ongoing Cyber Espionage Campaign

A new blog post from IBM’s X-Force highlights the use of Israel-Hamas conflict lures by APT28, a group of Russian military hackers, to deliver Headlace malware. For its part, Headlace is a multi-component malware that includes a dropper, a VBS launcher, and a backdoor using MSEdge in headless mode, designed to download second-stage payloads and exfiltrate credentials as well as other sensitive details.

Ukraine's Largest Phone Operator Hack Tied to War With Russia

Ukraine’s largest mobile network operator Kyivstar was impacted by a cyber event that led to significant shutdowns. The company, which is owned by Amsterdam-based Veon, announced on December 12th that a powerful cyber attack caused a technical failure, which impacted Internet access and mobile communications for customers.

Privilege Elevation Exploits Used in Over 50% Of Insider Attacks

A report published by CrowdStrike researchers indicates that insider threats are escalating, with a surge in unauthorized actions using privilege escalation flaws. Approximately 55% of these threats leverage privilege escalation exploits, while 45% stem from downloading risky tools or misusing them.

AutoSpill Attack Steals Credentials from Android Password Managers

Security researchers developed a new attack, which they named AutoSpill, to steal account credentials on Android during the autofill operation. In a presentation at the Black Hat Europe security conference, researchers from the International Institute of Information Technology (IIIT) at Hyderabad said that their tests showed that most password managers for Android are vulnerable to AutoSpill, even if there is no JavaScript injection.

Toyota Warns Customers of Data Breach Exposing Personal, Financial Info

Toyota Financial Services recently warned its customers about a data breach, where actors were able to gain unauthorized access to some of its systems in Europe and Africa, allowing the actors to steal sensitive personal and financial data. Medusa ransomware has claimed responsibility for the attack, demanding an $8 million ransom be paid in exchange for the stolen data.

ALPHV/BlackCat Site Downed After Suspected Police Action

Last Friday, cybersecurity firm RedSense disclosed on X (formerly known as Twitter) that BlackCat Ransomware’s Tor data leak site had been taken down after police action. As of writing, no official disclosure from law enforcement authorities has been published to the public regarding such a takedown.

Iran Threatens Israel's Critical Infrastructure With 'Polonium' Proxy

An Iranian proxy hacking group named Polonium, operating from Lebanon, poses a serious threat to Israel’s critical infrastructure. Despite being less known than other hacking groups, Polonium has intensified its attacks, targeting multiple Israeli sectors and evolving its tactics over time. Microsoft reported that Polonium spied on over 20 Israeli organizations, including key sectors like Transportation, IT, Finance, and Healthcare in Spring 2022.

Russian Military Hackers Target NATO Fast Reaction Corps

APT28, a group of Russian military hackers, has been exploiting a Microsoft Outlook zero-day (CVE-2023-23397) since March 2022 to target multiple European NATO member countries, including a NATO Rapid Deployable Corps. Over the course of 20 months, researchers at Palo Alto Networks’ Unit 42 have observed this group launch three different campaigns targeting at least 30 organizations across 14 nations deemed of probable strategic intelligence significance to Russia's military and government.

Ransomware Surge is Driving UK Inflation, Says Veeam

New data gathered by Veeam indicates that a surge in ransomware attacks has caused businesses in the UK to increase prices, adding to the already high inflation. Veeam surveyed 100 UK businesses with over 500 employees that had been compromised by ransomware. According to the software company, large companies had to increase costs to customers by an average of 17% following an attack.

Forward Momentum: Key Learnings From Trend Micro’s Security Predictions for 2024

Advances in cloud technology, artificial intelligence and machine learning, and Web3 are reshaping the threat landscape, urging organizations to re-strategize their defenses and stay up to date with the latest trends and threats. A new blog post by Trend Micro highlights the new challenges that will come with these emerging technologies and what to expect for the upcoming new year.

Ninety Percent of Energy Companies Suffer Supplier Data Breach

SecurityScorecard recently analyzed the cybersecurity posture of the largest coal, oil, natural gas, and electric companies in the US, UK, France, Germany, and Italy, as well as their suppliers. According to the vendor, UK energy firms received the highest average security rating (80% holding a B or above). However, a third of global firms received a rating of C or lower, making them susceptible to a breach.

Why Cloud Security Matters in Today’s Business World

As companies increasingly adopt cloud computing, a report by Ermetic and IDC reveals that 80% of CISOs experienced cloud data breaches in the last 18 months, with 43% facing 10 or more breaches. The report emphasizes the need for a robust understanding of cloud security to safeguard organizations, personnel, and customers during the transition. Cloud security involves principles like access controls and system audits. Key reasons to embrace it include scalability, reliability, and protection against DDoS attacks.

New Krasue Linux RAT Targets Telecom Companies in Thailand

Group-IB researchers discovered a previously undetected Linux remote access trojan called Krasue being employed in attacks aimed at telecom companies in Thailand. The Krasue Remote Access Trojan (RAT) emerged in 2021 according to samples found on VirusTotal. The name “Krasue,” comes from the Thai name of a nocturnal native spirit known throughout Southeast Asian folklore.

LockBit Remains Top Global Ransomware Threat

A new report from ZeroFox highlights LockBit’s continued dominance in the ransomware landscape, with the group accounting for 25% of all ransomware and digital extortion attacks worldwide between January 2022 and September 2023. In particular, LockBit poses a big threat to entities in North America, with an average of 40% of LockBit victims based in this region, spanning the manufacturing, construction, retail, legal & consulting, and healthcare sectors. Researchers note this is expected to increase to 50% by the end of 2023.

Hackers Breach US Govt Agencies Using Adobe ColdFusion Exploit

CISA recently published an advisory warning that hackers are exploiting a critical vulnerability in Adobe ColdFusion to gain initial access to government servers. Tracked as CVE-2023-26360, the flaw relates to an improper access control vulnerability in Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier), which could result in arbitrary code execution.

Governments Spying on Apple, Google Users Through Push Notifications - US Senator

Senator Ron Wyden has raised concerns that unidentified governments are surveilling smartphone users through push notifications on apps, demanding data from Google and Apple. Push notifications, used by various apps for updates, messages, and news alerts, often travel through Google and Apple servers. This unique access gives the companies insight into app traffic and user activity, potentially facilitating government surveillance.

Russian APT28 Exploits Outlook Bug to Access Exchange

Microsoft issued a warning regarding the exploitation of CVE-2023-23397 by APT28, a Russian state-sponsored group. The targeted entities include government, energy, transportation, and other key organizations in the United States, Europe, and the Middle East. CVE-2023-23397 was first disclosed and patched as a zero-day bug in Microsoft’s March 2023 Patch Tuesday update round.

New AeroBlade Hackers Target Aerospace Sector in the U.S.

Cybersecurity firm BlackBerry has uncovered a campaign targeting an aerospace organization in the United States. Researchers are tracking the actors behind this campaign as ‘AeroBlade.’ Based on the observed attack, the actors used spear-phishing as their delivery mechanism, where they employed a weaponized document, sent as an email attachment.

Holiday Shopping Scams Persist with Cybercriminal Tactics

Cybercriminals are currently targeting SaaS services and utilizing AI technology, social media phishing, and brand impersonation to pilfer from various sectors, impacting the reputations of legitimate businesses. It is crucial to adopt proactive measures, such as manual or automated takedown services, to maintain consumer trust during the bustling holiday shopping season. The USPS phishing attack encompasses over 3,000 phishing domains that mimic reputable brands like Walmart, with scammers exploiting stolen data to entice victims into revealing sensitive banking details.

Florida Water Agency Latest to Confirm Cyber Incident as Feds Warn of Nation-state Attacks

A regulatory agency in Florida confirmed they responded to a recent cyber attack last week as US cybersecurity agencies warn of foreign attacks against water utilities. A spokesperson for the St. Johns River Water Management District, which works closely with utilities on water supply issues, confirmed that it “identified suspicious activity in its information technology environment” and that “containment measures have been successfully implemented.”

Over 20,000 Vulnerable Microsoft Exchange Servers Exposed to Attacks

The ShadowServer Foundation is warning that tens of thousands of Microsoft Exchange email servers in Europe, the United States, and Asia are exposed on the public internet and vulnerable to remote code execution flaws. The mail systems run a software version that is currently unsupported and no longer receives any updates, being vulnerable to multiple security issues, some with a critical severity rating.

Check Point Research Navigates Outlook’s Security Landscape: The Obvious, the Normal, and the Advanced

In a recent blog from Check Point, Outlook, the desktop app in the Microsoft Office suite, is highlighted as one of the world's most widely used applications for organizational communication. However, it poses significant security risks, acting as a critical gateway for cyber threats. The blog categorizes attack vectors into three types: the "obvious" Hyperlink attack vector, the "normal" Attachment attack vector, and the "advanced" Email Reading and Special Object attack vectors.

Qakbot Takedown Aftermath: Mitigations and Protecting Against Future Threats

The DOJ and FBI collaborated to dismantle the Qakbot malware and its botnet, successfully disrupting a long standing threat. However, concerns linger as Qakbot may still pose a risk, although in a reduced form. The takedown removed the malware from a significant number of devices, including 700,000 globally and 200,000 in the U.S. Yet, recent findings suggest Qakbot remains active but weakened.

Simple Hacking Technique Can Extract ChatGPT Training Data

Researchers from Google DeepMind, Cornell University, and other institutions found that the widely used generative AI chatbot, ChatGPT, is susceptible to data leaks. By prompting ChatGPT to repetitively say words like "poem," "company," and others, the researchers were able to make the chatbot regurgitate memorized portions of its training data.

US Govt Sanctions North Korea’s Kimsuky Hacking Group

On Thursday the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) sanctioned eight North Korean agents for facilitating sanctions evasion including revenue generation and missile-related technology procurement that support the Democratic People’s Republic of Korea’s (DPRK) weapons of mass destruction programs.

New ‘Turtle’ macOS Ransomware Analyzed

Several vendors on VirusTotal have detected a new ransomware dubbed Turtle which is capable of not only targeting Windows and Linux systems but also macOS. Cybersecurity researcher Patrick Wardle who analyzed this new strain, says that Turtle Ransomware is currently not sophisticated. The malware was developed in the Go programming language.

RedLine Stealer Malware Deployed Via ScrubCrypt Evasion Tool

Researchers from Satori Threat Intelligence discovered a new version of the ScrubCrypt obfuscation tool being used to target organizations with the RedLine stealer malware. This latest version of ScrubCrypt is for sale on dark web marketplaces, and is being used in account takeover and fraud attacks.

Behind the Attack: LUMMA Malware

Researchers at Perception Point recently unveiled a sophisticated malware attack aimed at bypassing threat detection systems. The attack involves impersonating a financial services company via a fake invoice email. The email includes a button that leads to an unavailable website which urges users to visit a seemingly legitimate link for the invoice.

Qlik Sense Exploited in Cactus Ransomware Campaign

According to a new blog post by researchers at Arctic Wolf, a set of known vulnerabilities in Qlik Sense, a cloud analytics and business intelligence platform, are being exploited to deploy ransomware. Tracked as CVE-2023-41266, CVE-2023-41265, and CVE-2023-48365, the flaws are being chained together to achieve remote code execution on targeted systems.

Iran-Backed Cyber Av3ngers Escalates Campaigns Against U.S. Critical Infrastructure

The Iran-backed Cyber Av3ngers, affiliated with the IRGC, has been actively exploiting Programmable Logic Controllers (PLCs) in Water and Wastewater treatment plants, targeting critical infrastructure installations in the U.S. The group, known for making false claims, initiated attacks on various water authorities, an aquarium, and a brewery. They focus on Unitronics PLCs, leveraging open source tools and exploiting vulnerabilities. The recent campaign expanded to target critical infrastructure globally, particularly those using equipment associated with Israel.

New BLUFFS Attack Lets Attackers Hijack Bluetooth Connections

Researchers from Eurecom have developed six new attacks they have collectively named “BLUFFS.” These vulnerabilities can be used for device impersonation and man-in-the-middle (MitM) attacks. BLUFFS exploits two previously unknown flaws in Bluetooth, related to how session keys are derived to decrypt exchanged data.

Iranian Hackers Exploit PLCs in Attack on Water Authority in U.S.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is responding to a cyber attack on the Municipal Water Authority of Aliquippa, Pennsylvania. The attack involved the exploitation of Unitronics programmable logic controllers (PLCs) and has been attributed to the Iranian-backed hacktivist group Cyber Av3ngers.

General Electric, DARPA Hack Claims Raise National Security Concerns

General Electric (GE) and the Defense Advanced Research Projects Agency (DARPA) are reported to have experienced security breaches, with stolen data allegedly available for sale on the Dark Web. The compromised information includes access credentials, DARPA-related military data, SQL files, and more. GE has acknowledged the breach and is actively investigating the matter. DARPA, known for collaborating with GE on various projects, may have classified information on weapons programs and artificial intelligence research in its data stores.

General Electric, DARPA Hack Claims Raise National Security Concerns

General Electric, an American multinational conglomerate that has several divisions including aerospace, power, and renewable energy, is investigating claims that a threat actor breached its development environment and leaked allegedly stolen data. The development comes after a threat actor named IntelBroker posted to a dark web forum claiming to have access to General Electric’s development and software pipelines.

Key Cybercriminals Behind Notorious Ransomware Families Arrested in Ukraine

A joint operation carried out by Europol and law enforcement agencies has led to the arrest of 5 key suspects in Ukraine believed to be core members of various ransomware operations including LockerGoga, MegaCortex, Dharma, and the now defunct Hive ransomware. Since 2019, these individuals have targeted over 1,800 victims across 71 countries, compromising large corporations.

Daixin Team Claims Attack on North Texas Municipal Water District

The Daixin Team, a group known for carrying out ransomware attacks, has listed the North Texas Municipal Water District (NTMWD) as a victim on their data leak site. The actors claim to have stolen large amounts of sensitive data from the company and are threatening to release it publicly. The information stolen is said to include board meeting minutes, internal project documentation, personnel details, audit reports, and more. The leak of the data puts the company at risk of fraud in the coming months.

Hacktivists Breach U.S. Nuclear Research Lab, Steal Employee Data

The Idaho National Laboratory (INL) announced this week that they suffered a cyberattack after SiegedSec hacktivists leaked stolen human resources data online. INL is a nuclear research center run by the U.S. Department of Energy that employs 5,700 specialists in atomic energy, integrated energy, and national security.

Exploit for CrushFTP RCE Chain Released, Patch Now

A critical vulnerability (CVE-2023-43177) in CrushFTP allows hackers to access files, execute code, and steal passwords. Although a fix was issued in version 10.5.2, a recent public exploit by Converge demands immediate updates for CrushFTP users. This exploit lets attackers read and delete files, and potentially gain total control over systems, using specific web ports and functions in CrushFTP.

8Base Group Deploying New Phobos Ransomware Variant via SmokeLoader

Last Friday, Cisco Talos published a blog post, highlighting that 8Base ransomware actors are using a variant of the Phobos ransomware to carry out financially motivated attacks. Although most Phobos variants have been distributed using SmokeLoader, a backdoor trojan, researchers note that in 8Base campaigns, the actors are embedding the ransomware component into encrypted payloads, which are then decrypted and loaded into the SmokeLoader process memory.

Popular Dragon Touch Tablet for Kids Infected with Corejava Malware

Retailers like Amazon have promoted affordable Android devices for children, such as the Dragon Touch KidzPad Y88X 10 tablet. However, research by the Electronic Frontier Foundation (EFF) revealed malware and riskware on the device, leading to Amazon removing it from the platform. Other Y88X models remain available. This is not the first instance; in January 2023, Amazon sold a T95 Android TV box with preinstalled malware. Both instances involved the Corejava malware.

MySQL Servers Targeted by ‘Ddostf’ DDoS-As-A-Service Botnet

The ‘Ddostf’ malware botnet is attacking MySQL servers to turn them into a DDoS service. AhnLab Security Emergency Response Center (ASEC) discovered this while tracking threats against database servers. Ddostf infiltrates MySQL servers either through vulnerabilities in unpatched systems or by cracking weak administrator account passwords. These attackers search the web for exposed MySQL servers, trying to breach them by brute forcing administrator credentials.

Beware: Malicious Google Ads Trick WinSCP Users into Installing Malware

Cybersecurity company Securonix has uncovered a new campaign dubbed SEO#LURKER, where actors are tricking WinSCP users into installing malware via SEO poisoning and bogus Google ads. In particular, the actors are using dynamic search ads which automatically generate ads based on a site's content to serve the malicious ads that take the victims to an infected site, which in this case is a compromised WordPress site (gameeweb[.]com). Researchers say this WordPress site will redirect the victim to a phishing site advertising a fake installation for WinSCP, in turn infecting the victim with malware.

#StopRansomware: Rhysida Ransomware

A new joint advisory from CISA and the FBI has been issued detailing observed TTPs and IOCs to help organizations protect against Rhysida Ransomware. Rhysida is a fairly new ransomware that was first detected in May 2023. Like any other ransomware gang, the group engages in double extortion schemes where it will encrypt and exfiltrate victims’ files, threatening to publish the data online unless a ransom is paid.

FBI Warns: Five Weeks In, Gaza Email Scams Still Thriving

The FBI is warning of cybercriminals taking advantage of the war in Gaza to solicit funds from unsuspecting victims. According to alerts sent out by the agency, these fraudsters are using various schemes including emails, social media, cold calls, and websites masquerading as fundraisers and charities to convince end users to donate money, stating that the funds will go to victims of the ongoing conflict. These donations are requested in the form of gift cards, wire transfers, and cryptocurrency, making them difficult to trace back.

Zero-Days in Edge Devices Become China's Cyber Warfare Tactic of Choice

Over the past five years, Chinese state-sponsored cyber operations have evolved into a more mature and coordinated threat, focusing on exploiting both known and zero-day vulnerabilities in public-facing security and network appliances. They have also placed a strong emphasis on operational security and anonymity. These changes have been influenced by both internal factors like military restructuring and changes in domestic regulations, as well as external factors including reporting by Western governments and the cybersecurity community.

LockBit Ransomware Exploits Citrix Bleed in Attacks, 10K Servers Exposed

About a month ago, Citrix fixed a critical information disclosure flaw (CVE-2023-4966), “Citrix Bleed,” impacting Citrix NetScaler ADC and NetScaler Gateway. As of writing, thousands of internet-exposed endpoints are still running vulnerable appliances despite patches being released. As such, threat actors are using this opportunity to launch attacks. One of these actors is the LockBit Ransomware group, which researchers say is using publicly available exploits for CVE-2023-4966 to breach the systems of large organizations, steal data, and encrypt files.

82% of Attacks Show Cyber-Criminals Targeting Telemetry Data

A new report from Sophos indicates that cyber-criminals are disabling or wiping out logs in 82% of incidents, making it difficult for organizations to trace back and determine what happened on systems during a crisis. What’s more, based on a case study conducted by Sophos, nearly a quarter of organizations investigated didn’t have appropriate logging in place for incident responders. Researchers say this was due to several factors, including insufficient retention, re-imaging, or a lack of configuration. “In an investigation, not only would this mean the data would be unavailable for examination, but the defenders would have to spend time figuring out why it wasn’t available,” stated researchers in a recent blog post.

BlackCat Ransomware Gang Targets Businesses Via Google Ads

ALPHV/BlackCat ransomware threat actors have been seen using Google Ads to distribute malware. By masquerading as popular software products like Advanced IP Scanner and Slack, the group has been luring professionals to attacker controlled websites. The victims, thinking they are downloading legitimate software, are unknowingly installing a piece of malware called Nitrogen. Nitrogen serves as initial-access malware providing intruders with a foothold into the target organization’s IT environment.

Steps CISOs Should Take Before, During & After a Cyberattack

In today's complex cybersecurity landscape, cyberattacks are inevitable. Organizations, regardless of size or industry, must establish detailed playbooks for effective response. Chief Information Security Officers (CISOs) play a crucial role in preparing for attacks by fostering relationships, educating leaders, and developing comprehensive frameworks.

DP World Cyberattack Blocks Thousands of Containers in Ports

International logistics firm DP World Australia announced that a cyber attack has severely disrupted its regular freight movement in multiple Australian ports. DP World specializes in cargo logistics, port terminal operations, maritime services, and free trade zones, with annual revenue of over $10 billion. In total, the firm operates 82 marine and inland terminals in 40 countries, handles 70 million containers annually carried by 70,000 vessels, and manages roughly 10% of all global container traffic. DP World has the largest presence in Australia, handling over 40% of the nation’s container trade.

Update: Iranian Hackers Launch Malware Attacks on Israel’s Tech Sector

Imperial Kitten, also known as Tortoiseshell, TA456, Crimson Sandstorm and Yellow Liderc, has launched a new campaign targeting transportation, logistics, and technology companies in the Middle East. Associated with the Iranian Revolutionary Guard Corps (IRGC), this threat actor, using the online persona Marcella Flores, has been active since at least 2017, conducting cyberattacks across sectors like defense technology, telecommunications, maritime, energy, and consulting.

New Ransomware Group Emerges with Hive's Source Code and Infrastructure

Hunters International, a newly emerged ransomware group, has acquired the source code and infrastructure from the dismantled Hive operation, a once-prolific ransomware-as-a-service (RaaS) group. The Hive group's operations were halted as part of a coordinated law enforcement effort in January 2023. This move allowed Hunters International to start its own cyber threat activities with a mature toolkit.

Signature Techniques of Asian APT Groups Revealed

The Kaspersky Cyber Threat Intelligence team has unveiled crucial insights into the tactics, techniques and procedures (TTPs) employed by Asian Advanced Persistent Threat (APT) groups. In a report published today, Kaspersky reveals TTPs found from their examination of one hundred global cybersecurity incidents.

Dragos: OT Threat Intelligence in Cyber Assessment Framework (CAF)

Dragos recently highlighted the UK National Cyber Security Centre's Cyber Assessment Framework (CAF) in a report, emphasizing its global applicability. The CAF, designed to enhance government cybersecurity, outlines top-level outcomes for good cybersecurity. While initially aimed at the UK, its principles are valuable globally.

Russian-Speaking Threat Actor “Farnetwork” Linked to 5 Ransomware Gangs

According to a report from cybersecurity company Group-IB, a threat actor known as 'farnetwork' has operated under various usernames like farnetworkl, jingo, jsworm, razvrat, piparkuka, and farnetworkitand. They actively sought affiliates for different ransomware operations on Russian-speaking hacker forums. In March, farnetwork started recruiting affiliates for their ransomware-as-a-service (RaaS) program based on the Nokoyawa locker.

Beware, Developers: BlazeStealer Malware Discovered in Python Packages on PyPI

According to a new report from Checkmarx, throughout 2023 threat actors have been distributing malicious Python packages disguised as legitimate obfuscation tools to execute BlazeStealer malware on targeted systems. Once executed, BlazeStealer retrieves a malicious script from an external source and runs a Discord bot designed to give the threat actor complete control over the victim’s computer.

Ransomware Actors Continue to Gain Access through Third Parties and Legitimate System Tools

In a new advisory, the FBI noted that ransomware actors continue to gain access through third-party vendors and services. Between 2022 and 2023, the FBI observed ransomware attacks compromising casinos through third-party gaming vendors. In particular, small and tribal casinos were targeted, with the threat actors encrypting the personally identifiable information (PII) of employees and patrons and holding it for ransom payments.

Ethical Hackers Enhance Cybersecurity with Generative AI

The growing use of digital technology makes cybersecurity more important than ever. Ethical hackers, who identify and prevent cyber threats, are increasingly using AI tools like ChatGPT. A report by Bugcrowd reveals that many hackers believe AI will change how they work in the coming years. While AI can't replace human creativity in security, it helps in tasks like data analysis and vulnerability detection.

Okta Breach: Employee's Personal Google Account Usage on Company Laptop Blamed

In a recent statement, Okta security chief David Bradbury confirmed that from September 28, 2023, to October 17, 2023, a threat actor gained unauthorized access to files inside Okta’s customer support system associated with 134 Okta customers. These files contained session tokens, which the threat actor was able to use to hijack the legitimate Okta sessions of 5 customers.

Critical Atlassian Confluence Bug Exploited in Cerber Ransomware Attacks

Last Tuesday, Atlassian released security updates to address a critical improper authorization vulnerability impacting all versions of Confluence Data Center and Server. Tracked as CVE-2023-22518, the vulnerability can be used in data destruction attacks targeting internet-exposed and unpatched instances. While Atlassian initially noted that it was unaware of reports of active exploitation, the vendor updated its advisory on Friday, stating that threat actors are starting to exploit the flaw in attacks in the wild.

Over Half of Users Report Kubernetes/Container Security Incidents

A report from Infosecurity Magazine says that cloud-native development practices are creating dangerous new security blind spots for organizations in the US, UK, France and Germany. A study by Venafi polled 800 security and IT leaders from large organizations based in these four countries. It found that 59% of respondents have experienced security incidents in their Kubernetes or container environments.

A Ukrainian Company Shares Lessons in Wartime Resilience

MacPaw, a Ukrainian software company, faced the challenge of maintaining business continuity during the Russian invasion. Their CTO, Vira Tkachenko, explained how they prepared for wartime cyber resilience, including forming an emergency team, prioritizing employee safety and service delivery, fortifying their headquarters, ensuring power and connectivity options, building hardware reserves, setting up redundant communications, freezing code changes, and dealing with increased cyberattacks.

Adtran - AOE Server Vulnerability Advisory

AOE servers that are not properly secured are susceptible to a security vulnerability that could potentially grant unauthorized access to the server via the AOE Server Admin user account. Such compromised servers are consequently vulnerable to ransomware attacks, posing a significant security risk.

MITRE ATT&CK v14 Released

MITRE has released MITRE ATT&CK v14, the newest iteration of its popular investigation framework / knowledge base of tactics and techniques employed by cyber attackers. The goal of MITRE ATT&CK is to catalog and categorize the known tactics, techniques, and procedures (TTPs) used by adversaries in real-world attacks.

Common Vulnerability Scoring System v4.0 Summary

FIRST, the Forum of Incident Response and Security Teams, will release this week version 4.0 of the Common Vulnerability Scoring System (CVSS). CVSS is an open framework that allows organizations and researchers to communicate specific characteristics and severities of software vulnerabilities.

Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence

President Joe Biden has signed an executive order aimed at regulating generative AI systems like ChatGPT, recognizing both their transformative potential and their risks. The order focuses on ensuring the safe and responsible development and use of AI. It directs various federal agencies and departments to create standards and regulations for AI in areas including criminal justice, education, health care, housing, and labor, with an emphasis on protecting civil rights and liberties.

Mass Exploitation of ‘Citrix Bleed’ Vulnerability Underway

Last week, Citrix warned that threat actors are actively exploiting a critical information disclosure vulnerability impacting Citrix NetScaler ADC and Gateway instances. Tracked as CVE-2023-4966, the vulnerability can be exploited by unauthenticated attackers to leak sensitive information from on-prem appliances that are configured as an AAA virtual server or gateway. In the past couple of days, security researchers have noticed an alarming increase in exploitation attempts, with several threat actors, including ransomware groups, targeting vulnerable instances.

Dozens of Countries Will Pledge to Stop Paying Ransomware Gangs

As part of the upcoming third annual meeting of the International Counter-Ransomware Initiative, the Biden administration and dozens of its foreign allies will pledge to stop paying ransomware gangs. Representatives from 48 countries, the European Union, and Interpol are expected to attend this week’s summit, which will focus on strategies to block funds used by ransomware gangs to fuel their operations.

'Prolific Puma' Hacker Gives Cybercriminals Access to .us Domains

A report by Infoblox uncovers a concerning trend involving a link-shortening service called "Prolific Puma." This service assists cyber attackers and scammers by providing them with top-level .us domains, enabling them to run phishing campaigns with reduced visibility. Over the past 18 months, Prolific Puma has generated up to 75,000 unique domain names, often sidestepping regulations to offer malicious actors .us URLs.

Security Brief: TA571 Delivers IcedID Forked Loader

In a recent blog post, cybersecurity firm Proofpoint disclosed that it observed two campaigns on October 11 and 18, 2023, in which TA571, a sophisticated cybercriminal threat actor, delivered the Forked variant of IcedID. The Forked variant was observed being delivered via emails containing 404 TDS URLs that led to the download of a password-protected archive, with the password listed in the email. “The zip file contained a VBS script and a benign text file.”

BiBi-Linux: A New Wiper Dropped By Pro-Hamas Hacktivist Group

Researchers at Security Joes have uncovered a new Linux wiper malware dubbed “BiBi-Linux Wiper,” being used by a pro-Hamas hacktivist group to target Israeli entities in the ongoing Israel-Hamas conflict. BiBi-Linux Wiper is an x64 ELF executable designed to render files unusable by overwriting their contents, and it appends to each targeted file an extension of the form “[RANDOM_NAME].BiBi[NUMBER].”

OT Cyber Attacks Proliferating Despite Growing Cybersecurity Spend

The significant rise in attacks on operational technology (OT) systems is primarily due to two key factors: increasing global threats from nation state actors and the involvement of profit-driven cybercriminals often backed by the former. The lack of success in defending against these attacks can be attributed to several factors, including the complexity of OT environments, the convergence of information technology and OT, insider attacks, supply chain vulnerabilities, and more.

Russia to Launch Its Own Version of VirusTotal Due to US Snooping Fear

The Russian government is developing its own malware scanning platform, similar to VirusTotal, to address concerns that the U.S. government might access data from the popular Google-owned service. This new platform, called "Multiscanner," is being created by Russia's National Technology Center for Digital Cryptography in collaboration with other organizations and private enterprises, including companies like Kaspersky, AVSoft, and Netoscope.

CISA Releases Logging Made Easy Article

We wanted to let members know that CISA has introduced a valuable toolset designed to assist companies with their logging requirements. "Logging Made Easy (LME)" is a reimagined offering by CISA that transforms a well-established log management solution into a reliable, centralized log management alternative.

A Cascade of Compromise: Unveiling Lazarus' New Campaign

Earlier this year, a software vendor fell victim to a Lazarus malware attack due to unpatched legitimate software. Despite previous warnings and patches from the vendor, vulnerabilities remained, allowing the threat actor to exploit them. Fortunately, proactive measures detected and thwarted an attack on another vendor. Further investigation revealed that the software vendor had been repeatedly targeted by Lazarus, indicating a persistent and determined threat actor likely seeking valuable source code or tampering with the software supply chain. The adversary used advanced techniques and introduced the SIGNBT malware for victim control.

Microsoft: Octo Tempest Is One of the Most Dangerous Financial Hacking Groups

Researchers at Microsoft released a comprehensive profile of Octo Tempest, a native English-speaking threat group known for advanced social engineering skills. Octo Tempest primarily focuses on data extortion and ransomware attacks against various companies. This threat actor’s tactics have been continuously evolving since early 2022, with expanded targeting encompassing organizations offering cable telecommunications, email, and tech services.

Cloudflare Sees Surge in Hyper-volumetric HTTP DDoS Attacks

“Cloudflare says the number of hyper-volumetric HTTP DDoS (distributed denial of service) attacks recorded in the third quarter of 2023 surpasses every previous year, indicating that the threat landscape has entered a new chapter” (Bleeping Computer, 2023). DDoS attacks are a type of cyber attack that sends large amounts of traffic towards hosted apps, websites, and online services in an attempt to overwhelm them and make them unavailable to legitimate visitors.

France Accuses Russian State Hackers of Targeting Government Systems, Universities, Think Tanks

“A hacking group associated with Russia’s military intelligence agency has been spying on French universities, businesses, think tanks, and government agencies, according to a new report from France’s top cybersecurity agency ANSSI” (The Record, 2023). According to the agency, APT28 (Fancy Bear) has been breaching French networks since the second half of 2021 looking for sensitive data. The group chose not to leverage backdoors and instead compromised devices like routers that aren’t as closely monitored.

Chilean Telecom Giant GTD Hit by the Rorschach Ransomware Gang

Chile's telecommunications company, Grupo GTD, has experienced a cyberattack that affected its Infrastructure as a Service (IaaS) platform. The attack caused disruptions to various online services, including data centers, internet access, and Voice-over-IP (VoIP). The attack has been attributed to the Rorschach ransomware gang, and it led GTD to disconnect its IaaS platform from the internet.

StripedFly Malware Framework Infects 1 Million Windows, Linux Hosts

A sophisticated cross-platform malware platform named StripedFly flew under the radar of cybersecurity researchers for five years, infecting over a million Windows and Linux systems during that time. Kaspersky discovered the true nature of the malicious framework last year, finding evidence of its activity starting in 2017, with the malware wrongly classified as just a Monero cryptocurrency miner.

Israeli-Hamas Conflict Spells Opportunity for Online Scammers

Researchers have exposed multiple cyber scams exploiting the Israeli-Hamas conflict. These scams involve more than 500 deceptive emails and fraudulent websites that take advantage of people’s desire to support those affected by the conflict. Many of these emails contain links to counterfeit websites claiming to provide information about the ongoing situation and encouraging individuals to donate using various cryptocurrency payment methods, as reported by Kaspersky researchers.

Attacks on Web Applications Spike in Third Quarter, New Talos IR Data Shows

There was a notable increase in threats to web applications, accounting for 30 percent of the engagements Cisco Talos Incident Response (Talos IR) responded to in the third quarter of 2023, compared to 8 percent the previous quarter. Exploitation of public-facing applications was the top observed means of gaining initial access, accounting for 30 percent of engagements.

Citrix Bleed Exploit Lets Hackers Hijack NetScaler Accounts

A proof-of-concept (PoC) exploit has been released for the 'Citrix Bleed' vulnerability, tracked as CVE-2023-4966, which allows attackers to retrieve authentication session cookies from vulnerable Citrix NetScaler ADC and NetScaler Gateway appliances. CVE-2023-4966 is a critical-severity, remotely exploitable information disclosure flaw that Citrix fixed on October 10 without providing many details.

ESET: Winter Vivern Exploits Zero-Day Vulnerability in Roundcube Webmail Servers

According to a report by ESET, a well-known endpoint protection vendor, the threat actor identified as Winter Vivern, also known as TA473 and UAC-0114, was detected exploiting a zero-day vulnerability in Roundcube webmail software on October 11, 2023, for the purpose of gathering email messages from victims' accounts. Telemetry data indicates that the campaign specifically targeted Roundcube Webmail servers owned by governmental entities and a think tank, all located in Europe.

Strengthening Ransomware Defense: The Importance of Security Patch Management

A recent TrendMicro report highlights that IT teams are currently grappling with a deluge of software patches, which are released on a regular basis, ranging from monthly to daily. According to its statistics, contemporary enterprises are burdened with managing an average of 1,061 applications, and given the frequent issuance of patches by various software vendors, strategic prioritization has become imperative.

'Log in with...' Feature Allows Full Online Account Takeover for Millions

Security flaws in the use of OAuth by Grammarly, Vidio, and Bukalapak could potentially put the financial and credential information of millions of users at risk. These issues also raise concerns that other online services may face similar problems, potentially leading to account takeovers, credential theft, and financial fraud for users across various websites. Salt Labs researchers found serious API misconfigurations on websites like Grammarly, Vidio, and Bukalapak, indicating that numerous other sites might be similarly affected.

September Was a Record Month for Ransomware Attacks in 2023

Ransomware activity in September reached unprecedented levels following a relative lull in August that was still way above regular standards for summer months. According to NCC Group data, ransomware groups launched 514 attacks in September. This surpasses March 2023 activity, which counted 459 attacks, and was heavily skewed by Clop's MOVEit Transfer data theft attacks.

Vietnamese DarkGate Malware Targets META Accounts in the UK, USA, India

Cybersecurity firm WithSecure has discovered a connection between recent DarkGate malware attacks targeting its clients and Vietnam-based threat actors engaged in a campaign to compromise Meta business accounts and pilfer sensitive data. WithSecure's Detection and Response Team (DRT) reported multiple DarkGate malware infection attempts against their clients' organizations in the UK, USA, and India on August 4, 2023. The attack methods closely resemble those seen in recent DuckTail infostealer campaigns, which WithSecure has been monitoring for over a year.

New TetrisPhantom Hackers Steal Data from Secure USB Drives on Govt Systems

A new sophisticated threat tracked as ‘TetrisPhantom’ has been using compromised secure USB drives to target government systems in the Asia-Pacific region. Secure USB drives store files in an encrypted part of the device and are used to safely transfer data between systems, including those in an air-gapped environment. Access to the protected partition is possible through custom software that decrypts the contents based on a user-provided password. One such software is UTetris[.]exe, which is bundled on an unencrypted part of the USB drive.

US Energy Firm Shares How Akira Ransomware Hacked its Systems

In a rare display of transparency, US energy services firm BHI Energy has detailed how the Akira ransomware operation breached its network and stole data during the attack. BHI Energy, part of Westinghouse Electric Company, is a specialty engineering services and staffing solutions provider supporting private and government-operated oil & gas, nuclear, wind, solar, and fossil power generation units and electricity transmission and distribution facilities.

Google Chrome's New "IP Protection" Will Hide Users' IP Addresses

Google is set to introduce a new "IP Protection" feature in its Chrome browser to enhance user privacy by concealing their IP addresses through the use of proxy servers. This move aims to address privacy concerns related to IP addresses, which can be used for covert tracking, and marks Google's effort to strike a balance between user privacy and web functionality.

Tracking Unauthorized Access to Okta's Support System

In a recent statement, Okta Security reported the discovery of malicious activity involving the unauthorized use of a stolen credential to access Okta's support case management system. The threat actor was able to access files uploaded by specific Okta customers as part of recent support cases. It's essential to clarify that the support case system operates independently of the primary Okta service, which remains fully functional and unaffected. Notably, the Auth0/CIC case management system has not been impacted by this incident.

Pro-Israeli Hacktivist Group 'Predatory Sparrow' Reappears

A hacktivist group supporting Israel, known as Predatory Sparrow, has resurfaced recently. Last week, the group broke its year-long silence by posting a tweet referencing the ongoing Gaza conflict, warning of its return and sharing a link to a report about the United States sending fighter planes and warships to aid Israel. Predatory Sparrow is recognized as a relatively advanced Israeli hacking operation, and it has a track record of conducting disruptive attacks in Iran, aimed at undermining the Iranian government.

ExelaStealer: A New Low-Cost Cybercrime Weapon Emerges

In a recent report, Fortinet details a new information-stealing malware named ExelaStealer that has emerged in the cybersecurity landscape. ExelaStealer is described as a low-cost, mostly open-source infostealer with the option for paid customizations. This affordability and openness make it accessible to a wide range of cybercriminals, from novices to more seasoned threat actors. The malware is predominantly coded in Python and offers support for JavaScript. It is capable of exfiltrating a variety of sensitive data, including passwords, Discord tokens, credit card information, cookies, session data, keystrokes, screenshots, and clipboard content.

Attacks on 5G Infrastructure from User Devices: ASN.1 Vulnerabilities in 5G Core

In a recent report from TrendMicro, researchers delve into critical vulnerabilities and risks associated with 5G and its infrastructure. They take a particular focus on the control plane and the susceptibility of the NGAP protocol to ASN.1-related issues. The first part of the report reveals how GTP-U tunnels can be exploited by user devices, potentially leading to core network crashes. In the second part, the report discusses how attackers can leverage these vulnerabilities by disguising control messages as user traffic, resulting in the transition from the user plane to the control plane.

North Korean Hackers Are Targeting Software Developers and Impersonating IT Workers

North Korean hackers have notably increased their emphasis on the IT industry by infiltrating companies involved in software development and organizations seeking IT professionals. On Wednesday, Microsoft disclosed that the North Korea-affiliated hacking groups Lazarus (Diamond Sleet) and Andariel (Onyx Sleet) have been exploiting a critical authentication bypass vulnerability (CVE-2023-42793) in JetBrains TeamCity server.

QR Codes Used in 22% of Phishing Attacks

Hoxhunt released the results of their Hoxhunt Challenge, an exercise conducted in 38 organizations across nine industries and 125 countries. Their study revealed that 22% of phishing attacks in the first weeks of October 2023 used QR codes to deliver malicious payloads.

E-Root Admin Faces 20 Years for Selling Stolen RDP, SSH Accounts

Sandu Diaconu, the operator of the E-Root marketplace, has been extradited to the U.S. to face a maximum imprisonment penalty of 20 years for selling access to compromised computers. The Moldovan defendant was arrested in the U.K. in May 2021 while attempting to flee the country following the authorities' seizure of E-Root's domains in late 2020. Last month, Diaconu consented to be extradited to the United States on charges of wire fraud, money laundering, computer fraud, and access device fraud.

Iran-Linked OilRig Targets Middle East Governments in 8-Month Cyber Campaign

The OilRig threat group, connected to Iran, conducted an eight-month-long cyber campaign against an unspecified Middle Eastern government from February to September 2023. This operation resulted in the theft of files and passwords, and at one point, they used a PowerShell backdoor called PowerExchange. The Symantec Threat Hunter Team refers to this operation as "Crambus." The attackers used the PowerExchange implant to monitor emails from an Exchange Server, execute commands, and send the results to themselves. They compromised at least 12 computers and installed backdoors and keyloggers on an additional dozen machines, indicating a significant breach.

The Iron Swords War – Cyber Perspectives from the First 10 Days of the War in Israel

In a recent report from Check Point, the focus is on escalating cyber activities during the Israel-Hamas conflict. The key points include a surge in cyberattacks targeting Israel, diverse cyber threats like DDoS attacks and hack-and-leak incidents, and the involvement of various hacktivist groups aligned with geopolitical interests. These developments are causing heightened risks and tensions in the cyber domain.

Multiple North Korean Threat Actors Exploiting the TeamCity CVE-2023-42793 Vulnerability

Two North Korean nation-state actors, Lazarus (or Zinc) and Plutonium (or Andariel), have been exploiting a known remote code execution vulnerability in the TeamCity continuous integration and continuous deployment tool. The vulnerability, CVE-2023-42793, was patched by JetBrains in version 2023.05.4. These actors have been targeting on-premises instances of TeamCity, deploying backdoors, stealing credentials, and more. Microsoft's threat intelligence group observed these attacks and noted that both groups may be opportunistically compromising vulnerable servers, but they have also used techniques that could provide persistent access to victim environments.

Ex-Navy IT Head Gets 5 Years for Selling People’s Data on Darkweb

Marquis Hooper, a former U.S. Navy IT manager, has received a sentence of five years and five months in prison for illegally obtaining US citizens' personally identifiable information (PII) and selling it on the dark web. The man was indicted with his wife, Natasha Renee Chalk, in February 2021 and pleaded guilty to aggravated identity theft and conspiracy to commit wire fraud in March 2023.

Ukrainian Activists Hack Trigona Ransomware Gang, Wipe Servers

A group of cyber activists under the Ukrainian Cyber Alliance (UAC) banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available. The Ukrainian Cyber Alliance fighters say they exfiltrated all of the data from the threat actor’s systems, including source code and database records, which may include decryption keys.

D-Link Confirms Data Breach after Employee Phishing Attack

Taiwanese networking equipment manufacturer D-Link confirmed a data breach linked to information stolen from its network and put up for sale on BreachForums earlier this month. The attacker claims to have stolen source code for D-Link's D-View network management software, along with millions of entries containing personal information of customers and employees, including details on the company's CEO.

Critical Vulnerabilities Expose Weintek HMIs to Attacks

Last week, CISA warned organizations about critical and high-severity vulnerabilities in a human-machine interface (HMI) product made by Taiwan-based Weintek. According to CISA, the impacted product, the Weintek cMT HMI, is used worldwide, including in critical manufacturing organizations, which are considered part of critical infrastructure.

Is It On or Off? Cisco IOS XE Devices Hacked in Widespread Attacks

Amid the COVID-19 pandemic, as remote work became a necessity, IT teams had to rapidly implement protocols and software suites to maintain business continuity and efficiency. This involved enabling routing configurations and adjusting inbound and outbound policies on appliances that previously didn't support remote connections. This allowed networking appliances and software packages to be accessed and configured on-the-fly, enabling staff to access the necessary resources for their work from locations outside the traditional office spaces.

Russian Sandworm Hackers Breached 11 Ukrainian Telcos Since May

The state-sponsored Russian hacking group tracked as 'Sandworm' has compromised eleven telecommunication service providers in Ukraine between May and September 2023. That is based on a new report by Ukraine's Computer Emergency Response Team (CERT-UA) citing 'public resources' and information retrieved from some breached providers.

Researchers Warn of Increased Malware Delivery via Fake Browser Updates

Researchers from Sekoia have released details on a new campaign from the threat group behind SocGholish. This latest activity leverages compromised WordPress sites to push malicious fake browser updates. The campaign, which has been called ClearFake, injects JavaScript into compromised WordPress websites so that they download another JavaScript payload from an attacker-controlled domain.

Colonial Pipeline Attributes Ransomware Claims to ‘Unrelated’ Third-Party Data Breach

Colonial Pipeline has reported that there has been no disruption to its pipeline operations or systems following threats from a ransomware group known as Ransomed.vc. Colonial Pipeline is responsible for operating the largest pipeline system for refined oil products in the United States. The Ransomed.vc gang claimed that they had stolen data from Colonial Pipeline's systems.

macOS Malware 2023 | A Deep Dive into Emerging Trends and Evolving Techniques

A recent report by SentinelOne highlights a noteworthy shift in the behavior of macOS malware: a move away from the concept of persistence in many malware families. Specifically, infostealers have taken center stage, aiming to accomplish their objectives in a single execution. This includes the theft of valuable data such as admin passwords, browsing history, and cookies, all achieved without relying on traditional methods of maintaining persistence.

Women Political Leaders Summit Targeted in Romcom Malware Phishing

A less detectable version of the RomCom backdoor was used to target attendees of the Women Political Leaders Summit in Brussels, which centers on gender equality and women in politics. The attackers created a fake website resembling the official WPL portal to lure individuals looking to participate or learn about the summit.

EPA Calls Off Cyber Regulations for Water Sector

The Environmental Protection Agency will no longer require cybersecurity audits of U.S. water utilities through sanitary surveys. “In a letter to state drinking water administrators on Thursday, the EPA said litigation from Republican states and trade associations, which raised questions about the long-term legal viability of the initiative to regulate the cybersecurity of water utilities, drove the decision to rescind a March memorandum implementing the rule.”

Ransomware Attacks Now Target Unpatched WS_FTP Servers

Internet-exposed WS_FTP servers unpatched against a maximum severity vulnerability are now targeted in ransomware attacks. As recently observed by Sophos X-Ops incident responders, threat actors self-described as the Reichsadler Cybercrime Group attempted, unsuccessfully, to deploy ransomware payloads created using a LockBit 3.0 builder stolen in September 2022.

DarkGate Malware Spreading via Messaging Services Posing as PDF Files

The DarkGate malware is being spread through messaging platforms like Skype and Microsoft Teams. It disguises itself as a PDF document, but contains a harmful script that downloads and runs the malware. It’s uncertain how the attackers compromised the messaging app accounts, but it’s suspected to be due to leaked credentials or a previous compromise of the organization.

Newest Ransomware Trend: Attackers Move Faster with Partial Encryption

A recent Check Point report observes that ransomware actors can rapidly incapacitate systems through partial encryption. You might be wondering what partial encryption is and why it is effective. Encryption, especially of large data volumes, is a time-consuming process, so attackers are seeking faster methods of making victims' data inaccessible until the ransom is paid.

Assessed Cyber Structure and Alignments of North Korea in 2023

North Korea’s state-sponsored hackers, under the direction of its ruling regime, are constantly improving their tactics for conducting cyber operations. This information comes from a recent report by Google’s Mandiant threat intelligence team. The report reveals how the Pyongyang-based regime, despite its small population of 25 million, utilizes cyber intrusions for both espionage and financial crimes, thereby bolstering its power and financing its cyber and kinetic capabilities.

A Frontline Report of Chinese Threat Actor Tactics and Techniques

Microsoft threat intelligence experts are seeing a trend of Chinese threat groups deploying less desktop malware and prioritizing the theft of passwords and tokens that can be used to access sensitive systems used by remote workers. Ever since the COVID-19 pandemic, working from home has become the norm, with organizations granting employees remote access to sensitive systems and resources.

LinkedIn Smart Links Attacks Return to Target Microsoft Accounts

Cofense has detected a surge in the abuse of LinkedIn Smart Links in phishing attacks, allowing actors to bypass protection measures and evade detection. “Smart Links are part of LinkedIn's Sales Navigator service, used for marketing and tracking, allowing Business accounts to email content using trackable links to determine who engaged with it. Also, because Smart Link uses LinkedIn's domain followed by an eight-character code parameter, they appear to originate from a trustworthy source and bypass email protections.”

AvosLocker Ransomware Continues to Target US - CISA Alert AA23-284A

On October 11, 2023, the Cybersecurity and Infrastructure Security Agency (CISA) released a joint advisory on AvosLocker ransomware. AvosLocker is a Ransomware-as-a-Service group that employs double extortion tactics in its ransomware attack campaigns. AvosLocker was first seen in June 2021 and has multiple ransomware variants for Windows, Linux, and VMware ESXi environments.

High Severity Vulnerability in curl 8.4.0

Last week, researchers warned of a critical flaw in curl, the popular command line transfer tool. Curl project founder and lead developer Daniel Stenberg called it “probably the worst curl security flaw in a long time.” While details were initially withheld, a patch released today fixed two separate vulnerabilities tracked as CVE-2023-38545 and CVE-2023-38546.

One-Click Exploit Reveals Common Software's Supply Chain Risk in Linux Operating Systems

Researchers from GitHub security lab have discovered a critical vulnerability in a library used within the GNOME desktop environment for Linux systems. GNOME is a popular open-source desktop environment found in distributions like Ubuntu and Fedora. The vulnerability, rated 8.8 out of 10, resides in a library called "libcue," which is used for parsing metadata related to CD or DVD track layouts.

Google Mitigated the Largest DDoS Attack to Date, Peaking Above 398 Million RPS

Google says it mitigated a series of DDoS attacks reaching a peak of 398 million requests per second (rps), nearly 9 times larger than the largest-recorded DDoS attack last year, which peaked at 46 million rps. The latest set of attacks started in August and is still ongoing. According to Google, the attacks rely on a novel technique dubbed “Rapid Reset” which leverages stream multiplexing, a feature of the widely adopted HTTP/2 protocol.

Microsoft to Kill Off VBScript in Windows to Block Malware Delivery

Microsoft says it is working to remove VBScript (Visual Basic Script), a scripting language the company introduced approximately 30 years ago. Although VBScript was originally designed for Windows automation and administrative tasks, over the years threat actors have misused it to create and distribute malicious payloads.

New Threat Actor “Grayling” Blamed For Espionage Campaign

Security researchers have revealed evidence of a newly discovered APT group that primarily targeted Taiwanese organizations during a cyber-espionage campaign spanning at least four months. Known as "Grayling" according to Symantec, this group initiated their operations in February 2023 and persisted until at least May 2023.

Phishing Scam Alert - Impersonation of USPS and Dozens of National Postal Services

As we approach the holiday season, we've remained vigilant in warning our members about the recent surge in phishing attacks targeting U.S. Postal Service (USPS) customers. These malicious campaigns are disseminated through SMS, email, and various other phishing methods. In these attacks, criminals impersonate USPS services with the intent to deceive individuals and pilfer personal and financial information.

Microsoft Releases New Report on Cybercrime, State-Sponsored Cyber Operations

According to Microsoft’s latest Digital Defense Report, Ukraine, the United States, and Israel were the most targeted countries based on state-sponsored threat activity observed by the tech giant against organizations in more than 120 countries. Based on intel gathered between July 2022 and June 2023, the majority of cyber attacks observed were fueled by nation-state spying and influence operations, with 40% of all observed attacks targeting critical infrastructure organizations.

D.C. Board of Elections Confirms Voter Data Stolen in Site Hack

The District of Columbia Board of Elections (DCBOE) is currently probing a data leak involving an unknown number of voter records following breach claims from a threat actor known as RansomedVC. DCBOE operates as an autonomous agency within the District of Columbia Government and is entrusted with overseeing elections, managing ballot access, and handling voter registration processes.

Hackers Hijack Citrix NetScaler Login Pages to Steal Credentials

Hackers are conducting a large-scale campaign to exploit the recent CVE-2023-3519 flaw in Citrix NetScaler Gateways to steal user credentials. The flaw is a critical unauthenticated remote code execution bug discovered as a zero-day in July that impacts Citrix NetScaler ADC and NetScaler Gateway. By early August, the flaw had been leveraged to backdoor at least 640 Citrix servers, and the figure reached 2,000 by mid-August.

NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations

The UK's National Cyber Security Centre (NCSC) has released guidance to assist medium to large organizations in mapping their supply chains, with a focus on boosting confidence in managing vulnerabilities related to suppliers. Additionally, a report by Picus Security highlights the growing prevalence of multipurpose malware, which possesses multiple functionalities.

GitHub's Secret Scanning Feature Now Covers AWS, Microsoft, Google, and Slack

GitHub recently updated its secret scanning feature to extend validity checks to popular services including Amazon Web Services (AWS), Microsoft, Google, and Slack. The feature was introduced earlier this year to help alert users whether exposed tokens found by the secret scanning are active. While the feature was first enabled for GitHub tokens, the cloud-based code hosting and version control service is now including support for more tokens.

Sony Confirms Data Breach Impacting Thousands in the U.S.

Sony Interactive Entertainment (Sony) has informed current and former employees and their family members of a cybersecurity incident that exposed personal information. The company has sent data breach notifications to approximately 6,800 individuals, confirming that the breach occurred when an unauthorized party exploited a zero-day vulnerability in the MOVEit Transfer platform.

Maritime Infrastructure Security Breaches from Drones ‘Becoming a Common Occurrence,’ Says Report

A recent report highlights the growing presence of drones above sensitive maritime facilities, signaling a common occurrence. The report also criticizes the effectiveness of current federal counter-UAS legislation, citing a lack of authorities and capabilities to intercept suspicious drones. U.S. Coast Guard Capt. Andrew J. Meyers emphasized the importance of Area Maritime Security Committees (AMSCs) in safeguarding the nation's ports, praising their role in fostering relationships, collaborative planning, communication, and unity of effort.

Exploits Released for Linux Flaw Giving Root on Major Distros

Proof-of-concept exploits have already surfaced online for a high-severity flaw in GNU C Library's dynamic loader, allowing local attackers to gain root privileges on major Linux distributions. Dubbed 'Looney Tunables' and tracked as CVE-2023-4911, this security vulnerability is due to a buffer overflow weakness, and it affects default installations of Debian 12 and 13, Ubuntu 22.04 and 23.04, and Fedora 37 and 38.

Atlassian Confluence Hit by New Actively Exploited Zero-Day – Patch Now

Atlassian has published security updates to fix an actively exploited zero-day vulnerability in its Confluence Data Center and Server software. Tracked as CVE-2023-22515, the flaw relates to a case of privilege escalation. Although Atlassian did not specify the root cause of this flaw, the vulnerability could allow a regular user account to elevate to admin.

US Executives Targeted in Phishing Attacks Exploiting Flaw in Indeed Job Platform

A recent Menlo Security report found that Indeed, a widely recognized global job search platform headquartered in the US with over 350 million monthly visitors and a global workforce of more than 14,000 employees, has become the focus of a significant phishing campaign. The campaign underscores how threat actors can exploit a platform's credibility and popularity.

EvilProxy Uses Indeed.com Open Redirect For Microsoft 365 Phishing

A recently uncovered phishing campaign is targeting Microsoft 365 accounts of key executives in U.S.-based organizations by abusing open redirects from the Indeed employment website for job listings. The threat actor is using the EvilProxy phishing service that can collect session cookies, which can be used to bypass multi-factor authentication (MFA) mechanisms.

New BunnyLoader Threat Emerges as a Feature-Rich Malware-As-A-Service

Security researchers discovered a new malware-as-a-service (MaaS) named 'BunnyLoader' advertised on multiple hacker forums as a fileless loader that can steal and replace the contents of the system clipboard. The malware is under rapid development, with updates adding new features and bug fixes. It can currently download and execute payloads, log keys, steal sensitive data and cryptocurrency, and execute remote commands.

Ransomware Reinfections on the Rise Due to Improper Remediation

According to a recent report from Malwarebytes, it was found that ransomware attacks don't typically originate as a fresh problem for organizations; instead, they are the grim culmination of unresolved network compromises. Threat actors gain initial access through stolen login credentials, deployed malware, or established backdoors—akin to leaving an unlocked door for future visits.

Malware-Infected Devices Sold Through Major Retailers

Human Security has exposed a significant monetization method employed by a sophisticated cyber-criminal operation. This operation involved the sale of backdoored off-brand mobile and CTV (Connected TV) Android devices through major retailers, which had originated from repackaging factories in China.

FBI Warns of Surge in 'Phantom Hacker' Scams Impacting Elderly

The FBI issued a public service announcement warning of a significant increase in 'phantom hacker' scams targeting senior citizens across the United States. ‘This Phantom Hacker scam is an evolution of more general tech support scams, layering imposter tech support, financial institution, and government personas to enhance the trust victims place in the scammers and identify the most lucrative accounts to target,’ the FBI said.

Ransomware Gangs Now Exploiting Critical TeamCity RCE Flaw

Ransomware gangs are now targeting a recently patched critical vulnerability in JetBrains' TeamCity continuous integration and deployment server. The flaw (tracked as CVE-2023-42793 and tagged with a 9.8/10 severity score) allows unauthenticated attackers to gain remote code execution (RCE) after successfully exploiting an authentication bypass weakness in low-complexity attacks that don't require user interaction.

Future Government Shutdowns: Potential Impact on National Cybersecurity

According to a recent Forbes report, the nation's cybersecurity was in a tight spot until Congress passed a bill to keep the government running for the next 45 days. A government shutdown could have disrupted many government functions, including those responsible for protecting the country from cyberattacks. Depending on how long a shutdown lasted, it could have led to a crisis for companies and organizations across the country.

Microsoft Edge, Teams Get Fixes for Zero-days in Open-source Libraries

Microsoft released emergency security updates for Edge, Teams, and Skype to patch two zero-day vulnerabilities in open-source libraries used by the three products. The first bug is a flaw tracked as CVE-2023-4863 and is caused by a heap buffer overflow weakness in the WebP code library (libwebp), whose impact ranges from crashes to arbitrary code execution.

Strengths and Weaknesses of a Single-Vendor Approach: Microsoft

A recent SentinelOne report highlights that Microsoft's security business has seen substantial growth, generating over $20 billion annually. The International Data Corporation (IDC) reported that Microsoft held the largest market share in 2022, at 18.9%, a 7.2% increase. Similarly, Gartner estimated that in 2021 Microsoft controlled 8.5% of the entire security software market, outperforming its competitors.

Chinese Threat Actors Stole Around 60,000 Emails from US State Department in Microsoft Breach - Filing

This report was filed under "Vendor Reports" because it was investigated by Microsoft (the vendor) as a notable incident: "Microsoft researchers discovered that the threat actors gained access to customer email accounts using Outlook Web Access in Exchange Online (OWA) and Outlook[.]com by forging authentication tokens to access user email." Microsoft corrected the issue in its products by "Revoking all valid MSA signing keys to prevent attackers from accessing other compromised keys."

Zanubis Android Banking Trojan Poses as Peruvian Government App to Target Users

An emerging Android banking trojan called Zanubis is now masquerading as a Peruvian government app to trick unsuspecting users into installing the malware. ‘Zanubis's main infection path is through impersonating legitimate Peruvian Android applications and then tricking the user into enabling the Accessibility permissions in order to take full control of the device,’ Kaspersky said in an analysis published last week.

Millions of Exim Mail Servers Exposed to Zero-Day RCE Attacks

A critical zero-day vulnerability was disclosed in the Exim mail transfer agent (MTA) software which, if successfully exploited, could enable an unauthenticated attacker to gain remote code execution on Internet-exposed servers. Tracked as CVE-2023-42115, the flaw resides in the SMTP service, which listens on TCP port 25 by default. According to Trend Micro’s Zero Day Initiative, which uncovered the flaw, CVE-2023-42115 results from a lack of proper validation of user-supplied data, which can result in a write past the end of a buffer and allow an attacker to execute code in the context of the service account.

Exploit Available for Critical WS_FTP Bug Exploited in Attacks

Over the weekend, security researchers uncovered a critical vulnerability (CVE-2023-40044) in Progress Software's WS_FTP Server. They released a proof-of-concept (PoC) exploit along with technical details. The flaw stems from a .NET deserialization vulnerability in the Ad Hoc Transfer Module, allowing unauthenticated attackers to execute remote commands via a simple HTTP request. Assetnote researchers, who discovered the issue, expressed surprise at how long it remained unpatched.

Exploit Released for Microsoft SharePoint Server Authentication Bypass Flaw

Proof-of-concept exploit code has surfaced on GitHub for a critical authentication bypass vulnerability in Microsoft SharePoint Server, allowing privilege escalation. Tracked as CVE-2023-29357, the security flaw can let unauthenticated attackers gain administrator privileges following successful exploitation in low-complexity attacks that don't require user interaction.

Hackers Steal User Database from European Telecommunications Standards Body

Hackers targeted the European Telecommunications Standards Institute (ETSI), a nonprofit organization responsible for developing communication standards, and stole a user database. The motive behind the attack remains unclear, with suspicions ranging from financial gain to potential espionage. ETSI engaged France's cybersecurity agency ANSSI to investigate and enhance its information systems' security.

Chinese Threat Actors Stole Around 60,000 Emails from US State Department in Microsoft Breach

China-linked hackers breached Microsoft's email platform in May and stole tens of thousands of emails from U.S. State Department accounts, according to a Senate staffer. During a briefing by State Department IT officials, it was revealed that threat actors targeted around 60,000 emails from a total of 10 State Department accounts belonging to officials working in East Asia, the Pacific, and Europe.

Budworm Hackers Target Telcos and Govt Orgs With Custom Malware

A Chinese cyber-espionage group known as Budworm has recently been detected engaging in cyberattacks. They have specifically targeted a telecommunications company in the Middle East and a government organization in Asia. What's noteworthy is that they've deployed a new version of their customized 'SysUpdate' malware.

Google Fixes Fifth Actively Exploited Chrome Zero-Day of 2023

Yesterday, Google released emergency security updates to address a zero-day flaw impacting its Chrome Browser. Tracked as CVE-2023-5217, the flaw relates to a heap buffer overflow weakness in the VP8 encoding of libvpx, an open-source video codec library from Google and the Alliance for Open Media (AOMedia). A successful exploit of this flaw could lead to browser crashes or arbitrary code execution.

Cisco Urges Admins to Fix IOS Software Zero-Day Exploited in Attacks

Multiple vulnerabilities have been identified in Cisco Catalyst SD-WAN Manager (formerly Cisco SD-WAN vManage). These vulnerabilities could allow attackers to access an affected instance or cause a denial of service (DoS) condition on the affected system. Cisco has addressed these vulnerabilities through software updates. Although exploiting this vulnerability demands significant access to the target environment, threat actors have already initiated attacks, as reported by the company in the same advisory.

US and Japan Warn of Chinese Hackers Backdooring Cisco Routers

US and Japanese law enforcement and cybersecurity agencies warn of the Chinese 'BlackTech' hackers breaching network devices to install custom backdoors for access to corporate networks. The joint report comes from the FBI, NSA, CISA, and the Japanese NISC (cybersecurity) and NPA (police), who explain that the state-sponsored hacking group is breaching network devices at international subsidiaries to pivot to the networks of corporate headquarters.

GitHub Repos Bombarded By Info-Stealing Commits Masked as Dependabot

Hackers are breaching GitHub accounts and inserting malicious code disguised as Dependabot contributions to steal authentication secrets and passwords from developers. The campaign unfolded in July 2023, when researchers discovered unusual commits on hundreds of public and private repositories forged to appear as Dependabot commits.

New ZenRAT Malware Targeting Windows Users via Fake Password Manager Software

Researchers at Proofpoint have uncovered a new malware strain dubbed ZenRAT which is being distributed via bogus installation packages of the Bitwarden password manager. ZenRAT is a modular remote access trojan that comes with various modules designed to steal information from victims’ systems. Although researchers noted that ZenRAT is being hosted on fake websites pretending to be associated with Bitwarden, it’s unclear how end users are being directed to these sites.

New Zerofont Phishing Tricks Outlook Into Showing Fake AV-Scans

Threat actors are employing a novel tactic by incorporating zero-point fonts within emails, creating the illusion that malicious emails have undergone successful security scans in Microsoft Outlook. While the ZeroFont phishing method has been observed before, its current application marks a significant development. SANS ISC analyst Jan Kopriva, in a recent report, cautions that this technique could greatly enhance the success rate of phishing attacks, underscoring the importance of user awareness of its deployment in real-world scenarios.
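A defender-side check for the zero-point-font trick described above, added here as an example (not code from the original post or from the SANS ISC report): it walks an HTML email body with Python's standard-library parser and separates text rendered at font-size zero from visible text, so a mail filter can flag a message that carries a hidden run. The sample email is constructed for the example.

```python
"""Detect zero-point-font (ZeroFont) text in an HTML email body.

Text styled with font-size 0 is invisible in the rendered message, but it is
still part of the message text that client previews and scanners read. This
scanner returns the hidden and visible runs separately so a filter can flag
the mismatch.
"""
import re
from html.parser import HTMLParser

# Inline font-size of zero in any CSS unit: "font-size:0", "font-size: 0pt",
# "font-size:0.0px", optionally followed by ";" or "!important".
ZERO_FONT_RE = re.compile(
    r"font-size\s*:\s*0+(?:\.0+)?\s*(?:pt|px|em|rem|%)?(?=\s*(?:;|$|!important))",
    re.IGNORECASE,
)

# Elements that never wrap text and never receive a closing tag.
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "area",
             "base", "col", "wbr", "source"}


def style_hides_text(attrs):
    """Return True if a tag's attributes render its text at zero size."""
    for name, value in attrs:
        if value is None:
            continue
        if name.lower() == "style" and ZERO_FONT_RE.search(value):
            return True
        if name.lower() == "size" and value.strip() == "0":  # legacy <font size="0">
            return True
    return False


class ZeroFontScanner(HTMLParser):
    """Collects text runs, split by whether an enclosing element hides them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self._stack = []          # one bool per open element: does it hide text?
        self._hidden_depth = 0    # number of open elements that hide text
        self.hidden_text = []
        self.visible_text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() in VOID_TAGS:
            return
        hides = style_hides_text(attrs)
        self._stack.append(hides)
        if hides:
            self._hidden_depth += 1

    def handle_startendtag(self, tag, attrs):
        pass  # self-closing tags such as <br/> carry no text

    def handle_endtag(self, tag):
        if tag.lower() in VOID_TAGS or not self._stack:
            return
        if self._stack.pop():
            self._hidden_depth -= 1

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        bucket = self.hidden_text if self._hidden_depth else self.visible_text
        bucket.append(text)


def scan_email_html(html):
    """Return the hidden and visible text runs and a ZeroFont verdict."""
    scanner = ZeroFontScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "hidden": scanner.hidden_text,
        "visible": scanner.visible_text,
        "zerofont": bool(scanner.hidden_text),
    }


# Constructed sample modelled on the technique in the article, not a real capture.
SAMPLE_EMAIL = """
<html><body>
<p>Scanned by <span style="font-size:0px">Hidden filler text to confuse scanners</span>
Microsoft Outlook</p>
<p>Your invoice is attached.<br>
<font size="0">Urgent: review immediately</font></p>
<p style="font-size: 0pt;">Another hidden block</p>
<p style="font-size: 11pt">Regards, Accounts</p>
</body></html>
"""

if __name__ == "__main__":
    result = scan_email_html(SAMPLE_EMAIL)
    print("ZeroFont detected:", result["zerofont"])
    for run in result["hidden"]:
        print("  hidden:", run)
```

Only exact zero sizes are flagged; a filter wanting to catch near-invisible text (for example, 1px) would widen the regular expression accordingly.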

Shadowsyndicate Hackers Linked to Multiple Ransomware Ops, 85 Servers

Security researchers have identified ShadowSyndicate as a threat actor using seven ransomware families in attacks over the past year. They suggest it could be an initial access broker and affiliate to ransomware operations. Their findings are based on a distinct SSH fingerprint found on 85 IP servers, discovered using tools like Shodan and Censys. This fingerprint was first seen in July 2022 and was still in use in August 2023. Researchers also found eight different Cobalt Strike watermarks on ShadowSyndicate servers.

BORN Ontario Child Registry Data Breach Affects 3.4 Million People

The Better Outcomes Registry & Network (BORN), a healthcare organization funded by the government of Ontario, has announced that it is among the victims of Clop ransomware's MOVEit hacking spree. BORN is a perinatal and child registry that collects, interprets, shares and protects critical data about pregnancy, birth and childhood in the province of Ontario.

Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals

Ukrainian military entities are the target of a phishing campaign that leverages drone manuals as lures to deliver a Go-based open-source post-exploitation toolkit called Merlin. ‘Since drones or Unmanned Aerial Vehicles (UAVs) have been an integral tool used by the Ukrainian military, malware-laced lure files themed as UAVs service manuals have begun to surface,’ Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News.

New Stealthy and Modular Deadglyph Malware Used in Govt Attacks

A highly advanced backdoor called 'Deadglyph' was recently employed in a cyber espionage operation targeting a Middle Eastern government agency. The malware has been linked to the Stealth Falcon Advanced Persistent Threat (APT) group, also known as Project Raven or FruityArmor.

Is Gelsemium APT Behind a Targeted Attack in Southeast Asian Government?

Researchers at Kaspersky Lab have uncovered a new backdoor called "SessionManager" that has been used in attacks targeting Microsoft IIS Servers since March 2021. This backdoor allows threat actors to maintain persistent, update-resistant, and stealthy access to a targeted organization's IT infrastructure. It has been deployed in over 20 organizations, and as of late April 2022, many samples were not yet flagged as malicious by online file scanning services.

Dallas says Royal Ransomware Breached its Network Using Stolen Account

The City of Dallas, Texas, said this week that the Royal ransomware attack that forced it to shut down all IT systems in May started with a stolen account. Royal gained access to the City's network using a stolen domain service account in early April and maintained access to the compromised systems between April 7 and May 4. During this period, they successfully collected and exfiltrated 1.169 TB worth of files based on system log data analysis conducted by city officials and external cybersecurity experts.

Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape

Proofpoint has observed an increase in activity from specific malware families targeting Chinese-language speakers. Campaigns include Chinese-language lures and malware typically associated with Chinese cybercrime activity. Newly observed ValleyRAT is emerging as a new malware among Chinese-themed cybercrime activity, while Sainbox RAT and related variants are recently active as well.

Pro-Russia Hacker Group NoName Launched a DDoS Attack on Canadian Airports Causing Severe Disruption

Pro-Russia hacker group NoName is suspected of launching a DDoS cyberattack that caused significant disruptions at several Canadian airports. The attack affected check-in kiosks and electronic gates, leading to delays in the processing of arrivals at border checkpoints across the country. The Canada Border Services Agency (CBSA) confirmed the DDoS attack and is investigating the incident, assuring that no personal information has been compromised. No evidence of a data breach has been found at this time.

P2PInfect Botnet Activity Surges 600x with Stealthier Malware Variants

The P2PInfect botnet worm has entered a phase of significantly increased activity, with a notable surge observed from late August through September 2023. Initially documented by Unit 42 in July 2023, P2PInfect is categorized as a peer-to-peer malware that exploits a remote code execution vulnerability to breach Redis instances on internet-exposed Windows and Linux systems.

Cyber Group 'Gold Melody' Selling Compromised Access to Ransomware Attackers

A financially motivated threat actor has been outed as an initial access broker (IAB) that sells access to compromised organizations for other adversaries to conduct follow-on attacks such as ransomware. SecureWorks Counter Threat Unit (CTU) has dubbed the e-crime group Gold Melody, which is also known by the names Prophet Spider (CrowdStrike) and UNC961 (Mandiant).

T-Mobile App Glitch Let Users See Other People's Account Info

Today, T-Mobile customers said they could see other people's account and billing information after logging into the company's official mobile application. According to user reports on social media, the exposed information included customers' names, phone numbers, addresses, account balances, and credit card details such as expiration dates and the last four digits.

GitLab Releases Urgent Security Patches for Critical Vulnerability

GitLab recently rolled out security updates to address a critical vulnerability impacting its enterprise edition. Tracked as CVE-2023-5009, the flaw could enable an attacker to run pipelines as an arbitrary user via scheduled security scan policies. As such, the actor could use elevated permissions of the impersonated user to further access sensitive information, modify source code, or even run arbitrary code on the targeted system.

Finnish Authorities Dismantle Notorious PIILOPUOTI Dark Web Drug Marketplace

Finnish law enforcement authorities have announced the takedown of PIILOPUOTI, a dark web marketplace that specialized in illegal narcotics trade since May 2022. ‘The site operated as a hidden service in the encrypted TOR network,’ the Finnish Customs (aka Tulli) said in a brief announcement on Tuesday. ‘The site has been used in anonymous criminal activities such as narcotics trade.’

Fake WinRAR Proof-of-Concept Exploit Drops VenomRAT Malware

Threat actors exploited a recently disclosed WinRAR vulnerability (CVE-2023-40477) by repurposing an older proof-of-concept (PoC) code. The Zero Day Initiative initially reported the WinRAR vulnerability to the vendor on June 8, 2023, but publicly disclosed it on August 17, 2023. Within four days of the public disclosure, an actor known as "whalersplonk" uploaded a fake PoC script to their GitHub repository.

Snatch Ransomware Alert

Snatch is a ransomware group primarily targeting Windows-based systems. They employ various tactics, including exploiting vulnerabilities, brute force attacks, and data exfiltration to compromise and extort victims. Snatch operates under a ransomware-as-a-service (RaaS) model and has targeted critical infrastructure sectors such as Defense Industrial Base (DIB), Food and Agriculture, and Information Technology.

ShroudedSnooper Threat Actors Target Telecom Companies in the Middle East

Telecommunications companies have increasingly become the focus of state-sponsored actors and advanced adversaries in recent years. In 2022, the telecommunications sector consistently ranked as one of the most targeted verticals in Talos IR (Incident Response) engagements. Telecom companies control critical infrastructure assets, which make them attractive targets for adversaries seeking to create significant disruptions.

Trend Micro Fixes Endpoint Protection Zero-day Used in Attacks

Trend Micro fixed a remote code execution zero-day vulnerability in its Apex One endpoint protection solution that was actively exploited in attacks. Apex One is an endpoint security solution for businesses of all sizes, while the 'Worry-Free Business Security' suite is designed for small to medium-sized companies.

Earth Lusca Expands Arsenal with SprySocks Linux Malware

China-linked threat group Earth Lusca has deployed a new Linux malware called SprySOCKS in a recent cyber espionage campaign. Researchers at Trend Micro discovered this malware while tracking Earth Lusca's activities. SprySOCKS, based on an open-source Windows backdoor called Trochilus, was adapted for Linux. Earth Lusca continues to develop it, as evidenced by different versions detected.

Bumblebee Malware Returns in New Attacks Abusing WebDAV Folders

The malware loader 'Bumblebee' has broken its two-month vacation with a new campaign that employs new distribution techniques that abuse 4shared WebDAV services. WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP protocol that enables clients to perform remote authoring operations such as creating, accessing, updating, and deleting web server content.

Microsoft AI Researchers Accidentally Expose 38 Terabytes of Confidential Data

Microsoft on Monday said it took steps to correct a glaring security gaffe that led to the exposure of 38 terabytes of private data. The leak was discovered on the company's AI GitHub repository and is said to have been inadvertently made public when publishing a bucket of open-source training data, Wiz said. It also included a disk backup of two former employees' workstations containing secrets, keys, passwords, and over 30,000 internal Teams messages.

New AMBERSQUID Cryptojacking Operation Targets Uncommon AWS Services

A new cloud-native cryptojacking operation, known as AMBERSQUID, is targeting less common AWS services like AWS Amplify, AWS Fargate, and Amazon SageMaker for illicit cryptocurrency mining. Sysdig, a security firm, identified this campaign while analyzing 1.7 million Docker Hub images and attributed it to Indonesian attackers due to their use of the Indonesian language in scripts and usernames.

FBI Hacker USDOD Leaks Highly Sensitive TransUnion Data

Researchers at vx-underground have uncovered a major data breach involving the hacker known as "USDoD," who leaked highly sensitive data from TransUnion, a leading consumer credit reporting agency. The breach exposed personal information of 58,505 individuals globally, including names, passport details, financial data, and more, dating back to March 2022.

Canadian Government Targeted With DDoS Attacks by Pro-Russia Group

The pro-Russian cybercrime group named NoName057(16) has been observed launching distributed denial-of-service (DDoS) attacks against Canadian organizations, a fresh government alert warns. Since March 2022, the threat actor – also known as NoName05716, 05716nnm or Nnm05716 – has been launching disruptive attacks in support of Russia’s invasion of Ukraine.

BlackCat Ransomware Hits Azure Storage with Sphynx Encryptor

The BlackCat (ALPHV) ransomware gang now uses stolen Microsoft accounts and the recently spotted Sphynx encryptor to encrypt targets' Azure cloud storage. While investigating a recent breach, Sophos X-Ops incident responders discovered that the attackers used a new Sphynx variant with added support for using custom credentials. After gaining access to the Sophos Central account using a stolen One-Time Password (OTP), they disabled Tamper Protection and modified the security policies.

Iranian Hackers Breach Defense Orgs in Password Spray Attacks

Microsoft has reported that since February 2023, an Iranian-backed threat group known as APT33 (or Peach Sandstorm, HOLMIUM, Refined Kitten) has been conducting password spray attacks against thousands of organizations in the U.S. and globally. These attacks involve attempting to access multiple accounts using a single or commonly used password, increasing the chances of success without triggering account lockouts.

ORBCOMM Ransomware Attack Causes Trucking Fleet Management Outage

Trucking and fleet management solutions provider ORBCOMM has confirmed that a ransomware attack is behind recent service outages preventing trucking companies from managing their fleets. ORBCOMM is a solutions provider for freight companies to manage fleets and track transported assets. The company also provides Electronic Logging Devices (ELD) that truckers use to log their hours to adhere to federal safety regulations.

NodeStealer Malware Now Targets Facebook Business Accounts on Multiple Browsers

An ongoing campaign is targeting Facebook Business accounts with bogus messages to harvest victims' credentials using a variant of the Python-based NodeStealer and potentially take over their accounts for follow-on malicious activities. The attacks are reaching victims mainly in Southern Europe and North America across different segments, led by the manufacturing services and technology sectors.

Pirated Software Likely Cause of Airbus Breach

A major data breach at Airbus revealed earlier this week stemmed from a RedLine info-stealer likely hidden in a pirated copy of Microsoft software, according to researchers. The European aerospace giant said it has launched an investigation into the incident.

Enterprises Persist with Outdated Authentication Strategies

Despite authentication being a cornerstone of cybersecurity, risk mitigation strategies remain outdated, according to new research from Enzoic. With the attack surface expanding and the increasing sophistication of cyber threats, organizations are struggling to deliver secure and user-friendly authentication. The research uncovered that despite the emergence of modern strategies, most companies still rely on traditional approaches.

Scattered Spider Behind MGM Cyberattack, Targets Casinos

The "Scattered Spider" threat group is believed to be responsible for the cyberattack on MGM Resorts that occurred on September 10. This attack has left systems offline in over 30 hotels and casinos owned by the conglomerate worldwide, and the disruption continues even days later. As reported by Reuters, the Scattered Spider ransomware group, as identified by sources familiar with the situation, is believed to consist of young individuals based in the US and UK.

Russian Journalist's iPhone Compromised by NSO Group's Zero-Click Spyware

The iPhone belonging to Galina Timchenko, a prominent Russian journalist and critic of the government, was compromised with NSO Group's Pegasus spyware, a new collaborative investigation from Access Now and the Citizen Lab has revealed. The infiltration is said to have happened on or around February 10, 2023. Timchenko is the executive editor and owner of Meduza, an independent news publication based in Latvia.

Update Adobe Acrobat and Reader to Patch Actively Exploited Vulnerability

Adobe recently addressed a critical flaw in Acrobat and Reader that could enable actors to execute malicious code on targeted systems. Tracked as CVE-2023-26369, the vulnerability has been rated 7.8 out of 10 on the CVSS scale, indicating a high level of severity. According to the vendor, CVE-2023-26369 relates to an out-of-bounds write issue and can be exploited to execute arbitrary code via specially crafted PDF documents.

Suspected Ransomware Attack Hits Auckland Transport's Hop Cards

Auckland Transport's Hop card system has been hit by a suspected ransomware attack, leading to disruptions in card top-up services and limited functionality at customer service centers. The attack is under investigation, and there is no indication that personal or financial data has been compromised. Commuters can still use their cards to tag on and off, but online top-ups and services on the AT website are unavailable.

Kubernetes Flaws Could Lead to Remote Code Execution on Windows Endpoints

Akamai researchers recently discovered a high-severity vulnerability in Kubernetes tracked as CVE-2023-3676 (CVSS 8.8). The identification of this issue led to the discovery of two more vulnerabilities, tracked as CVE-2023-3893 and CVE-2023-3955 (CVSS 8.8). All three vulnerabilities were caused by an insecure function call and the lack of user input sanitization.

MetaStealer Malware is Targeting Enterprise macOS Users

A new strain of macOS malware is targeting enterprise users, as indicated by file names and content. Some versions of this malware, called MetaStealer, masquerade as Adobe files, while others use deceptive methods like password-protected ZIP files sent by fake clients. Once opened, these files reveal an app disguised as a PDF.

Ransomware Access Broker Steals Accounts via Microsoft Teams Phishing

Microsoft has reported a change in tactics by an initial access broker, previously associated with ransomware groups. This actor, identified as Storm-0324, has shifted its focus to Microsoft Teams phishing attacks as a means to infiltrate corporate networks. Storm-0324 is a financially motivated threat group with a history of deploying ransomware such as Sage and GandCrab in previous campaigns.

Rust-Written 3AM Ransomware: A Sneak Peek into a New Malware Family

A new ransomware family called 3AM has emerged in the wild after it was detected in a single incident in which an unidentified affiliate deployed the strain following an unsuccessful attempt to deliver LockBit (attributed to Bitwise Spider or Syrphid) in the target network. 3AM gets its name from the fact that it's referenced in the ransom note. It also appends encrypted files with the extension .threeamtime.

Microsoft September 2023 Patch Tuesday Fixes 2 Zero-Days, 59 Flaws

As part of the September Patch Tuesday, Microsoft addressed 59 flaws, including two zero-days that were exploited in attacks in the wild. In total, Microsoft released fixes for 3 Security Feature Bypass Vulnerabilities, 24 Remote Code Execution Vulnerabilities, 9 Information Disclosure Vulnerabilities, 3 Denial of Service Vulnerabilities, 5 Spoofing Vulnerabilities, and 5 Edge - Chromium Vulnerabilities.

Facebook Messenger Phishing Wave Targets 100K Business Accounts Per Week

Hackers use a massive network of fake and compromised Facebook accounts to send out millions of Messenger phishing messages to target Facebook business accounts with password-stealing malware. The attackers trick the targets into downloading a RAR/ZIP archive containing a downloader for an evasive Python-based stealer that grabs cookies and passwords stored in the victim's browser.

Google Fixes Another Chrome Zero-Day Bug Exploited in Attacks

Yesterday, Google released security updates to fix a critical zero-day vulnerability in its Chrome web browser. Tracked as CVE-2023-4863, the flaw relates to a heap-based buffer overflow in the WebP image format. Successful exploitation of this issue could result in browser crashes or arbitrary code execution.

Cuba Ransomware Group Unleashes Undetectable Malware

Security researchers at Kaspersky have exposed the activities of the infamous ransomware group Cuba. In a recent advisory, Kaspersky revealed that this cyber-criminal gang has been targeting organizations across different industries worldwide. In December 2022, Kaspersky detected a suspicious incident on a client's system, which led to the discovery of three mysterious files triggering the komar65 library, also known as BUGHATCH.

Apple Backports BLASTPASS Zero-Day Fix to Older iPhones

Apple released security updates for older iPhones to fix a zero-day vulnerability tracked as CVE-2023-41064 that was actively exploited to infect iOS devices with NSO's Pegasus spyware. CVE-2023-41064 is a remote code execution flaw that is exploited by sending maliciously crafted images via iMessage.

'Redfly' Hackers Infiltrated Power Supplier's Network for 6 Months

An espionage threat group tracked as 'Redfly' hacked a national electricity grid organization in Asia and quietly maintained access to the breached network for six months. These new findings come from Symantec, who found evidence of ShadowPad malware activity in the organization's network between February 28 and August 3, 2023, along with keyloggers and specialized file launchers.

Microsoft Teams Phishing Attack Pushes Darkgate Malware

A recent phishing scheme has exploited Microsoft Teams messages as a means to distribute harmful attachments that deploy the DarkGate Loader malware. This campaign commenced in late August 2023, as phishing messages originating from two compromised external Office 365 accounts were observed, targeting various organizations. These accounts were employed to deceive Microsoft Teams users into downloading and launching a ZIP file titled "Alterations to the holiday calendar."

'Evil Telegram' Android apps on Google Play infected 60K with spyware

Several malicious Telegram clones for Android on Google Play were installed over 60,000 times, infecting people with spyware that steals user messages, contacts lists, and other data. The apps appear to be tailored for Chinese-speaking users and the Uighur ethnic minority, suggesting possible ties to the well-documented state monitoring and repression mechanisms. The apps were discovered by Kaspersky, who reported them to Google.

Ragnar Locker Claims Attack on Israel's Mayanei Hayeshua Hospital

The Ragnar Locker ransomware gang has claimed responsibility for an attack on Israel's Mayanei Hayeshua hospital, threatening to leak 1 TB of data allegedly stolen during the cyberattack. The cyberattack on Mayanei Hayeshua occurred in early August, disrupting the hospital's record-keeping system and preventing new patients from receiving care.

Ransomware Attack Wipes Out Four Months of Sri Lankan Government Data

Sri Lanka's government cloud system, Lanka Government Cloud (LGC), has fallen victim to a massive ransomware attack that began on August 26, 2023. The attack resulted in the encryption of LGC services and backup systems, affecting approximately 5,000 email addresses using the "gov[dot]lk" domain, including those of the Cabinet Office.

UK and US Sanction 11 Members of the Russia-Based TrickBot Gang

The United States, in coordination with the United Kingdom, sanctioned eleven more individuals who are members of the Russia-based Trickbot cybercrime group. The sanctions were provided by the U.S. Department of the Treasury’s Office of Foreign Assets Control. The sanctioned TrickBot members worked as administrators, managers, developers, and coders, who have materially supported the operations of the group. The group has been tied to Russian intelligence services and has targeted the U.S. government, companies and hospitals.

Mac Users Beware: Malvertising Campaign Spreads Atomic Stealer macOS Malware

A new malvertising campaign has been observed distributing an updated version of a macOS stealer malware called Atomic Stealer (or AMOS), indicating that it's being actively maintained by its author. An off-the-shelf Golang malware available for $1,000 per month, Atomic Stealer first came to light in April 2023. Shortly after that, new variants with an expanded set of information-gathering features were detected in the wild, targeting gamers and cryptocurrency users.

Apple Discloses 2 New Zero-Days Exploited to Attack iPhones, Macs

Yesterday, Apple issued emergency security updates to address two zero-day flaws that were exploited in attacks targeting iPhone and Mac users. The vulnerabilities are being tracked as CVE-2023-41064 (discovered by Citizen Lab security researchers) and CVE-2023-41061 (discovered by Apple) and were found in the Image I/O and Wallet frameworks. CVE-2023-41064 relates to a validation issue in Wallet which can be exploite

Attackers Leverage Windows Advanced Installer to Drop Cryptocurrency Malware

Attackers operating from IP addresses in France, Luxembourg, and Germany have been utilizing the legitimate Windows tool, Advanced Installer, to create software packages that deliver cryptocurrency mining malware onto computers in various sectors. The malware payloads, as reported by Cisco Talos researchers on September 7, include the M3_Mini_RAT client stub. This remote access trojan enables the attackers to establish backdoors, download, and execute additional threats, including PhoenixMiner for Ethereum cryptocurrency mining and IOIMiner, a multi-coin mining threat.

Mirai Variant Infects Low-Cost Android TV Boxes for DDoS attacks

A variant of the Mirai malware botnet has been observed infecting affordable Android TV set-top boxes that are widely used for media streaming by millions of users. Dr. Web's antivirus team reports that this trojan represents a fresh iteration of the 'Pandora' backdoor, initially seen in 2015. The primary focus of this campaign is on economical Android TV boxes such as the Tanix TX6 TV Box, MX10 Pro 6K, and H96 MAX X3.

September Android updates Fix Zero-Day Exploited in Attacks

As part of the September 2023 Android security updates, Google addressed 33 vulnerabilities, including a high-severity zero-day that is actively being exploited in the wild. Tracked as CVE-2023-35674, the zero-day flaw impacts the Android Framework and could allow threat actors to escalate privileges on vulnerable devices without requiring user interaction or additional execution privileges.

US and UK Sanction 11 TrickBot and Conti Cybercrime Gang Members

The USA and the United Kingdom have sanctioned eleven Russian nationals associated with the TrickBot and Conti ransomware cybercrime operations. The TrickBot malware operation launched in 2015 and focused on stealing banking credentials. However, over time, it developed into a modular malware that provided initial access to corporate networks for other cybercrime operations, such as Ryuk and, later, Conti ransomware operations.

China, North Korea Pursue New Targets While Honing Cyber Capabilities

China has developed a new capability using artificial intelligence to automatically generate images for influence operations in the United States and other democracies. These images aim to mimic U.S. voters across the political spectrum and create controversy along racial, economic, and ideological lines. Microsoft's Threat Analysis Center (MTAC) has observed China-affiliated actors using AI-generated visual media in campaigns that focus on politically divisive topics and denigrate U.S. political figures and symbols.

New Python Variant of Chaes Malware Targets Banking and Logistics Industries

Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes. ‘It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol,’ Morphisec said in a new detailed technical write-up shared with The Hacker News.

New BLISTER Malware Update Fueling Stealthy Network Infiltration

An updated version of a malware loader known as BLISTER is being used as part of SocGholish infection chains to distribute an open-source command-and-control (C2) framework called Mythic. ‘New BLISTER update includes keying feature that allows for precise targeting of victim networks and lowers exposure within VM/sandbox environments,’ Elastic Security Labs researchers Salim Bitam and Daniel Stepanic said in a technical report published late last month.

W3ll Phishing Kit Hijacks Thousands of Microsoft 365 Accounts, Bypasses MFA

An entity identified as W3LL created a phishing toolkit capable of evading multi-factor authentication and employed various tools to compromise over 8,000 corporate Microsoft 365 accounts. Over the course of ten months, security experts detected the utilization of W3LL's resources and infrastructure in the establishment of approximately 850 phishing campaigns, targeting login credentials for more than 56,000 Microsoft 365 accounts.

Smishing Triad Targeted USPS and US Citizens for Data Theft

The "Smishing Triad" cybercriminal group, believed to be Chinese-speaking, has been targeting individuals worldwide through a package tracking text scam sent via iMessage. Impersonating various postal services and government agencies, including the Royal Mail, New Zealand Postal Service, Correos, Postnord, Poste Italiane, and the Italian Revenue Service, the group aims to collect personal and payment information for identity theft and credit card fraud.

APT28 Cyberattack: Msedge as a Bootloader, TOR, and Mockbin[.]org/Website[.]hook Services as a Control Center

The government computer emergency response team of Ukraine, CERT-UA, recorded a targeted cyber attack against a critical energy infrastructure facility in Ukraine. To implement the malicious plan, an e-mail message with a fake sender address and a link to an archive, for example, "photo.zip", was distributed. Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file "weblinks.cmd" to the victim's computer.

MITRE and CISA Release OT Attack Emulation Tool

A new open source tool designed to emulate cyber-attacks against operational technology (OT) has been released by MITRE and the US Cybersecurity and Infrastructure Security Agency (CISA). MITRE Caldera for OT is now publicly available as an extension to the open-source Caldera platform on GitHub.

Exploit released for critical VMware SSH auth bypass vulnerability

Summoning Team’s Sina Kheirkhah recently published proof-of-concept exploit code for a critical SSH authentication bypass vulnerability in VMware’s Aria Operations for Networks analysis tool. Tracked as CVE-2023-34039, the vulnerability can be exploited by remote attackers to bypass SSH authentication on unpatched appliances and access the tool’s command line interface.

German financial agency site disrupted by DDoS attack since Friday

The German Federal Financial Supervisory Authority (BaFin) announced today that an ongoing distributed denial-of-service (DDoS) attack has been impacting its website since Friday. BaFin is Germany’s financial regulatory authority, part of the Federal Ministry of Finance, responsible for supervising 2,700 banks, 800 financial, and 700 insurance service providers.

Hackers Exploit MinIO Storage System to Breach Corporate Networks

Two recent vulnerabilities in MinIO have been exploited by threat actors to breach object storage systems. This access allows the actors to view private information, execute arbitrary code, and potentially take over servers. MinIO is an open-source storage service that is compatible with various cloud containers including Amazon S3.

Okta: Hackers Target IT Help Desks to Gain Super Admin, Disable MFA

Researchers at Okta issued a warning regarding social engineering attacks directed at IT service desk agents serving U.S.-based clients. The aim of these attacks was to deceive these agents into resetting multi-factor authentication (MFA) for users with elevated privileges. The attackers' ultimate objective was to gain control of Okta Super Administrator accounts, which have extensive privileges. This access would enable them to exploit identity federation functionalities, permitting impersonation of users within the compromised organization.

North Korean Hackers Behind Malicious VMConnect PyPI Campaign

North Korean state-sponsored hackers are behind the VMConnect campaign that uploaded malicious packages to the PyPI (Python Package Index) repository, one of them mimicking the VMware vSphere connector module vConnector. The packages were uploaded at the beginning of August, with one named VMConnect targeting IT professionals seeking virtualization tools.

WordPress Migration Add-on Flaw Could Lead to Data Breaches

Researchers found a vulnerability in the widely-used plugin All-in-One WP Migration, employed for migrating WordPress sites, which has an active user base of 5 million. This vulnerability involves unauthorized manipulation of access tokens, potentially granting attackers access to sensitive site data. All-in-One WP Migration is a user-friendly tool tailored for WordPress site migration.

Paramount Discloses Data Breach Following Security Incident

American entertainment giant Paramount Global disclosed a data breach after its systems got hacked and attackers gained access to personally identifiable information (PII). Paramount said in breach notification letters signed by Nickelodeon Animation Studio EVP Brian Keane sent to affected individuals that the attackers had access to its systems between May and June 2023.

Cisco VPNs with No MFA Enabled Hit by Ransomware Groups

Since March 2023 (and possibly even earlier), affiliates of the Akira and LockBit ransomware operators have been breaching organizations via Cisco ASA SSL VPN appliances. “In some cases, adversaries have conducted credential stuffing attacks that leveraged weak or default passwords; in others, the activity we’ve observed appears to be the result of targeted brute-force attacks on ASA appliances where multi-factor authentication (MFA) was either not enabled or was not enforced for all users (i.e., via MFA bypass groups),” Rapid7 researchers said on Tuesday.

How to Prevent ChatGPT From Stealing Your Content & Traffic

ChatGPT and similar large language models (LLMs) have added further complexity to the ever-growing online threat landscape. Cybercriminals no longer need advanced coding skills to execute fraud and other damaging attacks against online businesses and customers, thanks to bots-as-a-service, residential proxies, CAPTCHA farms, and other easily accessible tools.

Easy-to-Exploit Skype Vulnerability Reveals Users’ IP Address

A vulnerability in Skype mobile apps can be exploited by attackers to discover a user’s IP address – a piece of information that may endanger individuals whose physical security depends on their general location remaining secret. The security vulnerability has been discovered by a security researcher named Yossi, who privately reported it to Microsoft and demonstrated its effective exploitation to journalist Joseph Cox.

Spain Warns of LockBit Locker Ransomware Phishing Attacks

The Spanish National Police has issued an alert about an active ransomware campaign known as 'LockBit Locker,' which is currently targeting architecture firms in the country using phishing emails. According to the translated police statement, a series of emails have been identified as being sent to architecture companies.

Four in Five Cyber-Attacks Powered by Just Three Malware Loaders

Researchers from ReliaQuest found that cybercriminals relied primarily on seven different malware loaders to carry out attacks in the first half of 2023. QakBot, SocGholish, and Raspberry Robin were the most commonly used loaders, accounting for roughly 80% of all intrusions. GootLoader, ChromeLoader, Guloader, and Ursnif were also commonly seen.

MalDoc in PDFs: Hiding Malicious Word Docs in PDF Files

Japan's computer emergency response team (JPCERT) is sharing a new 'MalDoc in PDF' attack detected in July 2023 that bypasses detection by embedding malicious Word files into PDFs. The file sampled by JPCERT is a polyglot recognized by most scanning engines and tools as a PDF, yet office applications can open it as a regular Word document (.doc). Polyglots are files that contain two distinct file formats that can be interpreted and executed as more than one file type, depending on the application reading/opening them.

Microsoft: Stealthy Flax Typhoon Hackers Use Lolbins to Evade Detection

Microsoft has detected a new hacking collective referred to as Flax Typhoon. This group focuses on government bodies, educational institutions, vital manufacturing units, and IT organizations, presumably with the aim of espionage. The attackers avoid heavy usage of malware for infiltrating and controlling victim networks. Instead, they opt for utilizing existing components within the operating system, often referred to as living-off-the-land binaries (LOLBins), along with legitimate software.

KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities

An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface. ‘The binary now includes support for Telnet scanning and support for more CPU architectures,’ Akamai security researcher Larry W. Cashdollar said in an analysis published this month. The latest iteration, observed since July 16, 2023, comes months after it emerged that the botnet is being offered as a DDoS-for-hire service to other threat actors.

Rhysida Claims Ransomware Attack On Prospect Medical, Threatens to Sell Data

The Rhysida ransomware group recently claimed responsibility for a cyberattack targeting Prospect Medical Holdings, a US healthcare company operating 16 hospitals in California, Connecticut, Pennsylvania, and Rhode Island and a network of 166 outpatient clinics and centers. The attack allegedly took place on August 3rd, with employees finding ransom notes on their systems stating that their network was hacked and devices had been encrypted. Due to the attack, the hospitals were forced to shut down their IT networks to mitigate the impact, causing employees to use paper charts.

Poland’s Authorities Investigate a Hacking Attack on Country’s Railways

Poland's Internal Security Agency (ABW) and national police are investigating a hacking attack on the country's state railway network. The attack disrupted railway traffic overnight and triggered an emergency status that stopped trains near the city of Szczecin. The attack is suspected to be part of broader destabilization efforts by Russia, possibly in conjunction with Belarus.

New Study Sheds Light on Adhubllka Ransomware Network

Cybersecurity experts have revealed an intricate network of interconnected ransomware types that all stem from a shared origin: the Adhubllka ransomware group. Netenrich, a cybersecurity firm, conducted a study exploring the lineage of various ransomware versions, such as LOLKEK, BIT, OBZ, U2K, and TZW. The researchers discovered significant resemblances in code, tactics, and infrastructure among these apparently distinct ransomware types. By tracking the evolution of these variants, the experts established a genealogical link connecting them to the original Adhubllka ransomware, which emerged in January 2020.

New Telegram Bot "Telekopye" Powering Large-scale Phishing Scams from Russia

A new financially motivated operation is leveraging a malicious Telegram bot to help threat actors scam their victims. Dubbed Telekopye, a portmanteau of Telegram and kopye (meaning "spear" in Russian), the toolkit functions as an automated means to create a phishing web page from a premade template and send the URL to potential victims, codenamed Mammoths by the criminals.

Jupiter X Core WordPress plugin could let hackers hijack sites

WordPress security company Patchstack discovered two critical vulnerabilities affecting Jupiter X Core, a premium visual editor plugin for setting up WordPress and WooCommerce websites. The first flaw, tracked as CVE-2023-38388, allows unauthenticated threat actors to upload files, which could lead to arbitrary code execution on the server.

Whiffy Recon Malware: New Threat Analysis and Insights

Researchers from Secureworks Counter Threat Unit (CTU) have identified a new Wi-Fi scanning malware named Whiffy Recon, which has been dropped by the Smoke Loader botnet. This malicious code employs nearby Wi-Fi access points as reference points for Google's geolocation API to triangulate the positions of infected systems.

Ransomware Hackers' Dwell Time Drops to 5 Days, RDP Still Widely Used

Ransomware threat actors are reducing the time they spend within compromised networks before being detected by security solutions. In the first half of this year, the median dwell time for these hackers decreased to five days from nine days in 2022. However, the overall median dwell time for all cyberattacks dropped to eight days from ten in 2022, indicating a general trend of quicker detection. Ransomware attacks constituted nearly 69% of all recorded cyberattacks during this period.

FBI Identifies Wallets Holding Cryptocurrency Funds Stolen by North Korea

The FBI in the United States issued a cautionary notice regarding the potential efforts of threat actors associated with North Korea to convert pilfered cryptocurrency, totaling over $40 million in value. In a disclosure, the Federal Bureau of Investigation outlined the actions of six cryptocurrency wallets operated by entities connected to North Korea. These wallets possess approximately 1,580 Bitcoin, equivalent to around $41 million based on current valuations. Authorities suspect these funds are connected to the recent heist of a substantial sum of cryptocurrency, amounting to hundreds of millions of dollars.

Russian Toolkit Aims to Make Online Scamming Easy for Anyone

A toolkit possibly developed by Russian individuals, known as Telekopye to security experts, aims to let fraudsters focus on refining their social engineering skills, freeing them from the technical aspects of online scams. Eset researchers uncovered a tool they named Telekopye, derived from the combination of "Telegram" and "kopye," the Russian word for spear.

Over 3,000 Openfire Servers Vulnerable to Takeover Attacks

Thousands of Openfire servers remain vulnerable to CVE-2023-32315, an actively exploited path traversal vulnerability that allows an unauthenticated user to create new admin accounts. Openfire is a widely used Java-based open-source chat (XMPP) server that has been downloaded 9 million times. On May 23, 2023, it was disclosed that the software was impacted by an authentication bypass issue affecting every version from 3.10.0, released in April 2015, up to that point.

Hosting Firm Says it Lost All Customer Data After Ransomware Attack

Danish hosting firms CloudNordic and AzeroCloud recently disclosed that they suffered a ransomware attack, causing the firms to lose a majority of customer data and shut down all systems, including websites, emails, and customer sites. Since the attack took place last Friday, IT teams have only managed to restore some of the servers without any data, with CloudNordic stating that the restoration process isn't going smoothly and that much of their customers' data appears irrecoverable.

FBI: Patches for Recent Barracuda ESG Zero-Day Ineffective

The Barracuda Email Security Gateway (ESG) vulnerability, identified as CVE-2023-2868, has been exploited by a Chinese state-sponsored cyberespionage group named UNC4841. This vulnerability affects Barracuda ESG versions 5.1.3.001 to 9.2.0.006, enabling attackers to perform command injections via specially crafted TAR file attachments in emails. Despite Barracuda's patch release in May 2023, the FBI has found that the patches are ineffective, and the vulnerability remains actively exploited.

A North Korean State-Backed Hacking Group Leveraged Zoho's ManageEngine ServiceDesk for Compromise

The North Korean state-backed hacker group Lazarus has been exploiting a critical vulnerability (CVE-2022-47966) in Zoho's ManageEngine ServiceDesk software to compromise an internet backbone infrastructure provider and healthcare organizations. This campaign began in early 2023, targeting entities in the U.S. and U.K. The attackers employed the QuiteRAT malware and a newly identified remote access trojan (RAT) named CollectionRAT. The latter was discovered through the analysis of the group's infrastructure.

Scarab Ransomware Deployed Worldwide Via Spacecolon Toolset

ESET researchers found the Spacecolon toolkit spreading Scarab ransomware across organizations worldwide. It exploits weak web servers or RDP credentials for initial access, and Turkish-language elements hint at a Turkish-speaking developer. Spacecolon dates back to May 2020, with ongoing campaigns and a recent May 2023 build. ESET hasn't linked it to any known group and is tracking the operator as "CosmicBeetle".

Akira Ransomware Targets Cisco VPNs to Breach Organizations

There's mounting evidence that Akira ransomware targets Cisco VPN (virtual private network) products as an attack vector to breach corporate networks, steal, and eventually encrypt data. Akira ransomware is a relatively new ransomware operation launched in March 2023, with the group later adding a Linux encryptor to target VMware ESXi virtual machines.

WinRAR Zero-Day Exploited Since April to Hack Trading Accounts

According to Group-IB, a WinRAR zero-day vulnerability was actively exploited to install malware when a user clicked on seemingly harmless files in an archive, allowing hackers to breach online cryptocurrency trading accounts. Tracked as CVE-2023-38831, the vulnerability is triggered by specially crafted archives with a slightly modified structure compared to benign files, which causes WinRAR's ShellExecute function to receive an incorrect parameter when it attempts to open the decoy file.

Scraped Data of 2.6 Million Duolingo Users Released on Hacking Forum

The scraped data of 2.6 million Duolingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks using the exposed information. Duolingo is one of the largest language learning sites in the world, with over 74 million monthly users worldwide. In January 2023, someone was selling the scraped data of 2.6 million Duolingo users on the now-defunct Breached hacking forum for $1,500. This data includes a mixture of public login names and real names, and non-public information, including email addresses and internal information related to the Duolingo service.

Ivanti Warns of New Actively Exploited MobileIron Zero-Day Bug

US-based software company Ivanti has issued a warning to its customers about ongoing exploitation of a critical Sentry API authentication bypass vulnerability. The vulnerability affects Ivanti Sentry, which serves as a gatekeeper for enterprise ActiveSync and SharePoint servers, as well as a Kerberos Key Distribution Center Proxy server. The cybersecurity firm Mnemonic discovered the vulnerability (CVE-2023-38035), which allows unauthorized attackers to access sensitive admin portal configuration APIs through port 8443, used by the MobileIron Configuration Service (MICS).

Carderbee Hacking Group Hits Hong Kong Orgs in Supply Chain Attack

A previously undisclosed Advanced Persistent Threat (APT) hacking collective known as 'Carderbee' has been detected launching attacks on various institutions in Hong Kong and other parts of Asia. This group abuses legitimate software to infect victims' machines with the PlugX malware. According to findings from Symantec, the legitimate software involved in this supply chain breach is Cobra DocGuard, developed by the Chinese company 'EsafeNet.' This software is typically used in security applications for tasks like data encryption and decryption.