APT Archives - Malware Patrol (https://www.malwarepatrol.net/category/apt/)

InfoSec Articles (02/27/24 – 03/12/24)
https://www.malwarepatrol.net/infosec-articles-02-27-24-03-12-24/
Tue, 12 Mar 2024 01:48:40 +0000


Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

The Anatomy of a BlackCat (ALPHV) Attack

Source: SYGNIA

In 2023, Sygnia’s IR team was engaged by a client to investigate suspicious activities in the client’s network. The activities were ultimately identified as a financial extortion attack executed by the BlackCat (ALPHV) ransomware group or one of its affiliates, and included a massive data exfiltration. Read more.

Delving into Dalvik: A Look Into DEX Files

Source: MANDIANT

Through a case study of the banking trojan sample, this blog post aims to give an insight into the Dalvik Executable file format, how it is constructed, and how it can be altered to make analysis easier. Additionally, we are releasing a tool called dexmod that exemplifies Dalvik bytecode patching and helps modify DEX files. Read more.

Server Killers Alliances: Here Is The List Of Hacker Groups

Source: GBHackers

A new tweet from Daily Dark Web reports that a group called The Server Killers has formed an alliance and is planning to launch cyber attacks on Moldova. Read more.

TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant

Source: KROLL

The Kroll Cyber Threat Intelligence (CTI) team discovered new malware resembling the VBScript-based BABYSHARK malware that we’ve called TODDLERSHARK. Read more.

Cyber Dragon Attacks And Disables LinkedIn

Source: PRIVACY Affairs

The lesser-known but dangerous hacking group Cyber Dragon took LinkedIn offline recently as a result of a massive breach. As users reported, both the website and the app were down intermittently for more than 24 hours. Read more.

New Fakext malware targets Latin American banks

Source: Security Intelligence

In November 2023, security researchers at IBM Security Trusteer found new widespread malware dubbed Fakext that uses a malicious Edge extension to perform man-in-the-browser and web-injection attacks. Read more.

Check Point Research Alerts: Financially Motivated Magnet Goblin Group Exploits 1-Day Vulnerabilities to target Publicly Facing Servers

Source: CHECK POINT

Rapid Exploitation of 1-Day Vulnerabilities: Threat actor group Magnet Goblin’s hallmark is its ability to swiftly leverage newly disclosed vulnerabilities, particularly targeting public-facing servers and edge devices. In some cases, the deployment of the exploits is within 1 day after a POC is published, significantly increasing the threat level posed by this actor. Read more.

TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids

Source: Proofpoint

TA4903 is a financially motivated cybercriminal threat actor that spoofs both U.S. government entities and private businesses across many industries. The actor mostly targets organizations located in the United States, but occasionally those located globally, with high-volume email campaigns. Proofpoint assesses with high confidence the objectives of the campaigns are to steal corporate credentials, infiltrate mailboxes, and conduct follow-on business email compromise (BEC) activity. Read more.

Watch Out for Spoofed Zoom, Skype, Google Meet Sites Delivering Malware

Source: The Hacker News

Threat actors have been leveraging fake websites advertising popular video conferencing software such as Google Meet, Skype, and Zoom to deliver a variety of malware targeting both Android and Windows users since December 2023. “The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems,” Zscaler ThreatLabz researchers said. Read more.

Ukraine’s GUR Hacked The Russian Ministry of Defense

Source: Security Affairs

The documents revealed the leadership of the Russian Ministry, including other high-ranking officials within the divisions of the Russian Ministry of Defense. This encompasses deputies, assistants, and specialists, individuals who used the electronic document management system known as ‘bureaucrat’. Read more.

InfoSec Articles (01/16/24 – 01/30/24)
https://www.malwarepatrol.net/infosec-articles-01-16-24-01-30-24/
Wed, 31 Jan 2024 02:23:14 +0000


The Endless Struggle Against APT10: Insights from LODEINFO v0.6.6 – v0.7.3 Analysis

Source: ITOCHU Cyber Intelligence Inc.

According to information released by security vendors, APT campaigns using LODEINFO target Japanese media, diplomacy, public institutions, defense industries, and think tanks. It is also suggested that the infamous APT group called APT10 is involved, given the similarities in their methods and malware. Read more.

Spoofing 802.11 Wireless Beacon Management Frames with Manipulated Power Values Resulting in Denial of Service for Wireless Clients

Source: Trustwave

So, the story starts in Ubuntu, in dmesg to be exact. Dmesg (diagnostic messages) prints kernel-related messages, for those of you not familiar. So, there I was, minding my own business, not at all looking into wireless, actually looking into some Bluetooth research (watch this space!). I had to install some required packages and suddenly Ubuntu crashed on me. I looked into dmesg to see what the fuss was all about; no real answer, but I noticed this line that had to do with the wireless interface. Read more.

Exploits released for critical Jenkins RCE flaw, patch now

Source: BLEEPING COMPUTER

Multiple proof-of-concept (PoC) exploits for a critical Jenkins vulnerability allowing unauthenticated attackers to read arbitrary files have been made publicly available, with some researchers reporting attackers actively exploiting the flaws in attacks. Read more.

Nigerian ‘Yahoo Boys’ Behind Social Media Sextortion Surge in the US

Source: Infosecurity Magazine

Their typical approach is to “bomb” high schools, youth sports teams and universities with fake accounts, using advanced social engineering tactics to coerce their victims into a compromising situation. Read more.

The Intricacies of Atomic Stealer (AMOS) and the Emergence of Xehook Stealer on Dark Web

Source: The Cyber Express

A new information stealer has arrived on the dark web. Known as Atomic Stealer (AMOS), this information-stealing malware is designed for a phishing campaign associated with the rise of dead cookie restoration and Xehook Stealer. Read more.

Russia-Linked APT Group Midnight Blizzard Hacked Hewlett Packard Enterprise (HPE)

Source: The Hacker News

Hewlett Packard Enterprise (HPE) revealed that alleged Russia-linked cyberespionage group Midnight Blizzard gained access to its Microsoft Office 365 cloud-based email environment. The attackers were collecting information on the cybersecurity division of the company and other functions. Read more.

NSPX30: A sophisticated AitM-enabled implant evolving since 2005

Source: welivesecurity

ESET researchers provide an analysis of an attack carried out by a previously undisclosed China-aligned threat actor we have named Blackwood, and that we believe has been operating since at least 2018. The attackers deliver a sophisticated implant, which we named NSPX30, through adversary-in-the-middle (AitM) attacks hijacking update requests from legitimate software. Read more.
