Something to Remember Us By: Device Confiscated by Russian Authorities

According to Citizen Lab, a concerning incident has surfaced where devices confiscated by Russian authorities were returned to their owners with Monokle-type spyware installed. Monokle, a highly advanced spyware tool, is capable of extracting sensitive data such as contact lists, messages, and login credentials, while also intercepting communications and remotely activating device cameras and microphones.

U.S. Offered $10M for Hacker Just Arrested by Russia

Mikhail Matveev, known in the cybercriminal world by the aliases "Wazawaka" and "Boriselcin," has been a prominent figure in several ransomware groups responsible for extorting hundreds of millions of dollars from various sectors, including healthcare, education, government agencies, and private enterprises.

Google Deindexes Chinese Propaganda Network

Google has uncovered a sophisticated pro-China influence network operated by four public relations firms, collectively tracked as "GlassBridge." Active since at least 2022, this network has leveraged deceptive online tactics to spread Chinese state narratives to international audiences.

Zero Day Social Media and One Drive Phish

In November, we observed an increase in spear phishing attempts clicked by our user base using discreet redirect tactics. However, this report will focus on a rise in social media phishing, specifically aimed at Instagram accounts.

Zero Day Social Media and One Drive Phish

In November, we observed an increase in spear phishing attempts clicked by our user base using discreet redirect tactics. However, this report will focus on a rise in social media phishing, specifically aimed at Instagram accounts. Here are some examples and highlights.

Forti-fied? Logging Blind Spot Revealed in FortiClient VPN

While creating an automatic credential validation system for Fortinet VPN, Pentera says it uncovered a bug that actors can exploit to potentially compromise the security of dozens of organizations. Initially, to automate the validation of credentials, Pentera attempted to use clients like OpenConnect to establish a connection, but this approach proved unreliable.

New 'Helldown' Ransomware Variant Expands Attacks to VMware and Linux Systems

Helldown, a ransomware strain derived from the leaked LockBit 3.0 codebase, has been expanding its operations, with researchers recently identifying a Linux variant. This development indicates the group's growing focus on targeting virtualized infrastructures, such as VMware. First documented in August 2024, Helldown has been described as an aggressive ransomware group targeting sectors like IT services, telecommunications, manufacturing, and healthcare.

Security Brief: ClickFix Social Engineering Technique Floods Threat Landscape

Proofpoint has observed a significant rise in the use of the ClickFix social engineering technique, a deceptive method that tricks users into executing malicious PowerShell commands. Initially linked to campaigns by TA571 and the ClearFake threat cluster, the technique has now become a favorite across multiple financially motivated and espionage-focused threat actors.

Sitting Ducks DNS Attacks Put Global Domains at Risk

Over 1 million domains have been identified as potentially vulnerable to "Sitting Ducks" attacks, a cyber threat that exploits DNS misconfigurations, particularly lame delegation. This misconfiguration occurs when domains mistakenly point to incorrect authoritative name servers, allowing attackers to hijack domains.

5G Network AI Models: Threats and Mitigations

Modern communications networks, particularly those driven by 5G technology, are increasingly relying on Artificial Intelligence (AI) to boost performance, improve reliability, and ensure security. As these networks evolve, AI plays an essential role in real-time data processing, predictive maintenance, and optimizing traffic management.

Threats in Space (or rather, on Earth): Internet-exposed GNSS Receivers

Global Navigation Satellite Systems (GNSS), which include the U.S. GPS, Russian GLONASS, European Galileo, Chinese BeiDou, Indian NavIC, and Japanese Quazi-Zenith, serve as critical infrastructure providing essential positioning, navigation, and timing (PNT) services for a wide array of industries such as telecommunications, agriculture, finance, banking, transportation, and mobile communications.

Palo Alto Networks Firewalls, Expedition Under Attack

On November 14, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed active exploitation of two critical vulnerabilities in Palo Alto Networks' Expedition firewall configuration migration tool: CVE-2024-9463 and CVE-2024-9465. These vulnerabilities, with CVSS scores of 9.9 and 9.3 respectively, pose significant risks to affected systems.

Strela Stealer: Today's Invoice Is Tomorrow's Phish

In November 2024, IBM X-Force observed an ongoing Hive0145 campaign targeting Europe, specifically Spain, Germany, and Ukraine using Strela Stealer malware, a credential-theft tool delivered through highly tailored phishing emails. These emails, posing as legitimate invoice notifications, utilize previously compromised email credentials to blend seamlessly into legitimate email traffic.

GoIssue – The Tool Behind Recent GitHub Phishing Attacks

SlashNext researchers recently uncovered a new phishing tool called GoIssue, which allows threat actors to extract email addresses from GitHub profiles and send bulk emails to users. Advertised on cybercriminal forums, GoIssue is priced at $700 for a custom build or $3,000 for full source code access.

Phishing by Design: Two-Step Attacks Using Microsoft Visio Files

Perception Point researchers published a blog post on November 11, 2024, regarding an observed dramatic increase in two-step phishing attacks targeting hundreds of organizations by leveraging Microsoft Visio's .vsdx files. By weaponizing .vsdx files rarely used in phishing attacks, the adversary exploits user trust in the reputation of Microsoft and concurrently adds a new layer of deception designed to evade detection.

Lazarus Group Uses Extended Attributes for Code Smuggling in macOS

According to a recent report by Group-IB, the Lazarus APT group has started attempting to smuggle code utilizing custom extended attributes, which are metadata associated with files and folders in various file systems. Extended attributes allow users to store additional information beyond standard metadata like file size, timestamps, and permissions.

U.S. Agency Cautions Employees to Limit Phone Use Due to Salt Typhoon Hack of Telco Providers

The US government's Consumer Financial Protection Bureau (CFPB) has advised employees to avoid using cellphones for work after China-linked APT group Salt Typhoon breached major telecom providers. The CFPB, established in 2011 to protect consumers in the financial sector and promote fair, transparent markets, issued a directive urging employees to limit phone use and rely on Microsoft Teams and Cisco WebEx for meetings involving nonpublic data.

New Citrix Zero-Day Vulnerability Allows Remote Code Execution

Researchers at WatchTowr have disclosed new vulnerabilities in Citrix Virtual Apps and Desktops, particularly affecting the Session Recording component, which administrators use to monitor and record user sessions. These security flaws could potentially allow unauthenticated remote code execution, presenting a serious threat to affected systems.

New Ymir Ransomware Partners With RustyStealer in Attacks

Ymir, a relatively new ransomware family, has been observed by researchers at Kaspersky encrypting systems that were previously compromised by RustyStealer, an infostealer malware first documented in 2021. Ymir ransomware initiated operations in July 2024 and is known for its in-memory execution, use of PDF files as ransom notes, and extension configuration options.

New Campaign Uses Remcos RAT to Exploit Victims

Fortinet's FortiGuard Labs recently identified a phishing campaign delivering a new Remcos RAT variant through a malicious Excel document attached to a phishing email. The attack starts with a convincing email that includes the Excel file, disguised as an order form to lure the recipient into opening it.

Dark Web Profile: CosmicBeetle "NoName" Ransomware

CosmicBeetle, also known as NoName, is a ransomware-as-a-service (RaaS) operation that has been active since 2020. This group is known for exploiting known vulnerabilities, such as EternalBlue (CVE-2017-0144), and the Zerologon vulnerability (CVE-2020-1472) to infiltrate systems.

New Android Banking Malware 'ToxicPanda' Targets Users with Fraudulent Money Transfers

Cleafy's Threat Intelligence team witnessed a significant spike in malicious activity utilizing a new Android malware sample in late October 2024. Initially classified as TgToxic malware, this malware sample was further analyzed and although it has similar bot commands with TgToxic, the code differs greatly in that many TgToxic capabilities are absent and some commands act as placeholders for unimplemented modules, leading Cleafy to classify this malware as a new family called ToxicPanda.

GoZone Ransomware Accuses and Threatens Victims

The GoZone ransomware, a new strain identified by SonicWall researchers, targets victims with a relatively low ransom demand of $1,000 in Bitcoin for file decryption. Written in Go, it employs Chacha20 and RSA algorithms to encrypt files, appending a ".d3prU" extension to signal compromise.

Massive PSAUX Ransomware Attack Targets 22,000 CyberPanel Instances

A critical Remote Code Execution vulnerability in CyberPanel exposed over 22,000 instances online, leading to a large-scale PSAUX ransomware attack that took most affected servers offline. This vulnerability affects CyberPanel versions 2.3.6 and likely 2.3.7 and includes three significant flaws: defective authentication, command injection, and a security filter bypass.

Malvertising Campaign Hijacks Facebook Accounts to Spread SYS01stealer Malware

This is a sophisticated campaign with a large scope and it utilizes the commonly used Facebook software as an avenue for initial access. The TA has the infrastructure to impersonate ads for essentially any commonly used software. This malware has the capability to evade AV detection. The possibility of legitimate business accounts being utilized to propagate the malware further, highlights the severity of the threat.

ReliaQuest Uncovers New Black Basta Social Engineering Technique

Researchers at ReliaQuest have uncovered a new social engineering technique employed by Black Basta ransomware actors to gain an initial foothold into victim environments. Previously, these actors would overwhelm users with email spam, prompting recipients to create a legitimate help-desk ticket to resolve the issue. From here, Black Basta operators would then contact the end user, posing as the help desk to respond to the ticket. I

Redline, Meta Infostealer Malware Operations Seized by Police

The Dutch National Police, in coordination with the FBI and other international agencies, have dismantled the network infrastructure supporting the Redline and Meta infostealer malware operations in an effort known as "Operation Magnus." This disruption serves as a direct warning to cybercriminals that their data is now in the hands of law enforcement.

LinkedIn Bots and Spear Phishers Target Job Seekers

LinkedIn, Microsoft's professional social network, serves as a vital hub for job recruiters and seekers. Unfortunately, it's also becoming a fertile ground for cybercriminals targeting unsuspecting users. Like other social platforms, LinkedIn is rife with bots that respond to specific keywords or hashtags such as "I was laid off" or "#opentowork."

AWS's Predictable Bucket Names Make Accounts Easier to Crack

In June 2024, Aqua Security discovered a security vulnerability in the AWS Cloud Development Kit (CDK), an open-source tool for building cloud infrastructure. This vulnerability could potentially allow attackers to gain administrative access to a target AWS account, allowing account hijacking for executing malicious code.

Amazon Identified Internet Domains Abused by APT29

Amazon recently seized domains used by APT 29, a Russian state-backed actor, in a mass email phishing campaign targeting government agencies, enterprises, and militaries. The campaign which was initially identified and disclosed by Ukraine's Computer Emergency Team (CERT-UA),

LinkedIn Bots and Spear Phishers Target Job Seekers

LinkedIn, Microsoft's professional social network, serves as a vital hub for job recruiters and seekers. Unfortunately, it's also becoming a fertile ground for cybercriminals targeting unsuspecting users. Like other social platforms, LinkedIn is rife with bots that respond to specific keywords or hashtags such as "I was laid off" or "#opentowork."

Scattered Spider x RansomHub: A New Partnership

In October 2024, a significant cybersecurity event involving a manufacturing firm was analyzed by ReliaQuest. The investigation attributed the breach to a group called "Scattered Spider," a collective of English-speaking cybercriminals connected to the ransomware organization "RansomHub."

Embargo Ransomware: Rock'n'Rust

In June 2024, ESET researchers identified a new ransomware group, Embargo, utilizing a Rust-based toolkit for its operations. The toolkit consists of MDeployer, a loader, and MS4Killer, an EDR killer. Both tools are designed to facilitate the deployment and execution of the Embargo ransomware.

Akira Ransomware Continues to Evolve

A new blog post by Cisco Talos shed light on the activities of Akira ransomware, noting that the group is actively creating new variants of its encryptor and refining its TTPs to adapt to shifts in the threat landscape. In 2023 Akira typically employed a double-extortion tactic where victim data was exfiltrated before encryption.

Threat Actor Abuses Gophish to Deliver New PowerRAT and DcRAT

Cisco Talos recently uncovered a phishing campaign leveraging the open-source Gophish toolkit, executed by an unknown threat actor. The campaign utilizes modular infection chains, either via malicious documents (Maldoc) or HTML files containing JavaScript, which lead to the deployment of two Remote Access Trojans (RATs): PowerRAT, a newly identified PowerShell-based RAT, and DCRAT, a widely recognized malware.

Hackers Advertise Stolen Verizon Push-to-Talk 'Call Logs'

Cybercriminals have compromised a third-party provider linked to Verizon's Push-to-Talk systems, a service used by government agencies, first responders, and enterprises for secure internal communication. This breach, advertised on a Russian-language cybercrime forum, does not impact Verizon's core consumer network but reveals significant vulnerabilities in telecoms' security practices.

Latrodectus Malware Increasingly Used by Cybercriminals

ForcePoint has observed an increase in the use of Latrodectus malware by cybercriminals in attacks targeting the financial, automotive, and healthcare sectors. For its part, Latrodectus is a malware downloader that has been around since October 2023. The strain is believed to be developed by LunarSpider, a threat actor who developed the notorious IceID trojan, which has been used by dozens of malware families for distribution purposes.

Attackers Target Exposed Docker Remote API Servers With perfctl Malware

Attackers are exploiting exposed Docker Remote API servers to deploy the perfctl malware, utilizing a structured attack flow that begins with probing the vulnerable server and ends with payload execution and persistence. The attack starts with the attacker identifying an exposed Docker Remote API server through a ping request. Once the server is located, the attacker creates a Docker container using the ubuntu image.

VMware Fixes Bad Patch for Critical vCenter Server RCE Flaw

VMware has released a new security update for CVE-2024-38812, a critical remote code execution (RCE) vulnerability in VMware vCenter Server that wasn't fully addressed by the initial patch in September 2024. The flaw, with a CVSS score of 9.8, stems from a heap overflow issue in the DCE/RPC protocol, affecting vCenter Server and related products like vSphere and Cloud Foundation. It can be exploited without user interaction through specially crafted network packets.

ESET Partner Breached to Send Data Wipers to Israeli Orgs

Last Friday, ESET announced on X (formerly known as Twitter) that it is aware of a security incident that affected its partner company in Israel. Notably, a phishing campaign initiating on October 8th was observed, where emails branded with ESET's logo were sent from eset[.]co[.]il, a legitimate domain that is operated by ESET's Israel distributor, Comsecure.

macOS HM Surf Vuln Might Already Be Under Exploit by Major Malware Family

Microsoft has urged all macOS users to update their systems due to a vulnerability (CVE-2024-44133, CVSS 5.5) patched in the September macOS Sequoia updates. The flaw may be exploited by the Adloader macOS malware family. It targets Apple's Transparency, Consent, and Control (TCC) protections, potentially allowing unauthorized access to a device's camera, microphone, and location.

ClickFix Tactic: The Phantom Meet

Researchers at Sekoia have shed light on a new social engineering tactic called ClickFix, which involves displaying fake error messages in web browsers to trick users into copying and executing malicious PowerShell code to infect targeted systems. In the last couple of months, ClickFix has been used to distribute Windows and macOS infostealers, botnets, and remote access tools.

macOS Vulnerability Could Expose User Data, Microsoft Warns

Microsoft has identified a vulnerability in macOS, named "HM Surf," that enables attackers to bypass the system's Transparency, Consent, and Control technology, which is responsible for managing user permissions for accessing sensitive data. This flaw, tracked as CVE-2024-44133, allows attackers to gain unauthorized access to user data, including browsing history, camera, microphone, and location.

Exploiting Session Fixation via Stored XSS and Cookie Jar Overflow Attack

The pentester encountered a session fixation vulnerability in a PHP web application, but knew it might not be taken seriously on its own. To demonstrate its severity, they combined it with an existing XSS vulnerability and a lesser-known technique called the Cookie Jar Overflow Attack. This combination allowed them to show how an attacker could bypass security measures and hijack user sessions.

Analysis of the Crypt Ghouls Group: Continuing the Investigation into a Series of Attacks on Russia

In December, a new ransomware group targeting Russian businesses and government agencies was identified, dubbed “Crypt Ghouls.” Investigation revealed connections to other cybercriminal groups through shared tactics, tools, and infrastructure. The group employs a variety of utilities, including Mimikatz and LockBit 3.0 for ransomware attacks, utilizing compromised contractor credentials to gain access via VPN.

North Korea Escalates Fake IT Worker Schemes to Extort Employers

Secureworks Counter Threat Unit researchers have identified evolving tactics in fraudulent employment schemes involving North Korean IT workers, linked to the NICKEL TAPESTRY threat group. These schemes involve North Korean nationals using stolen or falsified identities to secure employment at Western companies, including those in the U.S., UK, and Australia.

RansomHub Overtakes LockBit as Most Prolific Ransomware Group

According to Symantec's new report, Ransomware: Threat Level Remains High in Third Quarter, ransomware continues to be a growing threat in the cyber landscape, with Symantec observing 1,255 ransomware attacks in the third quarter of 2024. One of the biggest developments observed by Symantec in Q3 of 2024 was a decline in LockBit activity, a previously dominant player in the ransomware ecosystem.

Cronus: Ransomware Threatening Bodily Harm

Cronus is a sophisticated ransomware strain developed using .NET technology, first reported by Seqrite. This analysis arose from the discovery of a malicious document presented as a PayPal invoice, which was submitted to VirusTotal. The investigation outlines the ransomware's method of file encryption, its persistence mechanisms, and a detailed examination of its ransom note.

North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware

North Korean threat actor ScarCruft, also known as TA-RedAnt, APT37, and several other aliases, has been linked to the exploitation of a now-patched zero-day vulnerability in Windows, identified as CVE-2024-38178 (CVSS score: 7.5). This flaw, a memory corruption issue in the Windows Scripting Engine, allowed remote code execution when using Microsoft Edge in Internet Explorer Mode. Microsoft patched the vulnerability as part of its August 2024 Patch Tuesday updates.

Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data

A newly discovered Golang ransomware variant has been found to abuse Amazon S3's Transfer Acceleration feature to exfiltrate data from victim machines to attacker-controlled S3 buckets. The ransomware samples analyzed contained hardcoded AWS credentials, which were used to create S3 buckets and enable faster data transfers through Amazon's globally distributed CloudFront edge locations.

Iranian Cyber Actors' Brute Force and Credential Access Activity Compromises Critical Infrastructure

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) are releasing this joint Cybersecurity Advisory to warn network defenders of Iranian cyber actors' use of brute force and other techniques to compromise organizations across multiple critical infrastructure sectors, including the healthcare and public health (HPH), government, information technology, engineering, and energy sectors.

LLMs Are a New Type of Insider Adversary

Security teams are increasingly recognizing large language models (LLMs) as vital business tools capable of automating various tasks, thereby allowing employees to focus on more strategic functions and potentially providing a competitive advantage.

Tax Extension Malware Campaign: Threat Actors Target GitHub Comment Section to Bypass SEG

Cofense has shared insights on a phishing campaign it detected earlier this year, where actors were observed using GitHub links to bypass email security gateways and distribute malware. These links were generated through the submission of GitHub comments, which can be added to the source code repository and may include but are not limited to proposed changes, more information from a user on an issue, or documentation.

Attackers Deploying Red Teaming Tool for EDR Evasion

Threat actors are exploiting the open-source EDRSilencer tool to bypass endpoint detection and response systems, according to Trend Micro researchers. Originally designed for red teaming, EDRSilencer leverages the Windows Filtering Platform to block EDR communications by identifying and filtering EDR processes, preventing them from sending alerts or telemetry.

Iranian Hackers Now Exploit Windows Flaw to Elevate Privileges

The recent activities of Iranian state-sponsored hacking group APT34, also known as OilRig, have focused on government and critical infrastructure entities in the UAE and Gulf region. Trend Micro researchers identified a new campaign in which OilRig deployed a novel backdoor to target Microsoft Exchange servers for credential theft.

D.C. Memo: 'Cyber Incident' Forces Shutdown of OzarksGo's Linear TV Service

OzarksGo, a fiber ISP based in Fayetteville, Arkansas, experienced a cyber incident on October 7 that specifically targeted the servers responsible for providing linear TV service to approximately 4,500 customers in northwest Arkansas and northeast Oklahoma. Upon discovering the potential issue, the company acted promptly by deactivating the affected equipment and bringing in external experts to assess the situation and mitigate further impact.

Ham Radio Is Alive and Well - And Still a Lifeline in Disasters

Amateur ham radio operators have long served as vital communication links during disasters, providing essential support when conventional systems fail. Despite advancements in technology, these skilled volunteers remain prepared through training and drills, such as the Amateur Radio Emergency Service (ARES) Field Day.

Cybercriminals Are Targeting AI Conversational Platforms

Resecurity has reported a growing trend of attacks on AI conversational platforms, particularly those using Natural Language Processing and Machine Learning to simulate human-like interactions. These platforms, commonly used in industries such as finance, e-commerce, and customer support, enable personalized, automated responses to consumers.

Internet Archive Data Breach Exposes 31 Million Accounts

The Internet Archive, a nonprofit digital library known for providing free access to archived websites and digital materials, has been facing a distributed denial-of-service attack for three consecutive days, severely limiting users' ability to access the site. Alongside this DDoS attack, a data breach was discovered, exposing 31 million user accounts, including email addresses, screen names, and bcrypt-hashed passwords.

MisterioLNK: The Open-Source Builder Behind Malicious Loaders

A new, previously undetected loader builder, dubbed "MisterioLNK," has been identified by Cyble Research and Intelligence Labs (CRIL). This versatile tool, publicly accessible on GitHub, poses a significant threat to security defenses due to its ability to generate loader files that largely evade detection by conventional security systems.

To Deliver Malware, Attackers Use the Phone

There has been a recent increase in actors employing callback phishing to infect unsuspecting victims with malware. Callback phishing, otherwise known as telephone-oriented attack delivery (TOAD), is a hybrid phishing model (a combination of voice and phishing) that aims to take advantage of the trust people often assign to strangers who assume authority over the phone.

New Mamba 2FA Bypass Service Targets Microsoft 365 Accounts

Mamba 2FA is an emerging phishing-as-a-service platform that targets Microsoft 365 accounts through adversary-in-the-middle attacks. It uses highly convincing phishing login pages to steal authentication tokens, bypassing multi-factor authentication protections. Priced at $250 per month, Mamba 2FA is gaining popularity due to its accessibility and effectiveness, positioning it as one of the fastest-growing phishing platforms in the market.

Scammers Hit Florida Hurricane Victims with Fake FEMA Claims, Malware Files

In the wake of Hurricane Helene and the impending arrival of Hurricane Milton on October 9th, 2024, Florida faces another threat: a myriad of cyberattacks targeting vulnerable individuals and organizations. Veriti, a cybersecurity research firm based in Israel, identified three key emerging threats exploiting the chaos and urgency surrounding hurricane relief efforts.

New Generation of Malicious QR Codes Uncovered by Researchers

Summary: Barracuda threat analysts have identified a new wave of QR code phishing attacks, known as "quishing," that employ sophisticated techniques to bypass traditional security measures. These phishing attempts use QR codes generated from text-based ASCII/Unicode characters instead of conventional static images, making them difficult for optical character recognition systems to interpret.

31 New Ransomware Groups Join the Ecosystem in 12 Months

Secureworks' 2024 State of the Threat Report highlights a significant 30% rise in active ransomware groups over the past year, despite extensive law enforcement actions aimed at disrupting these operations. In the last 12 months, 31 new ransomware groups have emerged, shifting the landscape from a few dominant players to a more fragmented ecosystem.

U.S. and Microsoft Seize 107 Russian Domains in Major Cyber Fraud Crackdown

Last week, Microsoft and the U.S. Department of Justice (DOJ) announced that they seized 107 internet domains that were being used by Star Blizzard, a Russian nation-state actor. 66 of these domains were used by Star Blizzard to target over 30 civil society organizations including journalists, think tanks, and non-governmental organizations (NGOs), between January 2023 and August 2024.

Separating the Bee From the Panda: CeranaKeeper Making a Beeline for Thailand

A new China-aligned threat actor, dubbed CeranaKeeper, has been identified targeting governmental institutions in Southeast Asia, primarily Thailand. The group has been active since at least early 2022 and is characterized by its relentless pursuit of data exfiltration. CeranaKeeper leverages a variety of techniques and tools, including custom backdoors, exfiltration tools, and the abuse of legitimate cloud and file-sharing services like DropBox and OneDrive, to achieve its objectives.

Mind the (Air) Gap: GoldenJackal Gooses Government Guardrails

ESET researchers uncovered a sophisticated cyberespionage campaign by the GoldenJackal APT group, targeting governmental and diplomatic entities across Europe and South Asia from 2019 to 2024. The group primarily focused on breaching air-gapped systems—networks isolated from the internet to protect highly sensitive data—using custom tools delivered via USB drives.

Hackers Pose as British Postal Carrier to Deliver Prince Ransomware in Destructive Campaign

A cybersecurity campaign targeting organizations in mid-September, in the U.K. and the U.S., employed Prince Ransomware, a freely available variant advertised on GitHub for educational purposes by developer “SecDbg”. The connection to Prince Ransomware was identified due to the observed sample downloading the same PNG from Imgur, and setting the PNG as the background, exactly as Prince Ransomware does in the configuration example on GitHub.

Python-Based Malware Slithers Into Systems via Legit VS Code

A sophisticated cyberattack targeting organizations worldwide has been uncovered by Cyble Research and Intelligence Labs (CRIL). The threat actor (TA) employed a multi-stage attack, utilizing legitimate tools such as Visual Studio Code (VS Code) and GitHub to gain unauthorized remote access to victims' machines. The attack chain's initial access is achieved through a malicious .LNK file, disguised as a legitimate setup file, which is potentially delivered to victims through spam or phishing emails.

New MedusaLocker Ransomware Variant Deployed by Threat Actor

Researchers at Cisco Talos have uncovered a financially motivated threat actor deploying a new MedusaLocker ransomware variant, dubbed “BabyLockerKZ.” First observed in late 2023, this variant distinguishes itself from the original MedusaLocker by using unique autorun keys and an additional public-private key set stored in the registry. Despite these differences, BabyLockerKZ utilizes the same chat and leak site URLs as its predecessor, marking its first identification as a MedusaLocker variant.

Crypto Scam App Disguised as WalletConnect Steals $70K in Five-Month Campaign

Check Point Research uncovered a recent mobile malware campaign exclusively targeting cryptocurrency users through a malicious Android app disguised as the legitimate WalletConnect protocol, taking advantage of its trusted name. This fake app, identified by Check Point, employed various evasion techniques including BASE64 encoding and encryption to avoid detection, deceive users, and steal their crypto assets. It achieved high visibility in Google Play Store search results through fake reviews and consistent branding, leading to over 10,000 downloads. Another malware app identified by Check Point exhibits similar features and achieved more than 5,000 downloads. Once the fake app is installed, it checks if the user isn't on a desktop, taking users to a legitimate website if they are, and then drops the MS Drainer and prompts the user to sign several transactions. The information is transmitted to a C2 server and it sends commands to MS Drainer to transfer funds to the attacker's wallet. This campaign is notable because it represents the first instance of a cryptocurrency drainer focusing exclusively on mobile device users. While the exact number of victims is unknown, over 150 users are estimated to have lost funds.

Detecting CUPS Exploits: Critical Security Vulnerabilities in Linux and Unix Systems Allow Remote Co

In a recent development, researchers identified significant security vulnerabilities within the OpenPrinting Common Unix Printing System (CUPS), which is a crucial component in many Linux environments. These vulnerabilities could enable attackers to execute arbitrary code remotely, potentially compromising the integrity of affected systems. Given the widespread use of CUPS in personal and enterprise settings, this poses a substantial threat to printing and document-handling workflows, highlighting the need for immediate attention from cybersecurity professionals.

New Cryptojacking Attack Targets Docker API to Create Malicious Swarm Botnet

A recent discovery by Datadog Security Research has unveiled a new cryptojacking campaign targeting Docker and Kubernetes, two widely used platforms for containerized development. The attackers exploit vulnerable Docker Engine APIs exposed to the internet to deploy a cryptocurrency miner on compromised containers. The campaign then utilizes additional malicious scripts to achieve lateral movement across the network, compromising other Docker hosts, Kubernetes deployments, and even SSH servers.

Police Arrest Four Suspects Linked to LockBit

Law enforcement from 12 countries arrested four suspects tied to the LockBit ransomware gang, including a developer, a bulletproof hosting administrator, and two individuals linked to LockBit activities. These arrests were part of Operation Cronos, a global crackdown led by the UK National Crime Agency (NCA), which began in April 2022. A suspected LockBit developer was arrested in August 2024 at the request of French authorities, while two other individuals were arrested in the UK, one for LockBit affiliation and the other for money laundering. Additionally, Spain arrested a bulletproof hosting service administrator used by LockBit.

Ransomware Attack Forces UMC Health System to Divert Some Patients

Last week, Texas healthcare provider UMC Health System disclosed that it detected unusual activity within its IT systems and took steps to proactively disconnect systems to contain the incident. Due to the outage, medical prescription lists are unavailable at UMC clinics. As such, patients have been advised to bring their prescriptions with them when visiting. As a precaution, UMC decided to temporarily divert incoming emergency and non-emergency patients to nearby health facilities. In an update on Monday, the healthcare giant stated that it will start accepting patients via ambulance. However, a select number of patients will still be diverted until all UMC resources are fully functional. As of writing, the investigation is still ongoing, with UMC working with third parties to determine the full scope of the incident and recover systems as soon as possible.

Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit

A critical XML external entity reference (XXE) vulnerability, tracked as CVE-2024-34102, has been exploited to compromise five percent of Adobe Commerce and Magento stores. This vulnerability, dubbed CosmicSting, has been exploited by malicious actors to gain remote code execution on vulnerable systems. The flaw was patched by Adobe on June 27th, 2024, but widespread exploitation has continued. Sansec research discovered seven different groups running large-scale campaigns utilizing this CosmicSting vulnerability.

Lumma Stealer - Using Steam Workshop as C2

An IT-ISAC member shared some indicators related to Lumma Stealer and it's use of Steam Workshop for C2 communications. Lumma Stealer, a subscription-based malware active since 2022, is believed to be developed by the threat actor "Shamel" under the alias "Lumma." It is promoted on dark web forums and a Telegram channel with over a thousand subscribers, and sold for as little as $250 USD. Lumma Stealer collects system data, sensitive information like cookies, passwords, credit card details, and cryptocurrency wallet data from compromised devices. The malware is typically delivered by users downloading trojanized software or opening malicious emails containing Lumma payloads.

Cloudflare Mitigated New Record-Breaking DDoS Attack of 3.8 Tbps

Cloudflare has shared significant insights regarding a notable increase in the frequency and severity of Distributed Denial of Service (DDoS) attacks, particularly starting from early September. During this period, the company successfully neutralized over 100 hyper-volumetric Layer 3 and Layer 4 DDoS attacks. Many of these incidents surpassed critical benchmarks, with some exceeding 2 billion packets per second (Bpps) and reaching impressive peaks of 3 terabits per second (Tbps). One of the most alarming attacks peaked at an extraordinary 3.8 Tbps, which stands as the largest DDoS attack ever made public by any organization.

Ivanti EPM Vulnerability Exploited in the Wild

In May 2024, Ivanti released patches to address a SQL injection vulnerability in its Endpoint Manager. Tracked as CVE-2024-29824, the flaw impacts the Core server of Ivanti EPM 2022 SU5 and prior, and can be exploited by an unauthenticated attacker within the same network to execute arbitrary code. In its initial advisory, Ivanti did not have evidence to suggest that the flaw was exploited in attacks in the wild. However, the vendor recently updated the advisory stating that it is aware of in-the-wild exploitation. According to Ivanti, CVE-2024-29824 has been used against “a limited number of customers.” Details of these attacks have not been disclosed at this time. CISA recently added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, advising organizations to apply patches by October 23.

Stonefly: Extortion Attacks Continue Against U.S. Targets

On July 25, 2024, Rim Jong Hyok, an alleged member of the North Korean threat group Stonefly (aka Andariel, APT45, Silent Chollima, Onyx Sleet), was indicted by the U.S. Justice Department for his involvement in extorting U.S. hospitals and other healthcare providers between 2021 and 2023, laundering the ransom proceeds, and then using these proceeds to fund additional cyberattacks against targets in the defense, technology, and government sectors worldwide.

New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking

Linux servers are under threat from a stealthy malware known as "perfctl," aimed at running cryptocurrency mining and proxyjacking software. This malware employs advanced evasion tactics, remaining inactive during user activity and deleting its own files to avoid detection. It exploits a vulnerability in Polkit (CVE-2021-4043) to gain root access and install the miner. The name "perfctl" is a deliberate attempt to mimic legitimate system processes. The attack typically involves exploiting vulnerable Apache RocketMQ instances to deliver the malware. Once activated, perfctl hides itself by copying to different locations and may also download additional proxyjacking tools from remote servers.

Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) have released a joint advisory warning against a group of Iran-based cyber actors that has conducted a high volume of computer network intrusion attempts against U.S. and foreign organizations since 2017 and as recently as August 2024, including schools, municipal governments, financial institutions, and healthcare facilities.

Critical WPML Plugin Flaw Exposes WordPress Sites to Remote Code Execution

A critical security vulnerability tracked as CVE-2024-6386 has been disclosed in the WPML WordPress multilingual plugin. WPML is a popular plugin used for building multilingual WordPress sites. It has over one million active installations. This vulnerability could allow authenticated users with Contributor-level access or higher to execute arbitrary code remotely under certain circumstances.

APT Group Exploits Wps Office for Windows RCE Vulnerability (CVE-2024-7262)

ESET researchers discovered a remote code execution vulnerability (CVE-2024-7262) in WPS Office for Windows, which was actively exploited by the South Korea-aligned cyberespionage group APT-C-60. This group targeted users in East Asian countries, leveraging the vulnerability to deploy a custom backdoor named "SpyGlace" by ESET, designed for cyberespionage purposes.

What Is Volt Typhoon?

Volt Typhoon is a Chinese state-sponsored hacker group known by various aliases such as Vanguard Panda and Bronze Silhouette. Recent developments reveal that these hackers have exploited a high-severity zero-day vulnerability in the Versa Director platform, which is used by ISPs to manage complex networks.

What Is Volt Typhoon?

Volt Typhoon is a Chinese state-sponsored hacker group known by various aliases such as Vanguard Panda and Bronze Silhouette. Recent developments reveal that these hackers have exploited a high-severity zero-day vulnerability in the Versa Director platform, which is used by ISPs to manage complex networks.

NCSC Advisory - WhatsApp Verification Code Scam

The National Cyber Security Centre (NCSC) of Ireland is warning of a growing trend in WhatsApp verification code scams targeting users. These scams initiate with the actors obtaining the victim's phone number and entering the number into WhatsApp's login screen.

Hackers Infect ISPs with Malware That Steals Customers' Credentials

Malicious hackers, likely backed by the Chinese government, have exploited a critical zero-day vulnerability in the Versa Director virtualization platform used by ISPs. This vulnerability, tracked as CVE-2024-39717, allowed attackers to infect at least four US-based ISPs with malware named "VersaMem," which steals customer credentials before they are encrypted.

Newly Discovered Group Offers CAPTCHA-Solving Services to Cybercriminals

A previously undiscovered group, dubbed "Greasy Opal," has been found aiding cyber attackers by providing CAPTCHA-solving services and other tools to bypass security measures. This group, based in the Czech Republic and active since 2009, was recently identified by Arkose Cyber Threat Intelligence Research after its tools were used in attacks on Arkose Labs' customers.

Meta Exposes Iranian Hacker Group Targeting Global Political Figures on WhatsApp

Meta shared insights on a small cluster of likely social engineering activity on WhatsApp that its security team was able to block after investigating user reports. This activity which originated from Iran attempted to target individuals in Israel, Palestine, Iran, the United States and the UK, focusing on political and diplomatic officials, and other public figures, including some associated with administrations of President Biden and former President Trump.

Bling Libra's Tactical Evolution: The Threat Actor Group Behind ShinyHunters Ransomware

Unit 42's recent investigation uncovered a shift in strategy by the Bling Libra group, which is known for its ShinyHunters ransomware. Instead of just selling stolen data as they have in the past, they've now turned to extorting their victims. This new approach involves using legitimate credentials they found in public repositories to break into and compromise Amazon Web Services (AWS) environments.

Critical Flaw in WordPress LiteSpeed Cache Plugin Allows Hackers Admin Access

A critical security vulnerability (CVE-2024-28000) has been identified in the LiteSpeed Cache plugin for WordPress, a widely used caching plugin with over five million active installations. This vulnerability, discovered by John Blackburn and submitted via the Patchstack Zero Day bug bounty program for WordPress, could allow unauthenticated attackers to gain administrator privileges on vulnerable WordPress websites.

Enterprise Server Vulnerable to Critical Auth Bypass Flaw

A critical vulnerability, CVE-2024-6800, was discovered in GitHub Enterprise Server by “ahacker1” through GitHub's Bug Bounty Program. This vulnerability could be exploited by an attacker with network access to bypass authentication and gain administrator privileges on the affected machine.

Most Ransomware Attacks Now Happen at Night

A report from Malwarebytes reveals that most ransomware attacks now occur between 1 a.m. and 5 a.m., aiming to catch cybersecurity teams off guard. The 2024 State of Ransomware Report, based on threat intelligence from Malwarebytes' ThreatDown unit, indicates that a majority of incidents happen in the early morning,

Joint ODNI, FBI, and CISA Statement on Iranian Election Influence Efforts

Yesterday, the Office of the Director of National Intelligence (ODNI), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA) released a joint statement, highlighting Iran's longstanding interest in exploiting societal tensions, including the use of cyber operations to attempt to gain access to sensitive information related to U.S. elections.

Hackers Exploit PHP Vulnerability to Deploy Stealthy Msupedge Backdoor

A newly discovered backdoor named Msupedge has been deployed in a cyberattack against an unnamed university in Taiwan. The backdoor stands out due to its unconventional method of communicating with its command-and-control server via DNS traffic, which is a relatively rare and stealthy technique. The origins and objectives behind the Msupedge attack remain unknown.

Blind Eagle Hackers Exploit Spear-Phishing to Deploy RATs in Latin America

A recent report by Kaspersky details the activities of BlindEagle, an APT group targeting Latin American entities and individuals since at least 2018. The group employs a variety of tactics, techniques, and procedures (TTPs) to achieve its objectives, which fluctuate between financial gain and espionage. BlindEagle primarily leverages phishing campaigns, often impersonating government or financial institutions, to deliver malicious payloads.

Multi-Stage ValleyRAT Targets Chinese Users with Advanced Tactics

A recent ValleyRAT malware campaign targeting Chinese speakers has been identified by FortiGuard Labs. This multi-stage malware employs sophisticated evasion techniques to establish persistent control over compromised systems. Key characteristics include heavy reliance on shellcode for in-memory execution, reducing file footprint, and the use of legitimate application icons to deceive victims.

Researchers Uncover New Infrastructure Tied to FIN7 Cybercrime Group

Researchers have uncovered new infrastructure linked to the financially motivated cybercrime group FIN7. This discovery, detailed in a report by Team Cymru in collaboration with Silent Push and Stark Industries Solutions, reveals two clusters of FIN7 activity connected to IP addresses from Post Ltd in Russia and SmartApe in Estonia.

New Mad Liberator Gang Uses Fake Windows Update Screen to Hide Data Theft

Sophos uncovered details on a new ransomware operation dubbed Mad Liberator, which uses social engineering to obtain access to victim environments, targeting users who use remote access tools installed on endpoints and servers. Since initiating operations in mid-July, 2024. Mad Liberator has been observed targeting users of Anydesk, a popular software used by IT teams to manage their environments, particularly when working with remote users and devices.

Xeon Sender Tool Exploits Cloud APIs for Large-Scale SMS Phishing Attacks

Malicious actors are increasingly using a cloud-based attack tool called Xeon Sender to conduct widespread smishing and spam campaigns by abusing legitimate software-as-a-service (SaaS) platforms. The tool, as noted by SentinelOne security researcher Alex Delamotte, allows attackers to send bulk SMS messages through multiple SaaS providers by using valid credentials for those services. Importantly, Xeon Sender doesn't exploit any inherent vulnerabilities in these providers but instead uses their legitimate APIs to carry out large-scale SMS spam attacks.

Attackers Exploit Public .env Files to Breach Cloud and Social Media Accounts

Unit 42 researchers uncovered a highly sophisticated extortion campaign that specifically targeted cloud environments by exploiting exposed environment variable files, commonly referred to as .env files. These files, which are often used to store sensitive information such as cloud service keys, API tokens, and database credentials, were inadvertently exposed due to misconfigurations in web servers and applications.

Ransomware Attack on Indian Payment System Traced Back to Jenkins Bug

A recent ransomware attack targeting India's National Payments Corporation (NPCI) has been linked to a flaw in Jenkins, a popular automation tool. The security weakness, known as CVE-2024-23897, was found in Jenkins' Command Line Interface, enabling unauthorized access to sensitive data on servers that hadn't been updated with the latest security patches.

Rogue PyPI Library Solana Users, Steals Blockchain Wallet Keys

A recent discovery by security researchers at Sonatype, published on August 7th, 2024, highlights a new malicious package on the Python Package Index (PyPI) masquerading as a legitimate Solana blockchain library, "solana-py". This fake package leverages a typosquat technique, exploiting the slight naming discrepancy between the genuine "solana-py" project on GitHub and its simplified name "solana" on PyPI.

Australian Gold Producer Evolution Mining Hit by Ransomware

On August 8, 2024, Evolution Mining, a prominent Australian gold mining firm, experienced a ransomware attack that impacted its IT systems. The company has engaged external cyber forensic experts to investigate the incident, which is currently believed to be contained. While the attack disrupted IT operations, it is not anticipated to significantly impact overall mining operations.

CVE-2024-43121 - HUSKY Plugin Vulnerability

HUSKY, a products filter plugin for the e-commerce product plugin WooCommerce, developed by “realmag777” which enhances the functionality of the base WooCommerce product for WordPress. Around 478 million websites are built on WordPress. It empowers your website visitors to easily search and filter WooCommerce products based on: categories, attributes, tags, taxonomies, meta fields, and product prices.

Beyond the Hype: Unveiling the Realities of WormGPT in Cybersecurity

In this report, they delve into WormGPT—a Dark Web counterpart to ChatGPT, which is designed to quickly generate phishing emails, malware, and harmful recommendations for hackers. Despite its alarming reputation, many of the concerns surrounding WormGPT are rooted in misunderstandings and exaggerations about AI-based hacking applications.

Inc Ransomware Encryptor Contains Keys to Victim Data Recovery

The Inc ransomware group recently carried out a significant cyberattack on McLaren Health Care, a multibillion-dollar healthcare network operating across Michigan, Indiana, and Ohio. The attack severely disrupted McLaren's IT and phone systems, forcing hospitals and outpatient clinics to implement "downtime procedures."

Emerging Phishing Campaign Targeting AWS Accounts

Wiz Threat Research has shed light on a new phishing campaign targeting AWS accounts. The campaign was spotted after an employee at Wiz received a phishing email containing a PNG image. The email was sent from an AWS account (likely compromised) using a spoofed email address -admin@alchemistdigital[.]ae.

Microsoft Fixes Six Actively Exploited Bugs

On August 14, 2024, Microsoft issued patches for six actively exploited vulnerabilities as part of its regular Patch Tuesday updates. These flaws affect Microsoft Project, various Windows products, and the Windows Scripting Engine. Notably, one high-severity vulnerability in Microsoft Project (CVE-2024-38189) could allow remote code execution if a victim opens a malicious file.

Iran Is Accelerating Cyber Activity That Appears Meant to Influence the US Election, Microsoft Says

Iran-linked threat actors are accelerating their malicious online activity intending to influence the United States presidential election by capitalizing on political polarization via TTPs such as creating fake news websites that target extremists, impersonating U.S. political activists, performing email phishing attacks from former political advisors, and making attempts to successfully log into an account belonging to a former presidential candidate, all to stoke division and political tension, especially in swing states where they potentially have the most influence.

ADT Confirms Data Breach After Customer Info Leaked on Hacking Forum

Security giant ADT has confirmed that it suffered a data breach after actors allegedly leaked stolen customer data on Breached Forums, a popular cybercriminal platform. In a form 8-K filing with the Securities and Exchange Commission (SEC), ADT stated that it recently “experienced a cybersecurity incident during which unauthorized actors illegally accessed certain databases containing ADT customer order information.”

US Dismantles Laptop Farm Used by Undercover North Korean IT Workers

The U.S. Justice Department arrested Matthew Isaac Knoot, a 38-year-old Nashville man, for aiding North Korean IT workers in obtaining remote work at U.S. companies by posing as U.S.-based individuals. Knoot operated a "laptop farm," using stolen identities, including that of "Andrew M.," to deceive companies into sending laptops to his residence.

CrowdStrike's Legal Pressures Mount, Could Blaze Path to Liability

The CrowdStrike update from July, which caused significant disruptions across industries, has led to a flurry of lawsuits from investors and affected companies. This update, known as "Channel File 291," resulted in major operational issues, including crashes on 8.5 million computers, with damages estimated at $5.4 billion.

#StopRansomware: Blacksuit (Royal) Ransomware

CISA and the FBI have updated a joint advisory released back in March 2023 on the Royal ransomware group, highlighting that the gang has now rebranded into the BlackSuit operation. BlackSuit which is an evolution of the Royal ransomware, has been observed in attacks from September 2022 through June 2023 and shares numerous code similarities with Royal ransomware while exhibiting improved capabilities.

North Korea Kimsuky Launch Phishing Attacks on Universities

Researchers have detailed activities of the North Korean APT group Kimsuky, which has been targeting universities globally for espionage. Active since 2012, Kimsuky primarily targets South Korean entities but has extended its reach to the US, the UK, and Europe. The group specializes in sophisticated phishing campaigns, often impersonating academics or journalists to steal sensitive information.

Photovoltaic Platform Flaws Threatened Global Solar Grid

Researchers have discovered critical flaws in software that manages 20% of the world's solar electricity, posing significant risks of grid overloads and blackouts. Although solar power currently represents a minor share of U.S. electricity generation, it is projected to grow exponentially and potentially make up half of domestic electricity generation by 2050.

Attackers Use Multiple Techniques to Bypass Reputation-Based Security

Reputation-based security controls may not be as effective as commonly assumed in protecting organizations against unsafe web applications and content, according to a new study by Elastic Security. Researchers have identified several techniques attackers use to bypass these mechanisms, which rely on the reputation and trustworthiness of applications and content.

Critical Progress WhatsUp RCE Flaw Now Under Active Exploitation

A path traversal vulnerability that leads to a critical and unauthenticated remote code execution (RCE) vulnerability, identified as CVE-2024-4885 reported on April 24th, 2024, affecting Progress WhatsUp Gold versions 23.1.2 and earlier has been actively exploited by threat actors since August 1, 2024. Zero Day Initiative (ZDI) publish a related advisory on July 3rd, 2024.

Cloud Cover: How Malicious Actors Are Leveraging Cloud Services

In the past year, there has been an increase in the number of threat actors leveraging legitimate cloud services in attacks. According to researchers at Symantec, trusted services like Microsoft OneDrive or Google Drive are frequently being abused given that traffic to and from such services is less likely to raise red flags than communications with attack-controlled infrastructure.

CrowdStrike Reveals Root Cause of Global System Outages

CrowdStrike has released a root cause analysis for the Falcon Sensor software update crash, which impacted millions of Windows devices globally. The incident, identified as "Channel File 291," was caused by a content validation issue linked to a new Template Type designed to enhance visibility into novel attack techniques.

Qualys 2024 Midyear Threat Landscape Review

Qualys' new 2024 Midyear Threat Landscape Review highlights a growing number of reported Common Vulnerabilities and Exposures (CVEs). From January to mid-July 2023-2024, the annual count of reported CVEs increased by 30%, from 17,114 in 2023 to 22,254 in 2024.

APT28 Targets Diplomats with HeadLace Malware via Car Sale Phishing Lure.

A sophisticated phishing campaign, linked to the Russian state-sponsored threat actor Fighting Ursa (APT28), targeted diplomatic personnel earlier this year was reported by Palo Alto Network's Unit 42. This operation employed a deceptive lure centered around a purported car sale that often resonates with diplomats, designed to entice victims into downloading a malicious ZIP archive.

New “Sitting Ducks” DNS Attack Lets Hackers Easy Domain Takeover

Researchers at Infoblox and Eclypsium have collaborated to uncover a sophisticated new attack vector within the Domain Name System (DNS), dubbed the Sitting Ducks attack. This discovery came while studying the infrastructure used by 404TDS, a Russian-hosted traffic distribution system, indicating the involvement of Russian-nexus cybercriminals.

OneBlood Target of Ransomware Event

OneBlood, the not-for-profit blood center serving much of the southeastern United States, stated that it is experiencing a ransomware event impacting its software system. While OneBlood remains operational and continues to collect, test, and distribute blood, the non-profit noted that it is operating at a significantly reduced capacity.

E-Commerce Fraud Campaign Uses 600+ Fake Sites

Security researchers have identified a sophisticated information-stealing fraud network, dubbed “Eriakos,” that lures victims to fake web shops through malicious Facebook ads. According to Recorded Future, this campaign exclusively targets mobile devices and users, making the scam websites accessible only via malvertising to evade security scanners.

DigiCert to Revoke 83,000+ SSL Certificates Due to Domain Validation Oversight

DigiCert, a certificate authority, has announced that it will revoke a subset of SSL/TLS certificates within 24 hours due to an oversight in verifying domain ownership. The affected certificates lack proper Domain Control Validation. DigiCert validates domain control by methods approved by the CA/Browser Forum, one of which involves setting up a DNS CNAME record with a random value provided by DigiCert.

Cybercriminals Deploy 100K+ Malware Android Apps to Steal OTP Codes

A new malicious campaign has been observed utilizing Android apps to steal users' SMS messages since at least February 2022 as part of a large-scale operation. These malicious apps, numbering over 107,000 unique samples, are designed to intercept one-time passwords (OTPs) used for online account verification, leading to identity fraud.

Microsoft Says Massive Azure Outage Was Caused by DDoS Attack

On July 30th, 2024, a distributed denial-of-service (DDoS) attack triggered a service disruption impacting a subset of Microsoft 365 and Azure customers globally. The outage, lasting approximately eight hours between 11:45 UTC and 19:43 UTC, resulted in intermittent errors, timeouts, and latency spikes for affected users.

Black Basta Ransomware Switches to More Evasive Custom Malware

Black Basta is a ransomware-as-a-service (RaaS) operation that has been active since April 2022. To date, the ransomware gang has been attributed to over 500 attacks targeting organizations across the world. Just this year, the group claimed responsibility for attacks against a couple of notable victims including Veolia North America, Hyundai Motor Europe, and Keytronic.

Hacktivists Claim Leak of CrowdStrike Threat Intelligence

A hacktivist group, USDoD, has claimed to have leaked CrowdStrike's internal threat actor list, including indicators of compromise (IoCs). CrowdStrike acknowledged these claims in a blog post on July 25, 2024, noting that USDoD provided a download link for the alleged list and shared sample data on BreachForums.

Play Ransomware Group's New Linux Variant Targets ESXi, Shows Ties With Prolific Puma

Researchers at Trend Micro have uncovered a new Linux variant of the Play ransomware that is specially designed to target VMWare ESXi environments. Based on a sample submitted to VirusTotal, the Linux variant is compressed in an RAR file with its Windows variant and is hosted in the URL hxxp://108.[BLOCKED].190/FX300.rar, a domain that has been used to host tools like PsExec, NetScan, WinSCP, WinRAR, and the Coroxy backdoor, which have been used by Play actors in previous attacks.

Microsoft Defender Flaw Exploited to Deliver ACR, Lumma, and Meduza Stealers

A now-patched Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) has been exploited to deliver information stealers like ACR Stealer, Lumma Stealer, and Meduza Stealer. This vulnerability allowed attackers to bypass SmartScreen warnings and deliver malicious payloads. The stealer campaign is targeting Spain, Thailand, and the US. The attack chain involves a series of intricately crafted files.

Crowdstrike Outage (update)

CrowdStrike is aware of reports of crashes on Windows hosts that have taken place after installing the latest update for CrowdStrike Falcon Sensor. CrowdStrike says that it has identified a content deployment related to this issue and reverted those changes.

CrowdStrike Outage

CrowdStrike is aware of reports of crashes on Windows hosts that have taken place after installing the latest update for CrowdStrike Falcon Sensor. CrowdStrike says that it has identified a content deployment related to this issue and reverted those changes.

Hackers use PoC exploits in attacks 22 minutes after release

According to Cloudflare's 2024 Application Security report, threat actors are increasingly quick to weaponize available proof-of-concept (PoC) exploits, sometimes within just 22 minutes of their public release. Covering activity from May 2023 to March 2024, the report highlights several emerging threat trends.

Critical Apache HugeGraph Vulnerability Under Attack - Patch ASAP

A critical remote code execution vulnerability (CVE-2024-27348, CVSS: 9.8) impacting Apache HugeGraph-Server versions before 1.3.0 has been actively exploited in the wild. The flaw resides in the Gremlin graph traversal language API and allows attackers to bypass security restrictions and gain complete control over vulnerable servers.

New BugSleep Malware Implant Deployed in MuddyWater Attacks

Researchers at Check Point have disclosed details of a new backdoor implant dubbed BugSleep that is actively being deployed in attacks by MuddyWater, an Iranian state-sponsored group, to steal files of interest and run commands on compromised systems. These attacks entail the use of phishing emails disguised as invitations to webinars or online courses, designed to redirect targets to archives containing malicious payloads hosted on the Egnyte secure file-sharing platform.

Critical Exim Bug Bypasses Security Filters on 1.5 Million Mail Servers

Last Wednesday, a critical vulnerability was patched in Exim, a free mail transfer agent (MTA) that's widely used on Unix-like operating systems. Tracked as CVE-2024-29929, the vulnerability pertains to an incorrect parsing of multiline RFC2231 header filenames, allowing threat actors to remotely deliver malicious executable attachments into end users' mailboxes by circumventing the $mime_filename extension-blocking protection mechanism.

Microsoft Links Scattered Spider Hackers to Qilin Ransomware Attacks

Microsoft has reported that the Scattered Spider cybercrime gang, also known as Octo Tempest, UNC3944, and 0ktapus, has added Qilin ransomware to its arsenal and is now using it in attacks. In the second quarter of 2024, Octo Tempest, a financially motivated threat actor, incorporated RansomHub and Qilin into its ransomware campaigns.

Cybereason - HardBit Ransomware

Summary: Cybereason Security Service Team has released a new blog post highlighting the TTPs employed by HardBit, a ransomware operation that first emerged in October 2022. HardBit seems to take inspiration from the LockBit ransomware gang, with researchers noting a similarity in the marketing tactics deployed by the group including the use of similar group image/icons, image fonts, and ransom notes.

Void Banshee APT Exploits Microsoft MHTML Flaw to Spread Atlantida Stealer

The APT group Void Banshee has been exploiting a newly disclosed security flaw in the Microsoft MHTML browser engine CVE-2024-38112 to deploy the information-stealing malware Atlantida. Cybersecurity firm Trend Micro observed this activity in mid-May 2024, noting that the vulnerability was used in a multi-stage attack involving specially crafted internet shortcut (URL) files.

10,000 Victims a Day: Infostealer Garden of Low-Hanging Fruit

The article illuminates the intricate web of the cybercriminal ecosystem, with a particular focus on the role of infostealer malware. This kind of malware acts as a digital pickpocket, discretely extracting valuable data from compromised systems. The cybercriminal landscape has undergone a transformation, evolving from solitary actors taking care of the entire process, to a highly specialized marketplace where various threat groups collaborate to maximize their illicit gains, embodying a free market economic system.

Attackers Exploit URL Protections to Disguise Phishing Links

Cybercriminals are exploiting legitimate URL protection services to disguise phishing links, according to Barracuda researchers. These services, intended to protect users from malicious websites by rewriting URLs, are being misused to mask phishing URLs and direct victims to credential-harvesting sites.

DarkGate Malware Exploits Samba File Shares in Short-Lived Campaign

The recent DarkGate malware campaign, uncovered by Palo Alto Networks Unit 42, highlights a brief yet impactful exploitation of Samba file shares for malware distribution. Spanning March to April 2024, the campaign targeted regions across North America, Europe, and parts of Asia, utilizing Visual Basic Script (VBS) and JavaScript files hosted on public-facing servers.

Phishing Campaign Abuses SharePoint Servers

ANY.RUN, an interactive malware hunting service, warned on X (formerly known as Twitter) of a massive phishing campaign that is abusing SharePoint to store PDFs containing phishing links. In a span of 24 hours ANY.RUN says it observed over 500 public sandbox sessions with SharePoint phishing.

U.S. Seizes Domains Used by AI-Powered Russian Bot Farm for Disinformation

A recent U.S. Department of Justice (DoJ) operation dismantled a large-scale Russian disinformation campaign utilizing AI-powered social media bots. The bot farm, targeting the U.S. and several other countries, employed fictitious online personas disguised as real users to spread pro-Kremlin messages. The operation, believed to be sponsored by the Kremlin and facilitated by an RT employee and an FSB officer, leveraged AI software called Meliorator to create and manage the bot network.

Multiple Threat Actors Exploit PHP Flaw CVE-2024-4577 to Deliver Malware

Multiple threat actors are exploiting the recently disclosed PHP vulnerability CVE-2024-4577 to deliver various malware families, according to the Akamai Security Intelligence Response Team. This vulnerability, which has a CVSS score of 9.8, is a PHP-CGI OS Command Injection flaw in the Best-Fit feature of encoding conversion within the Windows operating system.

Chinese APT41 Upgrades Malware Arsenal with DodgeBox and MoonWalk

China-linked APT41 is suspected of using an advanced version of StealthVector malware, dubbed DodgeBox, to deliver a new backdoor named MoonWalk. Zscaler ThreatLabz discovered DodgeBox, also known as DUSTPAN, in April 2024. Researchers Yin Hong Chang and Sudeep Singh explained that DodgeBox loads MoonWalk, which shares DodgeBox's evasion techniques and uses Google Drive for command-and-control communication.

Ransomware Groups Prioritize Defense Evasion for Data Exfiltration

Ransomware attackers are increasingly focusing on defense evasion tactics to extend their dwell time within victim networks, as highlighted in a new report by Cisco Talos. This shift is primarily driven by the double-extortion ransomware model, where attackers steal sensitive data and threaten to publish it online while locking down victims' systems.

Apple IDs Targeted in US Smishing Campaign

Symantec recently published a security bulletin warning about a phishing campaign targeting Apple users in the United States. These campaigns are mostly conducted via email but have increasingly been deployed via malicious SMS text messages (smishing).

Avast Provides DoNex Ransomware Decryptor to Victims

Beginning in March 2024, law enforcement organizations have been distributing decryptor keys to victims of the DoNex ransomware, according to Avast. The antivirus provider announced on July 8 that they have been quietly offering the decryptor after identifying a cryptographic flaw in the ransomware and its predecessors.

Cybersecurity Agencies Warn of China-linked APT40's Rapid Exploit Adaptation

Cybersecurity agencies from Australia, Canada, Germany, Japan, New Zealand, South Korea, the U.K., and the U.S. have issued a joint advisory about the China-linked cyber espionage group APT40, warning of its ability to exploit new security vulnerabilities within hours or days of their public release. APT40, also known by various aliases such as Bronze Mohawk, Gingham Typhoon, ISLANDDREAMS, Kryptonite Panda, Leviathan, Red Ladon, TA423, and TEMP.Periscope, has been active since at least 2013, primarily targeting organizations in the Asia-Pacific region.

Major ISP Accused of Mass Malware Attack on Customers

A major South Korean internet service provider, KT (formerly Korea Telecom), is facing serious allegations after reports surfaced that it installed malware on the computers of over 600,000 customers. The incident primarily targeted users of Webhard, a popular file-sharing service in South Korea.

Israeli Entities Targeted by Cyberattack Using Donut and Sliver Frameworks

Researchers have uncovered a sophisticated attack campaign targeting various Israeli entities using publicly available frameworks like Donut and Sliver. HarfangLab, a French cybersecurity firm, detailed the campaign, noting its highly targeted nature and the use of custom WordPress websites as payload delivery mechanisms. This campaign affects entities across unrelated verticals by leveraging well-known open-source malware.

Israeli Entities Targeted by Cyberattack Using Donut and Sliver Frameworks

Researchers have uncovered a sophisticated attack campaign targeting various Israeli entities using publicly available frameworks like Donut and Sliver. HarfangLab, a French cybersecurity firm, detailed the campaign, noting its highly targeted nature and the use of custom WordPress websites as payload delivery mechanisms. This campaign affects entities across unrelated verticals by leveraging well-known open-source malware.

Microsoft MSHTML Flaw Exploited to Deliver MerkSpy Spyware Tool

A recent attack campaign exploited a now-patched vulnerability (CVE-2021-40444) in Microsoft Office's MSHTML component to deliver MerkSpy spyware. This spyware primarily targeted users in Canada, India, Poland, and the U.S. The attackers meticulously crafted a deceptive Microsoft Word document disguised as a software developer job description to trick users into initiating the exploit.

CDK Global Says All Dealers Will Be Back Online By Thursday

On June 18th, CDK Global, a leading software-as-a-service provider that is used by over 15,000 car dealerships across North America, was the target of a ransomware attack, causing a massive IT outage. In particular, CDK Global's dealer management system was impacted, forcing car dealerships to switch to pen and paper, with buyers unable to purchase cars or receive service for already-bought vehicles.

Cisco Warns of NX-OS Zero-day Exploited to Deploy Custom Malware

Cisco has patched a zero-day vulnerability in NX-OS that was exploited in April to install previously unknown malware on vulnerable switches. The cybersecurity firm Sygnia reported the incidents to Cisco, attributing the attacks to a Chinese state-sponsored threat actor, Velvet Ant. Amnon Kushnir, Director of Incident Response at Sygnia, revealed that Velvet Ant used administrator-level credentials to access Cisco Nexus switches and deploy custom malware.

Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data Summary:

A North Korean APT group, Kimsuky, was discovered using a malicious Google Chrome extension codenamed TRANSLATEXT to target South Korean academia focused on North Korean affairs in March 2024. Kimsuky is a notorious hacking crew from North Korea that's known to be active since at least 2012, orchestrating cyber espionage and financially motivated attacks targeting South Korean entities.

Router Maker's Support Portal Hacked, Replies With Metamask Phishing

BleepingComputer has confirmed that the helpdesk portal of Canadian router manufacturer Mercku has been compromised and is sending MetaMask phishing emails in response to new support tickets. Mercku supplies equipment to several ISPs and networking companies, including Start.ca, FibreStream, Innsys, RealNett, Orion Telekom, and Kelcom.

Critical OpenSSH Flaw Enables Full System Compromise

A critical vulnerability (CVE-2024-6387), dubbed regreSSHion, has been identified in OpenSSH servers, potentially affecting over 14 million instances exposed on the internet. This remote unauthenticated code execution flaw allows attackers to compromise systems, leading to full system control, malware installation, data manipulation, creation of backdoors, and network propagation.

Researchers Warn of Flaws in Widely Used Industrial Gas Analysis Equipment

Multiple security vulnerabilities have been identified in Emerson Rosemount gas chromatographs, potentially allowing attackers to access sensitive information, cause denial-of-service (DoS) conditions, and execute arbitrary commands. The affected models include GC370XA, GC700XA, and GC1500XA, with versions 4.1.5 and earlier. Claroty, an operational technology (OT) security firm, highlighted two command injection flaws and two authentication and authorization vulnerabilities.

Apple Patches AirPods Bluetooth Vulnerability That Could Allow Eavesdropping

Apple recently released a firmware update to address a critical vulnerability (CVE-2024-27867) affecting various AirPods models (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro. This authentication issue could have allowed a malicious actor within Bluetooth range to impersonate a trusted device and gain unauthorized access to the targeted AirPods.

Kimsuky Group's New Backdoor Appears (HappyDoor)

Ahnlab Security Intelligence Center (ASEC) has released details of a backdoor that they first identified in 2021 and have closely monitoring since then. Dubbed, Happydoor, the backdoor is attributed to the North Korean APT group Kimsuky and has been deployed in several breaches in the last couple of years.

The Growing Threat of Malware Concealed Behind Cloud Services

The analysis highlights a growing trend where cybercriminals are leveraging cloud services to enhance the capabilities of botnets like UNSTABLE and Condi. These botnets exploit vulnerabilities in various devices to establish command and control (C2) operations through cloud servers, which provides scalability and anonymity that traditional hosting methods lack.

Linux Version of RansomHub Ransomware Targets VMware ESXi VMs

According to Recorded Future, the RansomHub operation has been using a Linux encryptor since April 2024 to specifically target VMware ESXi environments in corporate attacks. The ESXi version of RansomHub's encryptor is developed in the C++ programming language and was likely derived from the now-defunct Knight ransomware's source code.

Fake Google Chrome Errors Trick You into Running Malicious PowerShell Scripts

A sophisticated malware distribution campaign has emerged, utilizing fake error messages resembling Google Chrome, Microsoft Word, and OneDrive issues to deceive users into running malicious PowerShell scripts. This campaign involves several threat actors, including ClearFake, ClickFix, and TA571, known for their previous involvement in spam distribution and malware dissemination.

Russia's Midnight Blizzard Seeks to Snow French Diplomats

French diplomatic entities have been targeted by Midnight Blizzard, a Russia-backed advanced persistent threat, since at least 2021, according to CERT-FR. This group, infamous for its involvement in the 2016 US elections interference and the 2020 SolarWinds attacks, remains a significant cyber threat.

ONNX Phishing Service Targets Microsoft 365 Accounts at Financial Firms

A new phishing-as-a-service (PhaaS) platform called ONNX Store is targeting Microsoft 365 accounts of employees at financial firms using QR codes embedded in PDF attachments. The platform, which can target both Microsoft 365 and Office 365 email accounts, operates via Telegram bots and includes mechanisms to bypass two-factor authentication (2FA).

New ARM 'TIKTAG' attack impacts Google Chrome, Linux systems

A new speculative execution attack named "TIKTAG" targets ARM's Memory Tagging Extension, achieving over a 95% success rate in leaking data and bypassing this security feature. This attack, demonstrated by researchers from Samsung, Seoul National University, and the Georgia Institute of Technology, affects Google Chrome and the Linux kernel.

Report Reveals Record Exploitation Rate For Load Balancers

Recent data from Action1 indicates a growing trend of threat actors targeting edge devices, particularly load balancers, resulting in a record exploitation rate over the past three years. The study assessed various product categories from 2021 to 2023, using data from the National Vulnerability Database (NVD) and cvedetails.com to calculate the ratio of exploited vulnerabilities to total vulnerabilities.

UNC3944 Targets SaaS Applications

UNC3944, a financially motivated threat group, has been active since at least May 2022 and has evolved its tactics from credential harvesting to primarily data theft extortion without ransomware. They exploit vulnerabilities in software-as-a-service (SaaS) applications and leverage social engineering tactics to gain access to privileged accounts.

GitHub Phishing Campaign Wipes Repos, Extorts Victims

CronUp security researcher German Fernandez has shed light on a phishing and extortion campaign to target GitHub users. The campaign which has been ongoing for several months takes advantage of GitHub's notification system and a malicious OAuth app to gain access to victims' repositories and extort the contents for ransom.

Ukrainian Police Identify Suspected Affiliate of Conti, LockBit Groups

Ukrainian cyber police have identified a 28-year-old resident of Kyiv as a suspected affiliate of the notorious Conti and LockBit ransomware groups. He allegedly specialized in developing cryptors, which are tools that encrypt malware to evade antivirus detection. The man reportedly sold his services to hackers linked to the Conti and LockBit groups for cryptocurrency rewards.

Black Basta Ransomware Gang Linked to Windows Zero-Day Attacks

The Black Basta ransomware group is suspected of leveraging a critical Windows privilege escalation vulnerability, identified as CVE-2024-26169, as a zero-day exploit before Microsoft released a fix. This vulnerability, rated at 7.8 on the CVSS v3.1 scale, affects the Windows Error Reporting Service, enabling attackers to elevate their privileges to SYSTEM level.

Vietnamese Entities Targeted by China-Linked Mustang Panda in Cyber Espionage

Researchers at CrowdStrike Falcon Intelligence identified a previously unattributed TA group targeting a U.S.-based think tank with ties to China in April 2017 which revealed a larger campaign attributed to the China-based adversary Mustang Panda. Mustang Panda has likely been operational since 2014 targeting government organizations, nonprofits, religious institutions, and other NGOs across the U.S., Europe, Mongolia, Myanmar, Pakistan, Vietnam, and other regions with LNK files associated with the APT group.

Lost in the Fog: A New Ransomware Threat

Researchers at Artic Wolf Labs have released details on a new ransomware variant dubbed ‘Fog” that has been targeting the networks of US organizations in the education and recreation sectors since May, 2024. In one of the incidents observed, Fog ransomware actors performed pass-the-hash attacks to gain access to administrator accounts and further establish RDP connections to Windows servers running Hyper-V and Veeam.

UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion

Mandiant has identified a campaign by the financially motivated group UNC5537, targeting Snowflake customer database instances to steal data and extort victims. Snowflake is a multi-cloud data warehousing platform used for storing and analyzing large datasets. UNC5537 gains access to these databases using stolen customer credentials, obtained through various info stealer malware campaigns.

IoT Vulnerabilities Skyrocket, Becoming Key Entry Point for Attackers

The number of vulnerable Internet of Things (IoT) devices has surged by 136% over the past year, according to Forescout's report, "The Riskiest Connected Devices in 2024." This study, which analyzed data from nearly 19 million devices, revealed that the proportion of IoT devices with vulnerabilities increased from 14% in 2023 to 33% in 2024.

Inside Baseball: The Red Sox Cloud Security Game

The Boston Red Sox, positioned at the forefront of the American League East in baseball, are also making significant strides in cybersecurity. By adopting a comprehensive strategy that involves transitioning critical operations to a software-as-a-service (SaaS) model and embracing the Internet of Things (IoT) at Fenway Park, the team is actively bolstering its cloud security.

RansomHub Extortion Gang Linked to Now-Defunct Knight Ransomware

Researchers at Symantec have uncovered similarities between two ransomware families, RansomHub and Knight, indicating a potential rebrand of the now defunct Knight ransomware which went silent after its source code was listed for sale on hacker forums back in February 2024. Similar to Knight ransomware, RansomHub is written in the Go programming language.

Chinese South China Sea Cyberespionage Campaign Unearthed

A cyberespionage campaign recently targeted a government agency that frequently clashes with China over the South China sea. This campaign used previously undetected backdoors and had links to known Chinese state threat actors. Researchers at Sophos Managed Detection and Response uncovered this complex operation, named "Crimson Palace," and attributed it with high confidence to Chinese state-sponsored hacking clusters.

Zyxel Addressed Three RCEs in End-Of-Life NAS Devices

Zyxel Networks has released an emergency security update to address critical vulnerabilities in its end-of-life NAS devices, specifically NAS326 and NAS542 models. These vulnerabilities, identified as CVE-2024-29972, CVE-2024-29973, and CVE-2024-29974, allow attackers to perform command injection and remote code execution.

Belarusian Hackers Target Ukraine's Ministry of Defence in New Espionage Campaign

Belarusian state-sponsored hackers, UNC1151, targeted Ukraine's Ministry of Defence and a military base in a new cyberespionage operation according to Cyble Research and Intelligence Labs. Mandiant Threat Intelligence uncovered a persistent information operation called “Ghostwriter/UNC1151,” which is part of a larger influence campaign supporting Russian security interests and promoting narratives critical of NATO that has been active since March 2017 targeting audiences in Ukraine, Lithuania, Latvia, and Poland.

IT Consultants Engaged by NIST to Tackle National Vulnerability Database Backlog

Facing a burgeoning backlog of reported vulnerabilities, the National Institute of Standards and Technology (NIST) has found itself in a predicament, grappling with the daunting task of clearing its National Vulnerability Database (NVD). To tackle this challenge head-on, NIST has decided to extend its existing commercial contract with Analygence, a Maryland-based IT consultancy firm, known for its expertise in IT and security-related work.

Fake Browser Updates delivering BitRAT and Lumma Stealer

Researchers at eSentire have observed a trend in the employment of fake web browser updates to infect end users with various malware strains including SocGholish as well as Fakebat. In May 2024 eSentire's Threat Response Unit started seeing actors using this tactic to deliver BitRAT, a remote access trojan, and Lumma Stealer, a notorious info stealer malware that has gained popularity within the cybercriminal community.

APT28 Targets Key Networks in Europe With Headlace Malware

On September 4, 2023, CERT-UA reported a phishing campaign that leveraged Headlace malware to target a critical energy infrastructure facility in Ukraine. During this campaign, BlueDelta sent phishing emails from a fake sender address that contained links to archive files. The archive files contained lure images and Windows BAT script, which, if executed, would result in the whoami command being run and the results being exfiltrated back to the threat actor.

Andariel Hackers Target South Korean Institutes with New Dora RAT Malware

The North Korean linked threat actor Andariel has been using a new Golang-based backdoor called Dora RAT to target educational institutions, manufacturing firms, and construction businesses in South Korea. The AhnLab Security Intelligence Center reported that Andariel has deployed a variety of malware, including keyloggers, infostealers, and proxy tools, to control and exfiltrate data from infected systems.

Ransomware Rises Despite Law Enforcement Takedowns

Ransomware activity surged in 2023, according to a report by Google-owned Mandiant, despite extensive law enforcement efforts against major ransomware groups like ALPHV/BlackCat. The report, published on June 3, 2024, revealed a 75% increase in posts on ransomware groups' data leak sites compared to 2022, affecting victims in over 110 countries.

Check Point Warns Customers to Patch VPN Vulnerability Under Active Exploitation

Check Point has alerted its customers to a critical zero-day vulnerability (CVE-2024-24919, CVSS 8.6) affecting several products, including CloudGuard Network and Quantum Maestro. Attackers are exploiting this flaw by targeting outdated VPN local accounts using password-only authentication. Immediate software updates are crucial to mitigate the risk of unauthorized access to sensitive data and potential lateral movement within networks.

The Pumpkin Eclipse

Lumen Technologies' Black Lotus Labs identified a destructive event, as over 600,000 small office/home office (SOHO) routers were taken offline belonging to a single internet service provider (ISP). The incident took place over a 72-hour period between October 25-27, rendered the infected devices permanently inoperable, and required a hardware-based replacement.

Cyber Espionage Alert: LilacSquid Targets IT, Energy, and Pharma Sectors

A previously undocumented cyber espionage group named LilacSquid has been linked to targeted attacks across various sectors in the U.S., Europe, and Asia as part of a data theft campaign ongoing since at least 2021. This campaign is aimed at establishing long-term access to compromised organizations to siphon data of interest to attacker-controlled servers, according to a new technical report by Cisco Talos researcher Asheer Malhotra.

Important Details About CIRCIA Ransomware Reporting

The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) mandates covered entities to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). CISA aims to swiftly deploy resources, analyze trends, and share information with network defenders.

Brazilian Banks Targeted by New AllaKore RAT Variant Called AllaSenha

Since at least early May, Banking institutions in Brazil have been observed by French cybersecurity company HarfangLab being targeted by a new campaign that deploys a custom payload variant of the Windows-based AllaKore RAT called AllaSenha. The intricate infection chain involves Python scripts and a loader developed in a language called Delphi.

Pirated Microsoft Office delivers malware cocktail on systems

AhnLab Security Intelligence Center is warning of an ongoing campaign where cybercriminals are distributing various malware strains by promoting installers for cracked versions of Microsoft Office on torrent sites. The cracked Microsoft Installer comes with a well-built interface, where users can specify the version they want to install, the language, as well as whether to use 32 or 64-bit variants.

Sav-Rx Discloses Data Breach Impacting 2.8 Million Americans

Prescription management company Sav-Rx is warning over 2.8 million people in the United States that it suffered a data breach, stating that their personal data was stolen in a 2023 cyberattack. A&A Services, doing business as Sav-RX, is a pharmacy benefit management (PBM) company that provides prescription drug management services to employers, unions, and other organizations across the U.S.

The Real Danger Lurking in the NVD Backlog

On February 12, 2024, the NIST National Vulnerability Database significantly slowed its processing and enrichment of new vulnerabilities. Since then, 12,720 new vulnerabilities have been added, but 11,885 remain unanalyzed, hindering security professionals' ability to assess affected software. By February 15, the NVD warned of analysis delays,

US-Led Operation Takes Down World's Largest Botnet

A US-led law enforcement operation has dismantled the 911 S5 botnet, believed to be the world's largest. The botnet consisted of millions of compromised residential Windows computers used for cyber-attacks, fraud, child exploitation, and other serious crimes. It included over 19 million unique IP addresses, with 613,841 in the US. Cybercriminals could buy access to these IP addresses for illegal activities.

Okta Warns of Credential Stuffing Attacks Targeting Its CORS Feature

Identity and Access Management company Okta warns that its cross-origin authentication feature in Customer Identity Cloud (CIC) is susceptible to credential-stuffing attacks. “Okta's Cross-Origin Resource Sharing (CORS) feature allows customers to add JavaScript to their websites and applications to send authentication calls to the Okta API hosted.

New Tricks in the Phishing Playbook: Cloudflare Workers, HTML Smuggling, GenAI

Researchers have raised alarms about sophisticated phishing campaigns leveraging Cloudflare Workers to deploy phishing sites aimed at harvesting credentials from multiple organizations users. These campaigns utilize a method called transparent phishing or adversary-in-the-middle phishing. This technique involves using Cloudflare Workers as a reverse proxy to legitimate login pages, intercepting traffic to capture login credentials, cookies, and tokens.

Fake Antivirus Sites Spread Malware Disguised as Avast, Malwarebytes, Bitdefender

Trellix Research has uncovered a concerning trend in cybersecurity: fake antivirus websites masquerading as legitimate security software while actually harboring malware. These deceptive sites, such as avast-securedownload[.]com and bitdefender-app[.]com, distribute harmful programs like SpyNote trojan, Lumma malware, and StealC malware under the guise of reputable antivirus brands. Instances of brand reputation attacks like these pose a significant threat, exploiting users' trust in reputable antivirus brands to distribute harmful malware.

Microsoft: Gift Card Fraud Rising, Costing Businesses up to $100,000 a Day

With US holidays like Memorial Day upcoming, Microsoft is warning up an uptick in activity from Storm-0539, a cybercriminal group operating out of Morocco that is known for targeting gift card portals linked to large retailers, luxury brands, and well-known fast-food restaurants. According to Microsoft, Storm-0539 conducts deep reconnaissance and sophisticated cloud-based techniques to target gift card creators.

Russian Hackers Shift Tactics, Target More Victims with Paid Malware

Russian hackers, particularly Advanced Persistent Threat (APT) groups, are intensifying their cyberattacks, expanding targets beyond governments and utilizing readily available malware. Flashpoint researchers reveal the evolving tactics, emphasizing the need for organizational protection. Recent reports indicate collaboration among state-sponsored groups in Iran for large-scale attacks, paralleled by activities in Russia.

Cybercriminals Exploit Cloud Storage For SMS Phishing Scams

Security researchers have uncovered a series of criminal campaigns that exploit cloud storage services. These campaigns, orchestrated by unnamed threat actors, aim to deceive users into visiting malicious websites through SMS messages. According to a technical analysis released by Enea today, the attackers have two main objectives.

Japanese Experts Warn of BLOODALCHEMY Malware Targeting Government Agencies

Researchers have recently made a significant revelation regarding the BLOODALCHEMY malware, which has been employed in targeted attacks against government organizations in Southern and Southeastern Asia. These researchers found that BLOODALCHEMY is an updated iteration of Deed RAT, considered a successor to ShadowPad—a widely recognized tool utilized in APT campaigns.

Japanese Experts Warn of BLOODALCHEMY Malware Targeting Government Agencies

Researchers have recently made a significant revelation regarding the BLOODALCHEMY malware, which has been employed in targeted attacks against government organizations in Southern and Southeastern Asia. These researchers found that BLOODALCHEMY is an updated iteration of Deed RAT, considered a successor to ShadowPad—a widely recognized tool utilized in APT campaigns.

From Trust to Trickery: Brand Impersonation Over the Email Attack Vector

Cisco researchers have discovered various techniques used by cybercriminals to embed and deliver brand logos within emails, targeting users through brand impersonation. This widespread threat leverages the familiarity and trust associated with well-known brand logos to solicit sensitive information, particularly in phishing emails where attackers aim to deceive recipients into revealing credentials or other valuable information.

Inside Operation Diplomatic Specter: Chinese APT Group's Stealthy Tactics Exposed

A Chinese APT group has been targeting governmental entities in the Middle East, Africa, and Asia since late 2022 as part of a cyber espionage campaign named Operation Diplomatic Specter. According to researchers from Palo Alto Networks Unit 42, this group has conducted long-term espionage against at least seven government entities, employing sophisticated email exfiltration techniques.

Threat Actor Claiming Access to AWS, Azure, & GitHub API Keys

According to a post on X (formerly known as Twitter), a threat actor is claiming to have gained access to a handful of API keys for major cloud service providers, including Amazon Web Services (AWS), Microsoft Azure, GitHub, etc. The actor who goes by the alias “carlos_hank,” stated that these keys are “fresh and all working,” with high permissions that can be used to compromise entire cloud infrastructures.

Chinese Hackers Rely on Covert Proxy Networks to Evade Detection

Chinese-backed threat actors, including groups like Volt Typhoon, are increasingly using proxy networks known as operational relay boxes for cyber espionage, according to a Mandiant report published on May 22. ORBs, similar to botnets, are mesh networks comprising compromised devices like virtual private servers, Internet of Things devices, smart devices, and routers.

Iranian MOIS-Linked Hackers Behind Destructive Attacks on Albania and Israel

An Iranian threat actor affiliated with one of the Iranian intelligence agencies has been observed conducting destructive wiping attacks that target Albania and Israel. Cybersecurity firm Check Point is tracking the activity under the moniker Void Manticore, which is also known as Storm-842 (formerly DEV-0842) by Microsoft. The techniques, tactics, and procedures (TTPs) employed by Void Manticore are relatively straightforward and simple, involving hands-on efforts using basic, mostly publicly available tools.

Critical Fluent Bit Flaw Impacts All Major Cloud Providers

A critical vulnerability in Fluent Bit has been identified, impacting major cloud providers and numerous tech giants by exposing them to denial-of-service and remote code execution attacks. Fluent Bit, a popular logging and metrics solution for Windows, Linux, and macOS, is embedded in major Kubernetes distributions.

Ransomware and AI-Powered Hacks Drive Cyber Investment

The surge in sophisticated cyber-attacks has led to significant financial implications for businesses. Ransomware attacks, in particular, have become increasingly prevalent and costly. These attacks involve encrypting a victim's data and demanding payment, typically in cryptocurrency, for its release.

New Android Banking Trojan Mimics Google Play Update App

Cyble Research and Intelligence Labs has uncovered a new banking trojan dubbed “Antidot” targeting Android devices by posing as a Google Play update application. Users who install the application are presented with a counterfeit Google Play update page that contains a “continue” button designed to redirect to the Android device's Accessibility settings. I

Springtail: New Linux Backdoor Added to Toolkit

Symantec's Threat Hunter Team recently uncovered a new Linux backdoor, Linux.Gomir, developed by the North Korean Springtail espionage group, linked to a recent campaign against South Korean organizations. This group, also known as Kimsuky, has a history of targeting South Korean public sector organizations and was previously identified in attacks dating back to 2014.

Botnet Sent Millions of Emails in LockBit Black Ransomware Campaign

ew Jersey's Cybersecurity and Communications Integration Cell (NJCCIC) disclosed that it uncovered a new LockBit campaign where actors are sending millions of phishing emails with the help of the Phorpiex botnet to infect potential victims with LockBit Black, an encryptor that was likely built using the LockBit 3.0 builder that was leaked by a disgruntled developer on Twitter in September 2022.

Mallox Ransomware Deployed Via MS-SQL Honeypot Attack

An instance involving a MS-SQL honeypot has shed light on the sophisticated tactics employed by cyber-attackers relying on Mallox ransomware. The honeypot, set up by researchers at Sekoia, was targeted by an intrusion set utilizing brute force techniques to deploy the Mallox ransomware via PureCrypter to exploit various MS-SQL vulnerabilities. Upon analyzing Mallox samples, the researchers identified two distinct affiliates using different approaches.

Hackers Use DNS Tunneling to Scan and Track Victims

Threat actors are using DNS tunneling to track when targets open phishing emails and click malicious links, as well as to scan networks for vulnerabilities. DNS tunneling involves encoding data or commands within DNS queries, turning DNS into a covert communication channel. The attackers use various encoding methods, such as Base16, Base64, or custom algorithms, to transmit data via DNS records like TXT, MX, CNAME, and Address records.

Ongoing Campaign Bombards Enterprises with Spam Emails and Phone Calls

Cybersecurity researchers at Rapid7 have uncovered an ongoing social engineering campaign that barrages enterprises with spam emails with the goal of obtaining initial access to their environments for follow-on exploitation. The social engineering tactics involve overwhelming a potential victim's email with junk mail, calling the victim user, and offering them assistance with the issue.

Government's Addiction to Contractors Is Creating a Data Crisis

The rapid advancement of artificial intelligence and the proliferation of data worldwide, estimated to reach 200 zettabytes, have ushered in an era of unprecedented technological growth. However, despite this data abundance, there exists a crisis in accessing research data, with the government and private sector being identified as primary contributors to the problem.

North Korean Hackers Deploy New Golang Malware 'Durian' Against Crypto Firms

The North Korean APT group Kimsuky has been observed by Kaspersky deploying a previously undocumented Golang-based malware dubbed Durian in targeted cyberattacks against two South Korean cryptocurrency firms. Kaspersky states that Durian boasts comprehensive backdoor functionality, enabling the execution of delivered commands, additional file downloads, and exfiltration of files.

'The Mask' Espionage Group Resurfaces After 10-Year Hiatus

Careto, also known as "The Mask," resurfaced after a lengthy hiatus, launching a cyber-espionage campaign targeting organizations primarily in Latin America and Central Africa. This APT group was initially active from 2007 to 2013, during which it targeted a diverse range of victims across 31 countries, including prominent entities like government institutions, diplomatic offices, energy companies, research institutions, and private equity firms.

GoTo Meeting Loads Remcos RAT via Rust Shellcode Loader

There has been a notable rise in cyber threats exploiting legitimate software platforms to propagate malicious payloads. Among these threats is the Remcos RAT, a sophisticated remote access tool favored by cybercriminals. Cyber attackers have leveraged trusted applications like GoTo Meeting to facilitate the deployment of the Remcos RAT, employing advanced techniques to evade detection and compromise systems.

Widely Used Telit Cinterion Modems Open to SMS Takeover Attacks

Security researchers at Kaspersky's ICS CERT division revealed a series of eight vulnerabilities, including CVE-2023-47610 through CVE-2023-47616, in Telit Cinterion cellular modems, prevalent across industrial, healthcare, and telecommunications sectors. The most severe flaw, CVE-2023-47610, enables remote code execution via SMS, granting attackers unauthorized access to the modem's operating system without authentication.

In the Shadow of Venus: Trinity Ransomware's Covert Ties

CRIL (Cyble Research and Intelligence Labs) has uncovered a new ransomware variant dubbed Trinity, notable for its utilization of a double extortion tactic. This method involves exfiltrating victim data before initiating encryption and subsequently demanding ransom payments. The threat actors behind Trinity operate victim support and data leak sites, enhancing their coercive capabilities (T1486).

GhostStripe Attack Haunts Self-Driving Cars by Making Them Ignore Road Signs

A group of researchers, primarily from Singapore-based universities, has demonstrated the feasibility of attacking autonomous vehicles by exploiting their reliance on camera-based computer vision systems. Dubbed GhostStripe, the attack manipulates the sensors used by brands like Tesla and Baidu Apollo, which rely on complementary metal oxide semiconductor (CMOS) sensors.

New 'LLMjacking' Attack Exploits Stolen Cloud Credentials

The Sysdig Threat Research Team recently conducted a study on a new cyber attack termed “LLMjacking”, which specifically targets cloud-hosted large language model services by exploiting stolen cloud credentials. These credentials were obtained from a vulnerable version of Laravel (CVE-2021-3120).

Hijack Loader Malware Employs Process Hollowing, UAC Bypass in Latest Version

A new version of the malware loader, Hijack Loader, has been spotted by researchers at Zscaler which comes with an updated set of anti-analysis techniques to fly under the radar. In total, the latest variant comes with 7 new modules. Notably, one of these modules is designed to bypass User Account Control (UAC), a security feature on Windows designed to prevent unauthorized changes to the operating system.

Massive Webshop Fraud Ring Steals Credit Cards From 850,000 People

BogusBazaar, the vast network of fake online shops, was discovered by Security Research Labs GmbH to have successfully deceived over 850,000 individuals in the United States and Europe. This operation, which has been active for three years since 2021, has aimed to process around $50 million in fraudulent purchases by stealing credit card information and attempting fake transactions. The operations of BogusBazaar involves the creation of over 75,000 fake webshops.

New Attack Leaks VPN Traffic Using Rogue DHCP Servers

"TunnelVision" is a newly discovered cyber threat that exploits a vulnerability in the Dynamic Host Configuration Protocol to bypass the encryption of VPNs. This attack method, outlined in a report by Leviathan Security, enables malicious actors to intercept and surveil unencrypted data while maintaining the facade of a secure VPN connection.

China-Linked Attackers Successfully Targeting Network Security Devices, Worrying Officials

At the RSA Conference in San Francisco, cybersecurity experts revealed concerns about China-linked espionage groups exploiting zero-day vulnerabilities to infiltrate US critical infrastructure and businesses. Charles Carmakal from Mandiant Consulting highlighted how these attackers target network security devices that lack endpoint detection and response capabilities, such as routers and firewalls.

Critical Tinyproxy Flaw Opens Over 50,000 Hosts to Remote Code Execution

Over 52,000 out of 90,310 hosts with Tinyproxy services are vulnerable to a severe security flaw CVE-2023-49606, which exposes them to potential remote code execution. This vulnerability, with a CVSS score of 9.8 out of 10, affects Tinyproxy versions 1.10.0 and 1.11.1. The vulnerability arises from a use-after-free bug triggered by a specially crafted HTTP Connection header.

China-Linked Hackers Suspected in ArcaneDoor Cyberattacks Targeting Network Devices

ArcaneDoor, a cyber espionage campaign targeting network devices from multiple vendors, including Cisco, has been linked to China-linked actors based on findings from Censys. The campaign, attributed to a sophisticated state-sponsored actor known as UAT4356 or Storm-1849, began around July 2023 and continued with the first confirmed attack using custom malware named Line Runner and Line Dancer in January 2024.

Lockbit's Seized Site Comes Alive to Tease New Police Announcements

Law enforcement agencies, collaborated in a significant operation named Operation Cronos. This operation successfully dismantled the infrastructure of the LockBit ransomware group on February 19th. It involved seizing 34 servers that hosted the data leak website, along with data stolen from victims, cryptocurrency addresses, 1,000 decryption keys, and the affiliate panel used by LockBit.

New 'Cuckoo' Persistent macOS Spyware Targeting Intel and Arm Macs

The discovery of Cuckoo highlights the ongoing arms race between cybersecurity researchers and malicious actors. This malware's sophistication, from its ability to evade detection to its multifaceted information-gathering capabilities, showcases the level of expertise adversaries have attained in crafting highly effective threats.

Hackers Target New NATO Member Sweden with Surge of DDoS Attacks

According to metrics collected by network performance management provider Netscout, distributed denial of service attacks (DDoS) targeting Sweden surged in volume between 2023 and 2024 as the country was in the process of joining NATO. Netscout notes that DDoS attacks against Swedish organizations started picking up significantly in late 2023 with 730 Gbps attacks.

Top Threat Actors, Malware, Vulnerabilities and Exploits

The recent report from Picussecurity outlines threats, malware, vulnerabilities, and exploits for the first week of May. Critical vulnerabilities, including CVE-2024-27322 in R Programming Language and three in Judge0, pose significant risks. Malware activities involve Wpeeper Android malware utilizing compromised WordPress sites and the Dev Popper campaign targeting developers with a Python RAT.

Senators Reprimand UnitedHealth CEO in Ransomware Hearing

During a government hearing on Wednesday, senators strongly criticized UnitedHealth Group CEO Andrew Witty for the organization's inadequate security measures leading up to the February ransomware attack on Change Healthcare, a subsidiary. Witty confirmed a $22 million ransom payment and acknowledged potential data theft affecting one-third of Americans.

New "Goldoon" Botnet Targets D-Link Routers With Decade-Old Flaw

A newly discovered botnet named Goldoon has emerged, specifically targeting D-Link routers by exploiting a critical security flaw known as CVE-2015-2051. This flaw, with a high CVSS score of 9.8, impacts D-Link DIR-645 routers, allowing malicious actors to execute arbitrary commands remotely via specially crafted HTTP requests.

New Cuttlefish Malware Infects Routers to Monitor Traffic For Credentials

Lumen Technologies' Black Lotus Labs has uncovered a new malware dubbed ‘Cuttlefish' that has been observed infecting enterprise-grade and small office/home office routers to monitor data passing through them and steal authentication information. The malware supports various router architectures with builds for ARM, i386, i386_i686, i386_x64, mips32, and mips64.

Food and Ag-ISAC Alert: Pro-Russian Hacktivists Targeting HMI Vulnerabilities in OT Networks

Threat actors continue to target operational technology as a means to disrupt critical infrastructure networks, or to deliver malware as a just-in-case measure for increasing global conflicts. Earlier this year we reported on IRGC-Affiliated Cyber Actors targeting Israeli produced programmable logic controllers (PLCs) to disrupt the water sector. We also highlighted reports of Chinese (PRC) state-Sponsored actors compromising and maintaining persistent access to U.S. critical infrastructure with strategic and destructive malware.

Kapeka: A New Toolkit in the Arsenal of SandStorm

Kapeka, also known as KnuckleTouch, emerged around mid-2022 but gained formal tracking in 2024 due to its involvement in limited-scope attacks, notably in Eastern Europe. It's associated with the Sandstorm Group, operated by Russia's Military Unit 74455, known for disruptive cyber activities, particularly targeting Ukraine's critical infrastructure.

New Latrodectus Malware Attacks Use Microsoft, Cloudflare Themes

Latrodectus, also known as Unidentified 111 and IceNova, is a Windows malware downloader that acts as a backdoor, allowing threat actors to gain unauthorized access to compromised systems. The malware was initially discovered by Walmart's security team and later analyzed by cybersecurity firms such as ProofPoint and Team Cymru.

Threat Actor Profile: SideCopy

Operation SideCopy is a sophisticated cyber operation originating from Pakistan and primarily targeting Indian defense forces and personnel. Since its inception in early 2019, the threat group has demonstrated a high level of adaptability, continuously evolving its malware modules to avoid detection and maintain operational effectiveness. Notably, SideCopy closely monitors antivirus detections and promptly updates its modules in response.

China-Linked 'Muddling Meerkat' Hijacks DNS to Map Internet on Global Scale

A newly discovered cyber threat known as Muddling Meerkat has been actively engaging in sophisticated DNS activities since October 2019. This threat is believed to have affiliations with the People's Republic of China due to its utilization of DNS open resolvers from Chinese IP space and its potential control over the Great Firewall, which is known for censoring internet access and manipulating internet traffic in and out of China.

Over 1,400 CrushFTP Servers Vulnerable To Actively Exploited Bug

Last Friday, CrushFTP disclosed details of critical severity server-side template injection vulnerability in its file transfer software that is being actively exploited in attacks in the wild. Tracked as CVE-2024-4040, the flaw could enable actors to perform a virtual file system escape to read any file on the server's file system, gain administrative privileges, and perform remote code execution to effectively compromise unpatched systems.

Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

Palo Alto Networks has issued remediation guidance for a critical security flaw, CVE-2024-3400, impacting PAN-OS, which is actively being exploited. This flaw allows unauthenticated remote shell command execution and has been observed in multiple versions of PAN-OS. Dubbed "Operation MidnightEclipse," the exploit involves dropping a Python-based backdoor named UPSTYLE, enabling execution of commands through crafted requests.

CISA: Cisco and CrushFTP Vulnerabilities Need Urgent Patches

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive for federal civilian agencies to patch three critical vulnerabilities within a week. These vulnerabilities include two affecting Cisco products (CVE-2024-20353 and CVE-2024-20359) and one impacting CrushFTP, a popular file transfer tool. The exploits are being actively utilized by state-sponsored threat actors, posing significant risks to network security.

Nespresso Domain Hijacked in Phishing Attack Targeting Microsoft Logins

Perception Point researchers have identified a new phishing campaign utilizing compromised accounts to target users through an open redirect vulnerability discovered within a Nespresso domain. Nespresso is a coffee manufacturer. This redirect method allows attacks to bypass standard endpoint detection security measures assuming that these measures do not check for hidden or embedded links.

Autodesk Hosting PDF Files Used in Microsoft Phishing Attacks

A campaign has been uncovered by researchers at Netcraft, where actors are using compromised email accounts to send phishing emails to existing contacts. These emails contain shortened URL links (generated using the autode[.]sk URL shortener) that lead to malicious PDF documents hosted on Autodesk Drive, a data-sharing platform.

Advanced Cyber Threats Impact Even the Most Prepared

This blog post from MITRE highlights a recent cyber intrusion they experienced, emphasizing the evolving tactics of foreign nation-state cyber adversaries. The breach, discovered in April 2024, involved the exploitation of zero-day vulnerabilities in Ivanti Connect Secure VPNs and subsequent lateral movement into their VMware infrastructure.

DPRK Hacking Groups Breach South Korean Defense Contractors

The National Police Agency in South Korea has issued an urgent warning regarding ongoing cyberattacks targeting defense industry entities by North Korean hacking groups. The police discovered several instances of successful breaches involving the hacking groups Lazarus, Andariel, and Kimsuky, all linked to the North Korean hacking apparatus.

LOCKBIT Black's Legacy: Unraveling the DragonForce Ransomware Connection

Key takeaways from the Cyble Research & Intelligence Labs (CRIL) report on DragonForce ransomware reveal significant insights. CRIL identified DragonForce ransomware as being based on LOCKBIT Black ransomware, suggesting that the threat actors behind DragonForce utilized a leaked builder of LOCKBIT Black to generate their binary. This discovery was made after an X user shared the download link for the LockBit ransomware builder in September 2022. DragonForce ransomware surfaced in November 2023, employing double extortion tactics and targeting victims worldwide.

Hackers Hijack Antivirus Updates to Drop Guptiminer Malware

GuptiMiner, a malware tool reportedly used by North Korean hackers, has recently come into the spotlight due to its sophisticated capabilities and the manner in which it has been deployed. The attack vector involves exploiting vulnerabilities in the update mechanism of eScan antivirus software, allowing the attackers to plant backdoors and deploy cryptocurrency miners on targeted networks.

Ransomware Double-Dip: Re-Victimization in Cyber Extortion

In the realm of cyber extortion, re-victimization often stems from a combination of desperation and strategic maneuvering by threat actors. For instance, repeat attacks against victims may exploit persistent vulnerabilities that were not adequately addressed or leverage new entry points, such as phishing campaigns or compromises in third-party services.

Cybercriminals Pose as LastPass Staff to Hack Password Vaults

LastPass has disclosed details of a campaign targeting its customers using the CryptoChameleon phishing kit. CryptoChameleon is a phishing-as-a-service that enables threat actors to easily generate fake SSO or other login sites impersonating the legitimate sites of companies to steal credentials and other information that can be used for authentication.

Quishing Attacks Jump Tenfold, Attachment Payloads Halve

Quishing attacks, a type of phishing that exploits QR codes, has seen siginificant rise from 0.8% in 2021 to 10.8% in 2024, according to the latest finding from Egress. At the same time, the report notes a substantial decline in attachment-based payloads, which decreased by half from 72.7% to 35,7%. Impersonation attacks continue to be a prevalent threat, with 77% if them masquerading as well-known brands such as DocuSign and Microsoft.

Ransomware Victims Who Pay a Ransom Drops to Record Low

The latest trends in ransomware paint a complex picture of evolving dynamics within the cybercriminal ecosystem. Coverware's report highlights a notable decrease in ransom payments, with only 28% of victims opting to pay in the first quarter of 2024, marking a significant drop from previous periods. This shift is attributed to improved resilience among businesses, allowing them to recover from attacks without succumbing to ransom demands.

Hackers Target Middle East Governments with Evasive "CR4T" Backdoor

In February 2024, Kaspersky discovered a new malware campaign targeting government entities in the Middle East actively employing over 30 DuneQuixote dropper samples. The droppers come in the form of either using a regular malware dropper or abusing a legitimate tool named “Total Commander” which both carry malicious code to download additional malware using a backdoor method Kaspersky has named “CR4T”.

FIN7 Targets American Automaker's IT Staff In Phishing Attacks

Researchers at BlackBerry have disclosed details of a spear-phishing campaign identified in late 2023 that targeted a large automotive manufacturer based in the United States. The campaign has been attributed to a financially motived threat actor called FIN7 and initiated with spear-phishing emails targeting highly privileged employees in the IT department of the unnamed U.S. based manufacturer.

Hackers Hijack OpenMetadata Apps in Kubernetes Cryptomining Attacks

Security researchers at Microsoft recently discovered a malware campaign exploiting new critical vulnerabilities in OpenMetadata to compromise Kubernetes environments, gain access to Kubernetes workloads and abuse them for malicious cryptomining activity. OpenMetadata is an open-source platform designed to manage metadata across various data sources. It serves as a central repository for users to discover, understand, and govern their data.

StopRansomware-Akira-Ransomware

This joint Cybersecurity Advisory (CSA) is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.

Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware

Threat actors are actively targeting unpatched Atlassian servers using a critical security vulnerability known as CVE-2023-22518, which has a CVSS score of 9.1. This vulnerability affects the Atlassian Confluence Data Center and Server, allowing attackers to reset Confluence and create an administrator account without authentication. Once they gain this level of access, threat actors can assume control of the affected systems.

Cisco Duo Warns Third-Party Data Breach Exposed SMS MFA Logs

Cisco Duo recently sent out a notice warning that some of their customer's VoIP and SMS logs for multi-factor authentication messages were stolen by hackers in a cyberattack on the vendor's telephony providers. According to Cisco Duo, an unnamed provider who handles the company's SMS and VOIP multi-factor authentication messages was compromised on April 1, 2024. In this case, the actor was able to obtain employee credentials via a phishing attack which were then used to gain access to the telephony provider's systems.

PuTTY SSH Client Flaw Allows Recovery of Cryptographic Private Keys

The discovery of CVE-2024-31497 in PuTTY versions 0.68 through 0.80 unveils a critical vulnerability that exposes cryptographic private keys to potential recovery by attackers. This flaw stems from PuTTY's method of generating ECDSA nonces, introducing a bias that weakens the security of private key generation, particularly on the NIST P-521 curve.

Open Source Leaders Warn of XZ Utils-Like Takeover Attempts

The OpenSSF and OpenJS Foundations have issued a warning to open source maintainers regarding a series of social engineering attacks reminiscent of the xz Utils campaign. These attacks involve suspicious emails sent to the OpenJS Foundation Cross Project Council, requesting urgent updates to popular JavaScript projects under the pretext of addressing critical vulnerabilities.

Cybersecurity Pros Urge US Congress to Help NIST Restore NVD Operation

Professionals in the vulnerability management community warned that the lasting issues of the US National Vulnerability Database (NVD) could lead to a major supply chain security crisis. 50 cybersecurity professionals consolidated to sign and send an open letter on April 12th to several members of the US Congress including the Secretary of Commerce which addressed the ongoing issues with NVD.

7 Top IT Challenges in 2024

In recent years, AI, cybersecurity, and digital transformation have emerged as pivotal themes shaping the landscape of IT. Organizations must stay ahead of the curve, understanding the evolving dynamics, reasons behind them, and how to adapt.

AT&T Data Breach: Impact Extends to 51 Million Customers

AT&T has confirmed a data breach impacting 51 million former and current customers, after previously denying ownership of the leaked data. The breach, initially reported in 2021 by threat actor ShinyHunters and later by 'MajorNelson', exposed personal information including names, email addresses, phone numbers, social security numbers, and AT&T account details. Although AT&T claims no financial data or call history was compromised, the breach still poses significant risks to affected individuals.

From PDFs to Payload: Bogus Adobe Acrobat Reader Installers Distribute Byakugan Malware

A new malware variant known as Byakuan is being distributed through fake Adobe Reader installers. This malicious campaign was initially uncovered by AnhLab Security Intelligence researchers and further analyzed by Fortinet Fortiguard Labs. The attack begins with a PDF file written in Portuguese, which, upon opening, displays a blurred image and prompts the user to click on a link to download the Adobe Reader application to view the content.

RDP Abuse Present in 90% of Ransomware Breaches

Researchers at Sophos have observed a significant rise in Remote Desktop Protocol exploitation within ransomware attacks, based on their analysis of 150 incident response cases from 2023. They found that RDP abuse featured in a staggering 90% of these cases, allowing threat actors to gain unauthorized remote access to Windows environments.

AI Hallucinated Packages Fool Unsuspecting Developers

A recent report from Lasso Security, has raised concerns about software developers potentially using nonexistent or hallucinated software packages when relying on chatbots to build applications. The report, based on continued research by Bar Lanyado from Lasso, builds upon previous findings that demonstrated how large language models can inadvertently recommend packages that do not actually exist.

Indian Government Rescues 250 Citizens Forced into Cybercrime in Cambodia

The Indian government has confirmed that it has rescued and repatriated around 250 Indian citizens who were held captive in Cambodia and coerced into executing cyber scams that target people in India. These victims of human trafficking were carefully lured by crime racket agents under the guise of employment opportunities, but these victims were forced into “cyber slavery” instead.

Inc Ransom Claims to Be Behind 'Cyber Incident' at UK City Council

The cybercriminal group INC Ransom has claimed responsibility for the ongoing cybersecurity incident at Leicester City Council, marking the first involvement of an established cybercrime gang in the local authority's IT troubles. According to a post on INC Ransom's leak blog, they assert having stolen 3 TB of council data before deleting it shortly after publication.

AT&T Resets Passcodes for 7.6 Million Customers Following Dark Web Data Leak

AT&T has reset passcodes for 7.6 million current customers and 65.4 million former subscribers following a data leak discovered on the dark web. The leaked information, dating back to 2019 and earlier, varies in content, potentially including full names, email addresses, mailing addresses, phone numbers, social security numbers, dates of birth, and AT&T account numbers.

Exposing a New BOLA Vulnerability in Grafana

Palo Alto Network's Unit 42 researchers uncovered and disclosed a new Broken Object Level Authorization (BOLA) vulnerability that affects Grafana versions from 9.5.0 to 9.5.18, from 10.0.0 to 10.0.13, from 10.1.0 to 10.1.9, from 10.2.0 to 10.2.6, and from 10.3.0 to 10.3.5. Grafana is an established open-source data visualization and monitoring solution with almost 60,000 stars on GitHub that helps organizations drive business processes.

DinodasRAT Linux Implant Targeting Entities Worldwide

Kaspersky has disclosed details of a new Linux version of DinodasRAT that it discovered in early October 2023 after a publication from ESET. Also known as XDealer, the trojan is a multi-backdoor written in C++ that enables actors to surveil and harvest sensitive data from targeted systems.

Hackers Developing Malicious LLMs After WormGPT Falls Flat

Researchers have noted that cybercriminals are increasingly interested in developing malicious large language models due to the limitations of existing tools like WormGPT. Ransomware and malware operators are also showing interest in this trend. The demand for AI talent has risen as previous tools like WormGPT failed to meet cybercriminals' needs.

Agent Tesla's New Ride: The Rise of a Novel Loader

SpiderLabs has disclosed details of a new campaign that utilized a novel loader to ultimately deploy Agent Tesla on targeted systems. Researchers note that they identified a phishing email on March 8, 2024, which contained a seemingly harmless archive masquerading as a legitimate payment receipt from a bank.

Street Newspaper Appears to Have Big Issue with Qilin Ransomware Gang

The parent company of The Big Issue, a renowned street newspaper supporting homeless people, is facing a cybersecurity crisis initiated by the Qilin ransomware gang. The gang has claimed to have stolen 550 GB of sensitive company data, including personal information like driving licenses, salary details of executives, and even passport and bank details of key figures within the organization.

Sketchy NuGet Package Likely Linked to Industrial Espionage Targets Developers

Threat hunters have identified a potentially nefarious package named SqzrFramework480 within the NuGet package manager. This package is suspected to target developers using tools from a Chinese industrial technology firm known for manufacturing industrial and digital equipment. The package, uploaded by a user named "zhaoyushun1999," contains a DLL file named "SqzrFramework480[.]dll" that exhibits several concerning behaviors.

N. Korea-linked Kimsuky Shifts to Compiled HTML Help Files in Ongoing Cyberattacks

The North Korea-linked threat actor known as Kimsuky (aka Black Banshee, Emerald Sleet, or Springtail) has been observed shifting its tactics, leveraging CHM files as attack vectors in the delivery phase to deploy malware for harvesting sensitive data. Kimsuky has been active for over 10 years and is notorious for targeting entities in South Korea, North America, Europe, and Asia, gathering intelligence relative to North Korea's interests.

Russia Hackers Using TinyTurla-NG to Breach European NGO's Systems

Cisco Talos has provided updated details on a new campaign where the Russian espionage group Turla deployed their custom backdoor dubbed TinyTurla-NG to infect multiple systems in the compromised network of a European non-government organization (NGO). While it's unclear how exactly the group gained initial access, Turla in the past has initiated drive-by compromises and employed phishing lures to obtain a foothold into victim environments.

Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect

Mandiant's investigation reveals a sophisticated cyber threat campaign attributed to a Chinese threat actor group named UNC5174, also known by the alias "Uteus." The group employs a combination of novel and known vulnerabilities to target a wide range of organizations globally, including U.S. defense contractors, government entities, research institutions, and NGOs.

Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability

Ivanti has revealed a critical remote code execution vulnerability affecting Standalone Sentry and has urged customers to promptly apply the available patches for protection against potential cyber threats. Tracked as CVE-2023-41724 with a CVSS score of 9.6 this flaw allows unauthenticated attackers to execute arbitrary commands on the appliance's operating system within the same network.

New ‘Loop DoS' Attack May Impact up to 300,000 Online Systems

Researchers at CIPSPA Helmholtz-Center for Information Security have discovered a new denial-of-service attack known as ‘Loop DoS', which targets application layer protocols and exploits a vulnerability in the UDP. This attack can cause an indefinite communication loop between network services, resulting in a significant increase in traffic.

AndroxGh0st Malware Targets Laravel Apps to Steal Cloud Credentials

Juniper Threat Labs has released details on a Python-based tool, dubbed AndroxGh0st, designed to target Laravel applications and steal sensitive data. Laravel is an open-source PHP web application development framework that is used for designing web applications such as e-commerce platforms, APIs, content management systems, etc.

New AcidPour data wiper targets Linux x86 Network Devices

SentinelLab's security researcher Tom Hegel has spotted a new destructive malware dubbed AcidPour, which seems to be a variant of the AcidRain data wiper that was used to target satellite communications provider Viasat back in 2022. In a series of threads on X (formerly known as Twitter), Juan Andres Guerrero Saade, AVP of Research for SentinelLabs, provided details regarding the new data wiper, noting that it is designed to target Linux x86 IoT and networking devices.

Chinese Earth Krahang Hackers Breach 70 Orgs in 23 Countries

Trend Micro has released details surrounding a campaign that has been ongoing since early 2022. The campaign has been attributed to a Chinese APT group dubbed ‘Earth Krahang,' who according to researchers has breached 70 organizations and targeted at least 116 entities across 45 countries since initiating operations.

Conversation Overflow' Cyberattacks Bypass AI Security to Target Execs

A novel cyberattack method called "Conversation Overflow" has recently surfaced, showcasing cybercriminals' attempts to bypass AI- and ML-enabled security platforms through sophisticated techniques. This attack tactic, analyzed by SlashNext researchers, is observed in multiple incidents, indicating a deliberate effort to evade advanced cybersecurity defenses.

Malware Analysis Report

The report provides an analysis of a njRAT (Remote Access Trojan) sample discovered in October 2023. The malware, written in .NET, allows attackers to remotely control infected machines. Basic static analysis reveals key file information and suspicious strings indicating registry manipulation, network communication, and process control.

Kaspersky Reports Phishing Attacks Grew By 40 Percent in 2023

A new report from Kaspersky noted that its anti-phishing system was able to deter over 709 million attempts to access phishing and scam websites in 2023, highlighting a 40 percent increase over 2022. A spike in phishing activity was observed between May and June, where actors used travel-related lures including counterfeit airline tickets and fake hotel deals to gain potential victims.

Increase in the Number of Phishing Messages Pointing to IPFS and to R2 Buckets

Credential-stealing phishing remains a persistent threat, with threat actors continually evolving their tactics. While various methods for hosting phishing pages exist, including third-party services and email attachments, traditional approaches involving internet-connected servers remain common. A recent trend observed involves an increase in phishing campaigns utilizing IPFS (InterPlanetary File System) and R2 buckets, a Cloudflare object storage service, to host malicious content.

McDonald's IT Systems Outage Impacts Restaurants Worldwide

The recent global IT outages experienced by McDonald's restaurants have caused significant disruptions to operations across multiple countries. These outages, which commenced overnight, have led to widespread difficulties in order-taking and payment processing, prompting some stores to close temporarily.

Third-Party ChatGPT Plugins Could Lead to Account Takeovers

Researchers have discovered vulnerabilities in third-party plugins for OpenAI's ChatGPT, which could be exploited by attackers to gain unauthorized access to sensitive data. Salt Labs published research revealing security flaws in ChatGPT and its ecosystem, allowing attackers to install malicious plugins without user consent and take over accounts on platforms like Github.

Ande Loader Malware Targets Manufacturing Sector in North America

Blind Eagle, also known as APT-C-36, has been observed utilizing a loader malware named Ande Loader to distribute remote access trojans (RATs) like Remcos RAT and NjRAT. The attacks primarily target Spanish-speaking users in the manufacturing industry based in North America. These malicious activities are executed through phishing emails containing RAR and BZ2 archives, serving as the initial vectors of infection.

US Govt Probes if Ransomware Gang Stole Change Healthcare Data

The U.S. Department of Health and Human Services is investigating whether protected health information was stolen in a ransomware attack that hit UnitedHealthcare Group (UHG) subsidiary Optum, which operates the Change Healthcare platform, in late February. This investigation is coordinated by HHS' Office for Civil Rights (OCR), which enforces the Health Insurance Portability and Accountability Act (HIPAA) rules that protect patients' health information from being disclosed without their knowledge or consent.

What a Cluster: Local Volumes Vulnerability in Kubernetes

A high-severity vulnerability, CVE-2023-5528, with a CVSS score of 7.2, has been discovered by Akamai security researcher Tomer Peled in Kubernetes. This vulnerability allows remote code execution with SYSTEM privileges on all Windows endpoints within a Kubernetes cluster, posing a significant threat. It can be exploited via malicious YAML files, potentially leading to full takeover of Windows nodes.

Russia's Foreign Intelligence Service Alleges US Is Plotting to Interfere in Presidential Election

Russia's Foreign Intelligence Service (SVR) alleges that the US is plotting to interfere in its upcoming presidential election scheduled this month. According to SVR, US nation-state actors plan to launch cyber attacks against Russian voting systems to disrupt operations and interfere with the vote-counting process, as reported by Reuters. “According to information received by the Foreign Intelligence Service of the Russian Federation, the administration of J. Biden is setting a task for American NGOs to achieve a decrease in turnout,” reads a statement issued by the SVR and reported by Reuters.

Alert: Cybercriminals Deploying VCURMS and STRRAT Trojans via AWS and GitHub Summary:

A recent phishing scheme has been detected distributing remote access trojans like VCURMS and STRRAT through a malicious Java-based downloader. The attackers utilized public services like AWS and Github to host malware, employing a commercial protector to evade detection. An unusual element of the campaign is VCURMS' use of a Proton Mail email address for communication with a C2 server.

Cloud Account Attacks Surged 16-Fold in 2023

According to Red Canary's 2024 Threat Detection Report, cloud account threats surged by 16 times in 2023, with attackers adopting new strategies tailored for cloud environments. Attacks exploiting T1078.004: Cloud Accounts, a technique outlined by MITRE ATT&CK for cloud account compromises, rose to become the fourth most prevalent method used by threat actors, a significant increase from its 46th position in 2022.

Secure Cloud Business Applications: Hybrid Identity Solutions Guidance

Identity management for a traditional on-premises enterprise network is usually handled by an on-premises directory service (e.g., Active Directory). When organizations leverage cloud solutions and attempt to integrate them with their on-premises systems (creating a “hybrid” environment), identity management can become significantly more complex.

Over 12 Million Auth Secrets and Keys Leaked on GitHub in 2023

A new report from GitGuardian notes that GitHub users accidentally leaked 12.8 million authentication and sensitive secrets during 2023, highlighting a 28 percent increase over the previous year. The IT sector accounted for the most secrets leaked (65.9%), followed by education, science, retail, manufacturing, etc. T

Ransomware: Attacks Continue to Rise as Operators Adapt to Disruption

Despite a decrease in the number of publicly claimed ransomware attacks, ransomware activity remains a significant threat, with attackers adapting to disruption and refining their tactics. Vulnerability exploitation has emerged as the primary infection vector, with attackers targeting known vulnerabilities in public-facing applications. LockBit, Noberus, and Clop are among the most prolific ransomware operations, with LockBit being the largest threat, followed by Noberus and Clop.

Typosquatting Wave Shows No Signs of Abating

In the ever-evolving landscape of cybersecurity threats, one tactic stands out for its enduring effectiveness: typosquatting. Since the dawn of the commercial internet, threat actors have leveraged this deceptive strategy to impersonate legitimate businesses, exploiting users' inattention and human errors to propagate malware, steal data, and pilfer funds.

Three-Quarters of Cyber Incident Victims Are Small Businesses

A new report from Sophos highlighted that over three-quarters of cyber incidents in 2023 impacted small businesses. Ransomware in particular made up a good chunk of these incidents with groups like LockBit, Akira, BlackCat, and Play leading the forefront in terms of the attacks observed against small businesses. Sophos notes that tactics employed by ransomware groups evolved as 2023 progressed, including the employment of remote encryption, where these actors have been observed abusing unmanaged devices on organizations' networks to attempt files on other systems via network file access.

Researchers Expose Microsoft SCCM Misconfigurations Usable in Cyberattacks

Security researchers have created a knowledge base repository for attack and defense techniques based on improperly setting up Microsoft's Configuration Manager, which could allow an attacker to execute payloads or become a domain controller. Configuration Manager (MCM), formerly known as System Center Configuration Manager (SCCM, ConfigMgr), has been around since 1994 and is present in many Active Directory environments, helping administrators manage servers and workstations on a Windows network.

Magnet Goblin Hackers Use 1-Day Flaws to Drop Custom Linux Malware

A financially motivated hacking group exploits newly disclosed 1-day vulnerabilities to infiltrate public-facing servers, deploying custom malware on both Windows and Linux systems. These vulnerabilities, publicly disclosed but not yet patched, are swiftly leveraged by threat actors before security updates can be applied. Analysts identified rapid exploitation of these vulnerabilities, sometimes within a day of a proof of concept exploit being released.

NSA Launches Top 10 Cloud Security Mitigation Strategies

As businesses transition towards hybrid and multi-cloud environments, the prevalence of cloud misconfigurations and security vulnerabilities has emerged as a significant concern. Cyber threat actors are capitalizing on these vulnerabilities, targeting misconfigured or inadequately secured cloud systems.

Dropbox Used to Steal Credentials and Bypass MFA in Novel Phishing Campaign

Security company Darktrace shared details around a new phishing campaign leveraging legitimate Dropbox infrastructure to bypass multi-factor authentication (MFA). Darktrace notes in their report that while it is common for attackers to exploit the trust of users by mimicking common services, this campaign took things a step further and actually used the legitimate cloud storage platform.

Switzerland: Play Ransomware Leaked 65,000 Government Documents

Switzerland's National Cyber Security Centre (NCSC) has released details surrounding a ransomware attack on Xplain which impacted thousands of sensitive government files. Xplain is a Swiss technology and software solutions company, which supports various government departments, administrative units, and even the country's military.

'The Weirdest Trend in Cybersecurity': Nation-States Returning to USBs

During a keynote presentation this week at CPX 2024 in Las Vegas, the vice president of research at Check Point, Maya Horowitz, highlighted the resurgence of USBs used by Nation-state actors to compromise highly secured government organizations and critical infrastructure facilities. According to Horowitz, three major threat groups employed USBs as their primary initial infection vector in 2023: Chinese Nation-state group Mustang Panda, Russian APT group Gamaredon, and the actors behind the Raspberry Robin worm.

NSA's Zero-Trust Guidelines Focus on Segmentation

The US National Security Agency (NSA) has released guidelines for zero-trust network security, aiming to provide a structured approach towards its adoption. Despite the increasing recognition of zero trust as a vital security strategy, its implementation remains slow, necessitating clear guidance and support.

New Python-Based Snake Info Stealer Spreading Through Facebook Messages

Facebook messages are being used by threat actors to a Python-based information stealer dubbed Snake that's designed to capture credentials and other sensitive data. "The credentials harvested from unsuspecting users are transmitted to different platforms such as Discord, GitHub, and Telegram," Cybereason researcher Kotaro Ogino said in a technical report.

FBI Releases 2023 Internet Crime Report

The report issued on March 6, 2024, highlights the escalating cybercrime landscape in the United States, with a record number of complaints received by the Internet Crime Complaint Center (IC3) in 2023. Key points include a substantial increase in financial losses, with investment fraud, Business Email Compromise (BEC), and ransomware standing out as significant threats.

Critical TeamCity Bugs Endanger Software Supply Chain

Critical vulnerabilities have been uncovered in the on-premises deployments of JetBrains TeamCity, a widely used Continuous Integration/Continuous Deployment (CI/CD) pipeline tool. These vulnerabilities, known as CVE-2024-27198 and CVE-2024-27199, pose significant risks as they could enable threat actors to gain administrative control over TeamCity servers.

ScreenConnect Flaws Exploited to Drop New ToddlerShark Malware

Late last month, ConnectWise addressed two flaws impacting its remote access software ScreenConnect, which could be exploited by actors to bypass authentication (CVE-2024-1709) and execute code remotely (CVE-2024-1708). Since then, several threat actors have abused the flaws, particularly CVE-2024-1709, in the wild to deploy various payloads including ransomware (Black Basta, Bl00dy, LockBit), remote access trojans, info stealers, and much more.

Stealthy GTPDOOR Linux Malware Targets Mobile Operator Networks

Security researcher HaxRob discovered a previously unknown Linux backdoor named GTPDOOR, designed for covert operations within mobile carrier networks. The threat actors behind GTPDOOR are believed to target systems adjacent to the GPRS roaming eXchange (GRX), such as SGSN, GGSN, and P-GW, which can provide the attackers direct access to a telecom's core network.

Content Farm Impersonates 60+ Major News Outlets

Researchers at Bleeping Computer have discovered a content farm that masquerades as reputable news sources, including a couple major news outlets. These sites plagiarize articles without attribution, essentially stealing content from credible news organizations and research institutes.

TA577 Exploits NTLM Authentication Vulnerability

Proofpoint cybersecurity researchers have uncovered a new tactic employed by cybercriminal threat actor TA577, revealing a previously unseen objective in their operations. The group was found using an attack chain aimed at stealing NT LAN manager (NTLM) authentication information, which could potentially be used for sensitive data gathering and further malicious activities.

Blackcat Ransomware Turns off Servers Amid Claim They Stole $22 Million Ransom

BleepingComputer has uncovered new developments regarding the ALPHV/BlackCat ransomware gang's activities. According to reports, the gang has taken the drastic step of shutting down its servers amidst accusations of defrauding an affiliate out of a staggering $22 million. This affiliate is believed to have been responsible for the attack on Optum's Change Healthcare platform.

Hackers Stole ‘Sensitive' Data From Taiwan Telecom Giant: Ministry

Last Friday, Taiwan's Ministry of National Defense confirmed an attack on the country's largest telecom company, Chunghwa Telecom, enabling hackers to steal sensitive information including military and government contracts. The actors have advertised the data stolen on the dark web, allegedly claiming to have exfiltrated 1.7 TeraBytes of data from Chunghwa Telecom.

Five Eyes Warn of Ivanti Vulnerabilities Exploitation, Detection Tools Insufficient

On February 29, government agencies from the Five Eyes countries, comprising Australia, Canada, New Zealand, the UK, and the US, issued an urgent warning regarding the active exploitation of vulnerabilities found in Ivanti products. These vulnerabilities, which include CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893, affect all supported versions of Ivanti gateways, spanning from 9.x to 22.x.

Cybercriminals Harness AI for New Era of Malware Development

Observations made by researchers at Group-IB showcase cybercriminals increasingly harnessing the power of artificial intelligence to develop more advanced and potent malware, as evidenced by the escalating number of ransomware attacks and the collaborative efforts between ransomware groups and initial access brokers.

New Phishing Kit Leverages SMS, Voice Calls to Target Cryptocurrency Users

A new phishing kit has emerged, targeting cryptocurrency users by impersonating login pages of prominent cryptocurrency services, with a focus on mobile devices. The kit allows attackers to create fake single sign-on (SSO) pages, using a combination of email, SMS, and voice phishing to deceive victims into divulging sensitive information, including usernames, passwords, and even photo IDs.

'Savvy Seahorse' Hackers Debut Novel DNS CNAME Trick

A newly discovered threat actor, known as Savvy Seahorse, is orchestrating an investment scam by leveraging a sophisticated traffic distribution system (TDS) that exploits the Domain Name System (DNS). Savvy Seahorse impersonates reputable brands like Meta and Tesla through Facebook ads in multiple languages, enticing victims to create accounts on a fake investing platform.

Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28's MooBot Threat

A joint advisory from cybersecurity and intelligence agencies highlight the MooBot threat targeting users of Ubiquiti EdgeRouters. This botnet, orchestrated by Russia's APT28, has been operational since at least 2022 and has been employed in various cyber operations globally. APT28, known for its affiliation with Russia's Main Directorate of the General Staff, has been active since 2007 and is notorious for its sophisticated cyber campaigns.

Black Basta, bl00dy Ransomware Gangs Join ScreenConnect Attacks

The Black Basta and Bl00dy ransomware groups have recently been identified as participants in a wave of attacks targeting vulnerable ScreenConnect servers. These attacks exploit a critical authentication bypass vulnerability (CVE-2024-1709), which enables threat actors to create administrative accounts on internet-exposed servers.

China Launches New Cyber-Defense Plan for Industrial Networks

China's Ministry of Industry and Information Technology (MIIT) has unveiled a comprehensive strategy aimed at bolstering data security within the nation's industrial sector. This initiative, slated for completion by the end of 2026, is designed to mitigate major risks posed by cyber threats to over 45,000 companies operating in various industrial verticals.

Change Healthcare Cyber-Attack Leads to Prescription Delays Summary:

Health tech firm Change Healthcare was hit with a cyberattack on February 21, 2024, leading to a disruption of a number of its systems and services. According to Change Healthcare numerous applications across areas such as pharmacy, medical records, dental, payment services, and patient engagement are still experiencing connectivity issues. In particular, pharmacies have reported being unable to process patient prescriptions, preventing individuals from getting their medications on time.

New ScreenConnect RCE Flaw Exploited in Ransomware Attacks

Last week enterprise IT giant ConnectWise released patches to address a maximum-severity flaw impacting its remote access software, ScreenConnect. Tracked as CVE-2024-1709, the bug pertains to an authentication bypass that could potentially enable attackers to gain access to confidential information or critical systems.

X Protests Forced Suspension of Accounts on Orders of India's Government

and government regulation in the digital age, particularly in countries like India where social and political tensions often spill over into online platforms. The global government affairs team at X, previously known as Twitter, has taken action to suspend certain accounts and posts within India as per directives received from the country's government.

Unmasking I-Soon | The Leak That Revealed China's Cyber Operations

The leak from I-Soon, a company contracting for various Chinese government agencies including the Ministry of Public Security, Ministry of State Security, and People's Liberation Army, occurred over the weekend of February 16th. The source of the leak and motives behind it remain unknown, but it offers unprecedented insight into the operations of a state-affiliated hacking contractor.

LockBit Ransomware Secretly Building Next-Gen Encryptor Before Takedown

Researchers at Trend Micro have uncovered details on a new LockBit sample that the actors were secretly building prior to law enforcement's takedown of the group's infrastructure earlier this week. The new sample dubbed LockBit-NG-Dev, is written in the .NET programming language and appears to be compiled with CoreRT, whereas previous LockBit samples were written in C++.

'Lucifer' Botnet Turns Up the Heat on Apache Hadoop Servers

A new iteration of the Lucifer botnet has emerged, specifically aimed at organizations utilizing Apache Hadoop and Apache Druid big data technologies. The variant combines the insidious traits of cryptojacking and distributed denial of service capabilities, posing a significant threat to vulnerable systems.

LockBit Leaks Expose Nearly 200 Affiliates and Bespoke Data-Stealing Malware

This article provides an update on recent revelations regarding the LockBit ransomware group. Law enforcement authorities have disclosed that nearly 200 "affiliates" have registered with the group over the past two years. Affiliates are individuals who participate in the gang's ransomware-as-a-service model, utilizing LockBit's tools in exchange for a share of the profits obtained from victims.

Warning of North Korean Cyber Threats Targeting the Defense Sector

The Bundesamt für Verfassungsschutz (BfV) of Germany and the National Intelligence Service (NIS) of the Republic of Korea (ROK) have issued a joint Cyber Security Advisory (CSA) to alert about cyber campaigns likely conducted by North Korean actors targeting the defense sector. North Korea's focus on military strength drives them to steal advanced defense technologies globally, using cyber espionage as a cost-effective method.

Cactus Ransomware Gang Claims The Theft Of 1.5tb Of Data From Energy Management And Industrial Autom

The Cactus ransomware group, who claimed responsibility for an attack on Schneider Electric, says they have stolen 1.5TBs of data from the energy management and industrial automation company. According to reports, the companies Sustainability Business division was targeted on January 17th. Impacts were felt as the companies cloud services faced outages, however, other divisions of the company were not impacted.

US Gov Dismantled The Moobot Botnet Controlled by Russia-Linked APT28

n January 2024, a court-authorized operation was able to take down Moobot Botnet, a network of hundreds of small office/home office (SOHO) routers under the control of the Russia-linked group APT28. This court order enabled law enforcement to use the Moobot malware to copy and delete stolen and malicious data and files from compromised routers.

Over 13,000 Ivanti gateways vulnerable to actively exploited bugs

This year, Ivanti has disclosed several vulnerabilities impacting its Connect Secure, Policy Secure, and ZTA gateways. Tracked as CVE-2024-22024, CVE-2023-46805, CVE-2024-21887, CVE-2024-21893, and CVE-2024-21888, these flaws range from high to critical in severity and pertain to a case of authentication bypass, server-side-request forgery, arbitrary command execution, and command injection. S

Russian Turla Hackers Target Polish NGOs with New TinyTurla-NG Backdoor

Cisco Talos disclosed details of a three-month-long campaign where Russia-linked threat actor Turla has been targeting Polish non-governmental organizations with a new backdoor dubbed TinyTurla-NG. This campaign has been ongoing since December 18, 2023, with researchers suspecting that the activity may have actually commenced in November 2023 based on malware compilation dates.

U.S. Internet Leaked Years of Internal, Customer Emails

A Minnesota-based Internet Service Provider U.S. Internet Corp has suffered a significant data leak. Specifically, a business unit called Securence, which specializes in providing filtered, secure email services to business, educational institutions and government agencies worldwide was accidently publishing more than a decade's worth of it's own internal emails, and that of thousands of clients, in plain text on the Internet where anyone could view it.

MFA and Software Supply Chain Security: It's No Magic Bullet

In a recent article from ReversingLabs, the importance of Multifactor Authentication (MFA) in securing software development environments, particularly in light of recent high-profile attacks such as SolarWinds, Codecov, and Kaseya. The report highlights how attackers target developer accounts to manipulate code, access secrets, and wreak havoc on organizations and their customers.

Warzone RAT Infrastructure Seized

On February 9, 2024, the Justice Department announced the seizure of internet domains selling the Warzone RAT malware, a sophisticated Remote Access Trojan. Domains including www[.]warzone[.]ws were seized, with two suspects arrested in Malta and Nigeria for selling the malware. The operation, led by the FBI and supported by Europol and J-CAT, aimed to disrupt cybercriminals using the malware.

FCC Makes AI-Generated Voices in Robocalls Illegal

The Federal Communications Commission (FCC) has made AI-generated voices in robocalls illegal under the Telephone Consumer Protection Act (TCPA), with a Declaratory Ruling that took effect immediately. This ruling aims to combat the rising trend of robocall scams that use AI-generated voices to deceive consumers, imitate celebrities, and spread misinformation.

Notorious Bumblebee Malware Re-emerges with New Attack Methods

The Bumblebee malware, known for its role as an initial access broker facilitating the download and execution of additional payloads like Cobalt Strike and Meterpreter, has made a comeback with fresh tactics after a period of dormancy. Proofpoint researchers observed a significant shift in the attack chain, diverging from previous Bumblebee patterns.

Bank of America Customer Data Stolen in Data Breach

Bank of America is warning its customers of a data breach exposing their personal information after one of its third-party service providers, Infosys McCamish System (IMS) fell victim to a cyber attack in November of last year. LockBit claimed responsibility for the attack, listing IMS on its data leak site on November 4.