Phishing Archives - Malware Patrol (https://www.malwarepatrol.net/category/phishing/)

InfoSec Articles (01/02/24 – 01/16/24) https://www.malwarepatrol.net/infosec-articles-01-02-24-01-16-24/ Tue, 16 Jan 2024 01:12:04 +0000


Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign

Source: TREND MICRO

CVE-2023-36025 affects Microsoft Windows Defender SmartScreen and stems from the lack of checks and associated prompts on Internet Shortcut (.url) files. Threat actors can leverage this vulnerability by crafting .url files that download and execute malicious scripts that bypass the Windows Defender SmartScreen warning and checks. Read more.

Atomic Stealer rings in the new year with updated version

Source: Malwarebytes LABS

It looks like Atomic Stealer was updated around mid to late December 2023, where its developers introduced payload encryption in an effort to bypass detection rules. Some samples from crack websites made their way to VirusTotal around that time frame, followed by a malvertising campaign we observed in January 2024. Read more.

Financial Fraud APK Campaign

Source: Unit 42 PaloAlto Networks

The threat actors used this Android application to impersonate law enforcement authorities. They claimed that the victim’s bank account was suspected of being involved in money laundering or other financial-related crimes. They then sent the victim a download link to this application package, urging the victim to input their sensitive personal information into the malicious application. Read more.

Unprecedented Growth in Malicious Botnets Observed

Source: NETSCOUT

Analysis of the activity has uncovered a rise in the use of cheap or free cloud and hosting servers that attackers are using to create botnet launch pads. These servers are used via trials, free accounts, or low-cost accounts, which provide anonymity and minimal overhead to maintain. Read more.

You Had Me at Hi — Mirai-Based NoaBot Makes an Appearance

Source: Akamai

The NoaBot botnet has most of the capabilities of the original Mirai botnet (such as a scanner module and an attacker module, hiding its process name, etc.), but we can also see many differences from Mirai’s original source code. First and foremost, the malware’s spreader is based in SSH, not based in Telnet like Mirai. Read more.

Unseen Threats in Software Development | The Perils of Trojanized NPM Packages

Source: SentinelOne

Because npm and npm packages can extend deep into the organization’s development environment, security is a crucial issue that must be addressed. Let’s look at some examples of how easily, and severely, npm can be leveraged by threat actors. Read more.

Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign

Source: TREND MICRO

In general, Water Curupira conducts campaigns for the purpose of dropping backdoors such as Cobalt Strike, leading to Black Basta ransomware attacks (coincidentally, Black Basta also returned to operations in September 2023). The threat actor conducted several DarkGate spam campaigns and a small number of IcedID campaigns in the early weeks of the third quarter of 2023, but has since pivoted exclusively to Pikabot. Read more.

The post InfoSec Articles (01/02/24 – 01/16/24) appeared first on Malware Patrol.

InfoSec Articles (12/19/23 – 01/02/24) https://www.malwarepatrol.net/infosec-articles-12-19-23-01-02-24/ Wed, 03 Jan 2024 13:27:18 +0000


Threat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla

Source: Zscaler

Threat actors strategically utilize words like “orders” and “invoices” in spam emails to encourage users to download malicious attachments containing CVE-2017-11882. Threat actors include a VBS file in their infection chain to add a layer of complexity to analysis and deobfuscation attempts. Threat actors use the RegAsm.exe file to carry out malicious activities under the guise of a genuine operation. Read more.

Malware leveraging public infrastructure like GitHub on the rise

Source: ReversingLabs

Here are two novel techniques deployed on GitHub that were discovered by ReversingLabs. The first abuses GitHub Gists, and the second issues commands through git commit messages. Read more.

BlackCat Rises: Infamous Ransomware Gang Defies Law Enforcement

Source: Infosecurity Magazine

Despite law enforcement efforts to take down the notorious ALPHV/BlackCat ransomware gang, the cybercriminals are not going down without a fight. Latest developments have shown that the site that was supposedly ‘taken down’ by the FBI has now been ‘unseized.’ Read more.

Behind the Scenes of Matveev’s Ransomware Empire: Tactics and Team

Source: The Hacker News

Matveev is said to lead a team of six penetration testers – 777, bobr.kurwa, krbtgt, shokoladniy_zayac, WhyNot, and dushnila – to execute the attacks. The group has a flat hierarchy, fostering better collaboration between the members. Read more.

Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa

Source: Symantec

The attackers used a variety of tools in this activity, which occurred in November 2023, including leveraging the MuddyC2Go infrastructure, which was recently discovered and documented by Deep Instinct. Researchers on Symantec’s Threat Hunter Team, part of Broadcom, found a MuddyC2Go PowerShell launcher in the activity we investigated. Read more.

Millions of Xfinity customers’ info, hashed passwords feared stolen in cyberattack

Source: The Register

Millions of Comcast Xfinity subscribers’ personal data – including potentially their usernames, hashed passwords, contact details, and secret security question-answers – was likely stolen by one or more miscreants exploiting Citrix Bleed in October. Read more.

Cybercrooks Leveraging Anti Automation Toolkit for Phishing Campaigns

Source: Trellix

Trellix Advanced Research Center has tracked abuse of one more such tool used for quite some time now. Predator, a tool designed to combat bots and web crawlers, can distinguish web requests originating from automated systems, bots, or web crawlers. Read more.

InfoSec Articles (11/28/23 – 12/05/23) https://www.malwarepatrol.net/infosec-articles-11-28-23-12-05-23/ Tue, 05 Dec 2023 12:58:45 +0000


PSA: Fake CVE-2023-45124 Phishing Scam Tricks Users Into Installing Backdoor Plugin

Source: Wordfence

The Wordfence Threat Intelligence Team has recently been informed of a phishing campaign targeting WordPress users. The phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the user’s site with an identifier of CVE-2023-45124, which is not currently a valid CVE. The email prompts the victim to download a “Patch” plugin and install it. Read more.

SQL Brute Force Leads to BlueSky Ransomware

Source: THE DFIR REPORT

While other reports point to malware downloads as initial access, in this report the threat actors gained access via an MSSQL brute force attack. They then leveraged Cobalt Strike and Tor2Mine to perform post-exploitation activities. Within one hour of the threat actors accessing the network, they deployed BlueSky ransomware network wide. Read more.

Cactus Ransomware Exploiting Qlik Sense Code Execution Vulnerability

Source: GBHackers

Cactus is ransomware that encrypts data, provides a ransom note (“cAcTuS.readme.txt”), and appends the “.CTS1” extension to filenames. They exploit via the combination or direct abuse of (CVE-2023-41266, CVE-2023-41265). Read more.

New SugarGh0st RAT targets Uzbekistan government and South Korea

Source: Cisco TALOS

We assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code. Read more.

Google Unveils RETVec – Gmail’s New Defense Against Spam and Malicious Emails

Source: The Hacker News

RETVec, which works on over 100 languages out-of-the-box, aims to help build more resilient and efficient server-side and on-device text classifiers, while also being more robust and computationally less expensive. Read more.

Booking.com Customers Scammed in Novel Social Engineering Campaign

Source: Infosecurity Magazine

The researchers said the campaign, which they believe has been running for at least a year, begins by deploying the Vidar infostealer to gain access to partner hotels’ Booking.com credentials. This information is then used to send phishing emails to Booking.com customers and trick them into handing over their payment details, in many cases leading to money being stolen. Read more.

Apache ActiveMQ Jolokia Remote Code Execution Vulnerability (CVE-2022-41678) Notification

Source: Security Boulevard

In the configuration of ActiveMQ, jetty allows org.jolokia.http.AgentServlet to process requests for /api/jolokia. An authenticated attacker can send a specially crafted HTTP request to write a malicious file through the Jolokia service, thus implementing remote code execution. At present, the vulnerability PoC has been made public. Read more.

InfoSec Articles (11/21/23 – 11/28/23) https://www.malwarepatrol.net/infosec-articles-11-21-23-11-28-23/ Wed, 29 Nov 2023 14:34:18 +0000


New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks

Source: The Hacker News

A new variant of the Agent Tesla malware has been observed delivered via a lure file with the ZPAQ compression format to harvest data from several email clients and nearly 40 web browsers. Read more.

Third-party data breach affecting Canadian government could involve data from 1999

Source: The Register

The government of Canada has confirmed its data was accessed after two of its third-party service providers were attacked. The third parties both provided relocation services for public sector workers and the government is currently analyzing a “significant volume of data” which could date back to 1999. Read more.

Play Ransomware Goes Commercial – Now Offered as a Service to Cybercriminals

Source: The Hacker News

The ransomware strain known as Play is now being offered to other threat actors “as a service,” new evidence unearthed by Adlumin has revealed. Read more.

DarkGate and PikaBot Phishing Campaign is Using Qakbot Tactics

Source: Security Boulevard

The operators behind a phishing campaign that is distributing the DarkGate and PikaBot malware are using many of the techniques attributed to the notorious QakBot operation that was taken down by law enforcement agencies in August. Read more.

Citrix warns admins to kill NetScaler user sessions to block hackers

Source: BLEEPING COMPUTER

Citrix reminded admins today that they must take additional measures after patching their NetScaler appliances against the CVE-2023-4966 ‘Citrix Bleed’ vulnerability to secure vulnerable devices against attacks. Besides applying the necessary security updates, they’re also advised to wipe all previous user sessions and terminate all active ones. Read more.

Anonymous Sudan DDoS Attack Cloudflare Decoded

Source: Security Boulevard

Cloudflare swiftly acknowledged the DDoS attack, emphasizing that it exclusively impacted the www.cloudflare.com website, leaving their broader range of products and services unscathed. A Cloudflare spokesperson assured users that no customer data or services were compromised during the incident. This emphasizes that the website operates on separate infrastructure designed to prevent any collateral damage. Read more.

Malware dev says they can revive expired Google auth cookies

Source: BLEEPING COMPUTER

The Lumma information-stealer malware (aka ‘LummaC2’) is promoting a new feature that allegedly allows cybercriminals to restore expired Google cookies, which can be used to hijack Google accounts. Read more.

DPRK Hackers Masquerade as Tech Recruiters, Job Seekers

Source: DARK READING

North Korean threat actors are posing as both job recruiters and job seekers on the Web, deceiving companies and applicants for financial gain and, possibly, to gain access into Western organizations. Read more.

New Flaws in Fingerprint Sensors Let Attackers Bypass Windows Hello Login

Source: The Hacker News

The flaws were discovered by researchers at hardware and software product security and offensive research firm Blackwing Intelligence, who found the weaknesses in the fingerprint sensors from Goodix, Synaptics, and ELAN that are embedded into the devices. Read more.

Welltok Data Breach Impacted 8.5 Million Patients in the U.S.

Source: Security Affairs

The company disclosed a data breach that exposed the personal data of nearly 8.5 million patients (8,493,379) in the U.S. On July 26, 2023, threat actors hacked the company’s MOVEit Transfer server. Read more.

ClearFake Campaign Spreads macOS AMOS Information Stealer

Source: Security Affairs

Threat actors spread Atomic Stealer (AMOS) macOS information stealer via a bogus web browser update as part of the ClearFake campaign. Read more.

PoC for Splunk Enterprise RCE flaw released (CVE-2023-46214)

Source: HELP NET SECURITY

A vulnerability researcher has published a detailed analysis of CVE-2023-46214 and has consolidated the steps required for exploitation into a Python script. If specific prerequisites are met, the script should open a remote command prompt. Read more.

Hackers Hijack Industrial Control System at US Water Utility

Source: SECURITY WEEK

The Municipal Water Authority of Aliquippa in Pennsylvania has confirmed that hackers took control of a system associated with a booster station over the weekend, but said there was no risk to the water supply. Read more.

GE Servers Hacked and DARPA Military Info Leaked

Source: Cybersecurity INSIDERS

General Electric, commonly referred to as GE, a multinational corporation engaged in the fields of renewable energy, aerospace, and power, has fallen prey to a cyber attack resulting in the leakage of sensitive information related to DARPA Military operations. Read more.

InfoSec Articles (11/07/23 – 11/14/23) https://www.malwarepatrol.net/infosec-articles-11-07-23-11-14-23/ Wed, 15 Nov 2023 03:54:14 +0000


Japan Aviation Electronics Targeted in Ransomware Attack

Source: SECURITY WEEK

While Japan Aviation Electronics has not found evidence of data exfiltration, the Alphv/BlackCat ransomware gang claims to have stolen roughly 150,000 documents from the company, including blueprints, contracts, confidential messages, and reports. Read more.

Microsoft Authenticator Restricts Suspicious MFA Notifications

Source: Latest Hacking News

The Redmond giant has recently announced introducing a new privacy feature to its authenticator app. With this feature, Microsoft Authenticator app now blocks suspicious multi-factor authentication notifications to prevent potential abuse. Read more.

Chinese multinational bank hit by ransomware

Source: HELP NET SECURITY

The state-owned Industrial and Commercial Bank of China (ICBC), which is one of the largest banks in the world, has been hit by a ransomware attack that led to disrupted trades in the US Treasury market. Read more.

After ChatGPT, Anonymous Sudan Took Down The CloudFlare Website

Source: Security Affairs

The hacktivist group Anonymous Sudan claimed responsibility for the massive distributed denial-of-service (DDoS) attack that took down the website of Cloudflare. Cloudflare confirmed that a DDoS attack took down its website for a few minutes and pointed out that it did not impact other products or services. Read more.

Threat Actors Leverage File-Sharing Service and Reverse Proxies for Credential Harvesting

Source: TREND MICRO

The attacker-controlled reverse proxies function as intermediary servers positioned between the target and a legitimate authentication endpoint, such as the Microsoft 365 login page. When a victim interacts with the fake login page, the reverse proxy presents the genuine login form, manages incoming requests, and conveys responses from the legitimate Microsoft 365 login page. Read more.

Iranian hackers launch malware attacks on Israel’s tech sector

Source: BLEEPING COMPUTER

Security researchers have tracked a new campaign from Imperial Kitten targeting transportation, logistics, and technology firms. Imperial Kitten is also known as Tortoiseshell, TA456, Crimson Sandstorm, and Yellow Liderc, and for several years it used the online persona Marcella Flores. Read more.

Unlucky Kamran: Android malware spying on Urdu-speaking residents of Gilgit-Baltistan

Source: welivesecurity

When opened on a mobile device, the Urdu version of the Hunza News website offers readers the possibility to download the Hunza News Android app directly from the website, but the app has malicious espionage capabilities. Read more.

Routers Targeted for Gafgyt Botnet [Guest Diary]

Source: SANS Internet Storm Center

The threat actor attempts to add my honeypot into a botnet so the threat actor can carry out DDoS attacks. The vulnerabilities used for the attack were default credentials and CVE-2017-17215. To prevent these attacks, make sure systems are patched and using strong credentials. Read more.

Keeping Up with Today’s Top Mobile Spyware Threat Trends

Source: CheckPoint

In this post, we will explore trends including the rise of new and more sophisticated types of mobile spyware: nation-level spyware and modified applications. We’ll also present several best practices to help you protect all your organization’s assets. Read more.

Police Seized BulletProftLink Phishing-as-a-Service (PhaaS) Platform

Source: Security Affairs

The Royal Malaysian Police announced to have dismantled the notorious BulletProftLink phishing-as-a-service (PhaaS) platform. A joint international operation conducted by the Malaysian police, the FBI, and the Australian Federal Police took down several domains employed in the cybercriminal operation. Read more.

It’s Still Easy for Anyone to Become You at Experian

Source: Krebs on Security

In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, Experian clearly has not addressed this gaping lack of security. Read more.

The Lorenz Ransomware Group Hit Texas-Based Cogdell Memorial Hospital

Source: Security Affairs

The Lorenz extortion group claimed responsibility for the security breach and added the hospital to its Tor leak site. The group claims the theft of more than 400GB of data, including internal files, patient medical images, and also employee email communications. Read more.

Microsoft Warns of Fake Skills Assessment Portals Targeting IT Job Seekers

Source: The Hacker News

A sub-cluster within the infamous Lazarus Group has established new infrastructure that impersonates skills assessment portals as part of its social engineering campaigns. Microsoft attributed the activity to a threat actor it calls Sapphire Sleet, describing it as a “shift in the persistent actor’s tactics.” Read more.

Chinese APT Targeting Cambodian Government

Source: Unit 42 by Palo Alto

Unit 42 has identified malicious Chinese APT infrastructure masquerading as cloud backup services. Monitoring telemetry associated with two prominent Chinese APT groups, we observed network connections predominately originating from the country of Cambodia, including inbound connections originating from at least 24 Cambodian government organizations. Read more.

InfoSec Articles (10/31/23 – 11/07/23) https://www.malwarepatrol.net/infosec-articles-10-31-23-11-07-23/ Wed, 08 Nov 2023 09:50:14 +0000


“EtherHiding” — Hiding Web2 Malicious Code in Web3 Smart Contracts

Source: Guardio

“EtherHiding” presents a novel twist on serving malicious code by utilizing Binance’s Smart Chain contracts to host parts of a malicious code chain in what is the next level of Bullet-Proof Hosting. Read more.

Hackers Attacking Blockchain Engineers With Novel MacOS Malware

Source: GBHackers

Recently, cybersecurity researchers at Elastic Security Labs identified that hackers are actively attacking blockchain engineers of a crypto exchange platform with a new macOS malware. Read more.

CanesSpy Spyware Discovered in Modified WhatsApp Versions

Source: The Hacker News

These modified versions of the instant messaging app have been observed propagated via sketchy websites advertising such modded software as well as Telegram channels used primarily by Arabic and Azerbaijani speakers, one of which boasts of two million users. Read more.

EleKtra-Leak Campaign Uses AWS Cloud Keys Found on Public GitHub Repositories to Run Cryptomining Operation

Source: TechRepublic

New research from Palo Alto Networks’ Unit 42 exposes an active attack campaign in which a threat actor hunts for Amazon IAM credentials in real time in GitHub repositories and starts using them less than five minutes later. The final payload runs customized Monero cryptomining software on virtual machines deployed on the Amazon instances. Read more.

Apache ActiveMQ vulnerability used in ransomware attacks

Source: BLEEPING COMPUTER

The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Read more.

Who killed Mozi? Finally putting the IoT zombie botnet in its grave

Source: welivesecurity

Our investigation into this event led us to the discovery of a kill switch on September 27th, 2023. We spotted the control payload (configuration file) inside a user datagram protocol (UDP) message that was missing the typical encapsulation of BitTorrent’s distributed sloppy hash table (BT-DHT) protocol. Read more.

Unveiling a New Threat: The Millenium RAT

Source: CYFIRMA

The analysed malware, Millenium-RAT-2.4, is a sophisticated Remote Access Tool (RAT) targeting Windows systems. This malware exemplifies a sophisticated range of malicious functionalities meticulously crafted to stealthily gather sensitive user data, evade detection through advanced anti-analysis techniques, establish persistence, and enable remote control over the compromised system. Read more.

GhostSec: From Fighting ISIS to Possibly Targeting Israel with RaaS

Source: uptycs

The hacker collective called GhostSec has unveiled an innovative Ransomware-as-a-Service (RaaS) framework called GhostLocker. They provide comprehensive assistance to customers interested in acquiring this service through a dedicated Telegram channel. Read more.

Over the Kazuar’s Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)

Source: Unit42 by Palo Alto Networks

While tracking the evolution of Pensive Ursa (aka Turla, Uroburos), Unit 42 researchers came across a new, upgraded variant of Kazuar. Not only is Kazuar another name for the enormous and dangerous cassowary bird, Kazuar is an advanced and stealthy .NET backdoor that Pensive Ursa usually uses as a second stage payload. Read more.

MuddyWater eN-Able spear-phishing with new TTPs

Source: deep instinct

Before launching the new campaign during the Israel-Hamas war, MuddyWater reused previously known remote administration tools, utilizing a new file-sharing service called “Storyblok.” On October 30th Deep Instinct identified two archives hosted on “Storyblok” containing a new multi-stage infection vector. Read more.

Arid Viper disguising mobile spyware as updates for non-malicious Android applications

Source: Cisco Talos

Since April 2022, Cisco Talos has been tracking a malicious campaign operated by the espionage-motivated Arid Viper advanced persistent threat (APT) group targeting Arabic-speaking Android users. In this campaign, the actors leverage custom mobile malware, also known as Android Package files (APKs), to collect sensitive information from targets and deploy additional malware onto infected devices. Read more.

Lazarus Targets Blockchain Engineers With New KandyKorn macOS Malware

Source: Security Affairs

North Korea-linked Lazarus APT group was spotted using new KandyKorn macOS malware in attacks against blockchain engineers, reported Elastic Security Labs. Read more.

StripedFly Malware Operated Unnoticed for 5 Years, Infecting 1 Million Devices

Source: The Hacker News

The Russian cybersecurity vendor, which first detected the samples in 2017, said the miner is part of a much larger entity that employs a custom EternalBlue SMBv1 exploit attributed to the Equation Group in order to infiltrate publicly-accessible systems. Read more.

Unveiling Socks5Systemz: The Rise of a New Proxy Service via PrivateLoader and Amadey

Source: BITSIGHT

Bitsight has uncovered a proxy botnet delivered by PrivateLoader and Amadey, two loaders frequently employed by threat actors to distribute malware and build their botnets. We’ve named this proxy bot malware Socks5Systemz, which is also the name associated with the unique login panel consistently present in all active proxy bot C2 servers. Read more.

InfoSec Articles (10/24/23 – 10/31/23) https://www.malwarepatrol.net/infosec-articles-10-24-23-10-31-23/ Wed, 01 Nov 2023 06:44:50 +0000


Cybercrime Supply Chain 2023: Measurements and Assessments of Cyber Attack Resources and Where Criminals Acquire Them

Source: Interisle

Interisle researchers, using data from the Cybercrime Information Center, analyzed more than 10 million cybercrime records and found distinct, persistent patterns of exploitation and abuse covering a 365-day period from September 2022 to August 2023. Read more.

Android Malware Masquerades As Chrome Browser Reads SMS & Intercepts Emails

Source: GBHackers

Cybersecurity researchers at K7 Security Labs recently identified Rusty Droid RAT, a stealthy Android malware masquerading as a Chrome browser to read SMS and intercept emails. Read more.

The Rise of S3 Ransomware: How to Identify and Combat It

Source: The Hacker News

Despite S3 being a secure service from a reputable provider, its pivotal role in handling vast amounts of sensitive data (customer personal information, financial data, intellectual property, etc.), provides a juicy target for threat actors. Read more.

Quishing: Tricks to look out for

Source: HELP NET SECURITY

By now, most people know what a QR code looks like and that they need to scan it to get to information “embedded” in it. Unfortunately, not many users know that QR codes are not inherently safe and may be used for malicious purposes. Read more.

New iLeakage attack steals emails, passwords from Apple Safari

Source: BLEEPING COMPUTER

Academic researchers created a new speculative side-channel attack they named iLeakage that works on all recent Apple devices and can extract sensitive information from the Safari web browser. Read more.

The Danger of Forgotten Pixels on Websites: A New Case Study

Source: The Hacker News

Recently, Reflectiz, an advanced website security solution provider, released a case study focusing on a forgotten and misconfigured pixel that had been associated with a leading global healthcare provider. This overlooked piece of code surreptitiously gathered private data without user consent, potentially exposing the company to substantial fines and damage to its reputation. Read more.

ServiceNow quietly addresses unauthenticated data exposure flaw from 2015

Source: The Register

ServiceNow’s widgets act as powerful APIs for the platform’s Service Portal. Despite a code change earlier this year to improve safety, the default configuration of these widgets was to set their records public, meaning that if they’re left unchanged, they will return the type of data an attacker specifies. Read more.

The Duck is Hiring in Italy: DUCKTAIL Spread via Compromised LinkedIn Profiles
By Clus

Source: DuskRise

Cluster25 observed a malicious campaign that employs LinkedIn messages as a vector for executing identity theft attacks. In this campaign, compromised LinkedIn accounts are utilized to send messages to users with the aim of compromising their accounts by illicitly procuring their cookies, session data, and browser credentials. Read more.

Trojanized PyCharm Software Version Delivered via Google Search Ads

Source: The Hacker News

A new malvertising campaign has been observed capitalizing on a compromised website to promote spurious versions of PyCharm on Google search results by leveraging Dynamic Search Ads. Read more.

Latest Cloudflare distributed denial-of-service report details record-setting attack

Source: silicon ANGLE

The record-breaking attack in question hit an unprecedented 201 million requests per second. The figure is notably higher than the previous largest recorded attack, which stood at 71 million rps and was detailed by Cloudflare in February. Read more.

A cascade of compromise: unveiling Lazarus’ new campaign

Source: SECURELIST

The adversary demonstrated a high level of sophistication, employing advanced evasion techniques and introducing SIGNBT malware for victim control. In addition, other malware found in memory included Lazarus’ prominent LPEClient, a tool known for victim profiling and payload delivery that has previously been observed in attacks on defense contractors and the cryptocurrency industry. Read more.

Citrix Bleed: Leaking Session Tokens with CVE-2023-4966

Source: Assetnote

Earlier this month Citrix released a security bulletin which mentioned “unauthenticated buffer-related vulnerabilities” and two CVEs. These issues affected Citrix NetScaler ADC and NetScaler Gateway. Read more.

Hackers Cripple Five Ontario Hospitals by Hitting a Single Service Provider

Source: Bitdefender

Five hospitals in Canada are unable to continue normal patient care due to a cyberattack against their joint service provider. Non-emergency patients are told to visit their local clinic. Read more.

Hacktivism in the Israel-Hamas Conflict | Citizen Data Leaked Using Old Malware

Source: SentinelOne

So far, the use of novel malware/scareware and tools such as Redline Stealer and PrivateLoader by these threat actors continues to target Israeli citizens, businesses, and critical sector entities, causing data leaks and widespread disruptions. Read more.

The post InfoSec Articles (10/24/23 – 10/31/23) appeared first on Malware Patrol.

InfoSec Articles (10/17/23 – 10/24/23)
https://www.malwarepatrol.net/infosec-articles-10-17-23-10-24-23/
Tue, 24 Oct 2023 09:52:51 +0000

Hackers Using Secure USB Drives To Attack Government Entities

Source: GBHackers

An ongoing attack on government agencies in the APAC region has been claimed to have compromised a secure USB device with hardware encryption. Read more.

Number of Cisco Devices Hacked via Unpatched Vulnerability Increases to 40,000

Source: SECURITY WEEK

The exploited vulnerability is CVE-2023-20198, a critical flaw affecting the IOS XE web interface that can be exploited by remote, unauthenticated attackers for privilege escalation. Read more.

Google Play Protect Introduces Real-Time Code-Level Scanning for Android Malware

Source: The Hacker News

Google has announced an update to its Play Protect with support for real-time scanning at the code level to tackle novel malicious apps prior to downloading and installing them on Android devices. Read more.

A Threat Actor Is Selling Access To Facebook And Instagram’s Police Portal

Source: Security Affairs

The portal allows law enforcement agencies to request data relating to users (IP, phones, DMs, device info) or request the removal of posts and the ban of accounts. Read more.

DarkGate malware campaign

Source: W/ Labs

It rapidly became apparent that the lure documents and targeting were very similar to recent DuckTail infostealer campaigns, and it was possible to pivot through open-source data from the DarkGate campaign to multiple other infostealers which are very likely being used by the same actor/group. Read more.

Another InfoStealer Enters the Field, ExelaStealer

Source: FORTINET

FortiGuard Labs research reveals that ExelaStealer is a largely open-source InfoStealer with paid customizations available from the threat actor. Read more.

Ragnar Locker ransomware group taken down

Source: Malwarebytes LABS

Even though it had a long run for a ransomware group, it seems the bell might be tolling for Ragnar Locker. On October 19, 2023, the group’s leak site was seized by an international group of law enforcement agencies. Read more.

Attacks on 5G Infrastructure From User Devices: ASN.1 Vulnerabilities in 5G Cores

Source: TREND MICRO

In the second part of this series, we will examine how attackers can trigger vulnerabilities by sending control messages masquerading as user traffic to cross over from user plane to control plane. Read more.

Clever malvertising attack uses Punycode to look like KeePass’s official website

Source: CISA

In a recent malvertising campaign, we observed a malicious Google ad for KeePass, the open-source password manager, that was extremely deceiving. Read more.

CISA, NSA, FBI, and MS-ISAC Release Update to #StopRansomware Guide

Source: CISA

The update includes new prevention tips such as hardening SMB protocols, revised response steps, and added threat hunting insights. Read more.

Walmart Jumps to Top Spot as the Most Impersonated Brand for Phishing Scams in Q3 2023

Source: CHECK POINT

Our latest Brand Phishing Report for Q3 2023 highlights the brands that were most frequently imitated by cybercriminals in their attempts to steal individuals’ personal information or payment credentials during July, August and September 2023. Read more.

Email Security Best Practices for Phishing Prevention

Source: TREND MICRO

Trend Micro Research reported a 29% growth in phishing attacks blocked and detected in 2022. Explore the latest phishing trends and email security best practices to enhance your email security and reduce cyber risk. Read more.

Threat Actors Breached Okta Support System And Stole Customers’ Data

Source: Security Affairs

Okta revealed that threat actors breached its support case management system and stole sensitive data that can be used in future attacks. Read more.

Admin behind E-Root stolen creds souk extradited to US

Source: The Register

A Moldovan who allegedly ran the compromised-credential marketplace E-Root has been extradited from the UK to America to stand trial. Read more.

InfoSec Articles (10/10/23 – 10/17/23)
https://www.malwarepatrol.net/infosec-articles-10-10-23-10-17-23/
Wed, 18 Oct 2023 10:01:27 +0000

Threat Actor Profile: Strox Phishing-as-a-Service

Source: PhishLABS

Strox has become one of the most complete phishing solutions for fraud actors available, offering advanced phishing kits, hosting services, mail spam scripts, and an automated market for selling stolen credentials. Read more.

The Art of Concealment: A New Magecart Campaign That’s Abusing 404 Pages

Source: Akamai

This campaign stands out because of its three advanced concealment techniques, one of which we had never seen before — specifically, manipulating the website’s default 404 error page to hide malicious code — that poses unique challenges for detection and mitigation. Read more.

Vulnerability Exposed in WordPress Plugin User Submitted Posts

Source: InfoSecurity Magazine

A new vulnerability in the User Submitted Posts WordPress plugin (versions 20230902 and below) has been discovered by the Patchstack team. With over 20,000 active installations, this popular plugin is used for user-generated content submissions and is developed by Plugin Planet. Read more.

ShellBot DDoS Malware Installed Through Hexadecimal Notation Addresses

Source: ASEC

ASEC has recently discovered a change in the distribution method of the ShellBot malware, which is being installed on poorly managed Linux SSH servers. The overall flow remains the same, but the download URL used by the threat actor to install ShellBot has changed from a regular IP address to a hexadecimal value. Read more.

Microsoft: State hackers exploiting Confluence zero-day since September

Source: BLEEPING COMPUTER

Microsoft says a Chinese-backed threat group tracked as ‘Storm-0062’ (aka DarkShadow or Oro0lxy) has been exploiting a critical privilege escalation zero-day in the Atlassian Confluence Data Center and Server since September 14, 2023. Read more.

Multiple Citrix NetScaler Flaw Leads to DoS Attack and Data Exposure

Source: GBHackers

Critical vulnerabilities in Citrix NetScaler ADC and NetScaler Gateway can expose sensitive information and enable a denial-of-service attack. A malicious cyber actor can exploit one of these vulnerabilities to gain control of an affected machine. Citrix has published security upgrades to address the vulnerabilities impacting several products. Read more.

Microsoft Fixes Exploited Zero-Days in WordPad, Skype for Business

Source: SECURITY WEEK

Microsoft’s security response team on Tuesday pushed out a massive batch of software and OS updates to cover more than 100 vulnerabilities across the Windows ecosystem and warned that three of the flaws are already being exploited in the wild. Read more.

Microsoft to Phase Out NTLM in Favor of Kerberos for Stronger Authentication

Source: The Hacker News

Microsoft has announced that it plans to eliminate NT LAN Manager (NTLM) in Windows 11 in the future, as it pivots to alternative methods for authentication and bolsters security. Read more.

#StopRansomware: AvosLocker Ransomware (Update)

Source: CISA

AvosLocker affiliates compromise organizations’ networks by using legitimate software and open-source remote system administration tools. AvosLocker affiliates then use exfiltration-based data extortion tactics with threats of leaking and/or publishing stolen data. Read more.

Fortinet Releases Security Updates for Multiple Products

Source: CISA

Fortinet has released security advisories addressing vulnerabilities in multiple products. These vulnerabilities may allow cyber threat actors to take control of the affected systems. Read more.

Juniper Networks Patches Over 30 Vulnerabilities in Junos OS

Source: SECURITY WEEK

The most severe of these issues is an incorrect default permissions bug that allows an unauthenticated attacker with local access to a vulnerable device to create a backdoor with root privileges. Read more.

Biggest DDoSes of all time generated by protocol 0-day in HTTP/2

Source: ars TECHNICA

Unlike other high-severity zero-days in recent years—Heartbleed or log4j, for example—which caused chaos from a torrent of indiscriminate exploits, the more recent attacks, dubbed HTTP/2 Rapid Reset, were barely noticeable to all but a select few engineers. Read more.

Ransomlooker, A New Tool To Track And Analyze Ransomware Groups’ Activities

Source: Security Affairs

The researchers have created the tool to help cybersecurity experts in their daily jobs by providing real-time updates and actionable insights. It offers various statistical insights into data, the ability to determine attack perpetrators, and incorporates filtering by country, industries, time span, and other parameters for journalistic investigations. Read more.

Dozens of Squid Proxy Vulnerabilities Remain Unpatched 2 Years After Disclosure

Source: SECURITY WEEK

Dozens of vulnerabilities affecting the Squid caching and forwarding web proxy remain unpatched two years after a researcher responsibly disclosed them to developers. Read more.

InfoSec Articles (10/03/23 – 10/10/23)
https://www.malwarepatrol.net/infosec-articles-10-03-23-10-10-23/
Wed, 11 Oct 2023 10:56:20 +0000

Atlassian patches critical Confluence zero-day exploited in attacks

Source: BLEEPING COMPUTER

Australian software company Atlassian released emergency security updates to fix a maximum severity zero-day vulnerability in its Confluence Data Center and Server software, which has been exploited in attacks. Read more.

‘Gay furry hackers’ brag of second NATO break-in, steal and leak more data

Source: The Register

NATO is “actively addressing” multiple IT security incidents after a hacktivist group claimed it once again breached some of the military alliance’s websites, this time stealing what’s claimed to be more than 3,000 files and 9GB of data. Read more.

Defending new vectors: Threat actors attempt SQL Server to cloud lateral movement

Source: Microsoft

This attack technique demonstrates an approach we’ve seen in other cloud services such as VMs and Kubernetes clusters, but not in SQL Server. The attackers initially exploited a SQL injection vulnerability in an application within the target’s environment. Read more.

LLMs lower the barrier for entry into cybercrime

Source: Help Net Security

Cybercriminals employ evolving attack methodologies designed to breach traditional perimeter security, including secure email gateways, according to Egress. Read more.

Apple Rolls Out Security Patches for Actively Exploited iOS Zero-Day Flaw

Source: The Hacker News

Tracked as CVE-2023-42824, the kernel vulnerability could be abused by a local attacker to elevate their privileges. The iPhone maker said it addressed the problem with improved checks. Read more.

Mozilla Warns of Fake Thunderbird Downloads Delivering Ransomware

Source: Security Week

Mozilla issued a warning this week over malicious websites offering Thunderbird downloads after a ransomware group was caught using this technique to deliver malware. Read more.

Researcher Reveals New Techniques to Bypass Cloudflare’s Firewall and DDoS Protection

Source: The Hacker News

Firewall and distributed denial-of-service (DDoS) attack prevention mechanisms in Cloudflare can be circumvented by exploiting gaps in cross-tenant security controls, defeating the very purpose of these safeguards, it has emerged. Read more.

APT Profile: Dark Pink APT Group

Source: SOCRadar

The Dark Pink APT Group is one such entity that has recently caught the attention of security researchers and organizations worldwide. With a series of sophisticated cyberattacks under their belt, this group has become a topic of concern for many. Read more.

Let’s dig deeper: dissecting the new Android Trojan GoldDigger with Group-IB Fraud Matrix

Source: GROUP-IB

GoldDigger disguises itself as a fake Android application and can impersonate both a Vietnamese government portal and a local energy company. Its main goal is to steal banking credentials. Read more.

Qakbot-affiliated actors distribute Ransom Knight malware despite infrastructure takedown

Source: Cisco TALOS

The threat actors behind the Qakbot malware have been conducting a campaign since early August 2023 in which they have been distributing Ransom Knight ransomware and the Remcos backdoor via phishing emails. Read more.

Understanding Business Email Compromise (BEC) – A Guide

Source: AVERTIUM

In the world of cybersecurity, there are many different kinds of people and groups trying to carry out these attacks, from individual hackers to organized criminal groups. To protect themselves effectively, organizations need to dive deep into how these attacks work, understand the methods these attackers use, and put strong defenses in place. Read more.

Blackbaud agrees to $49.5 million settlement for ransomware data breach

Source: BLEEPING COMPUTER

Cloud computing provider Blackbaud reached a $49.5 million agreement with attorneys general from 49 U.S. states to settle a multi-state investigation of a May 2020 ransomware attack and the resulting data breach. Read more.

Gaza-Linked Cyber Threat Actor Targets Israeli Energy and Defense Sectors

Source: The Hacker News

Targets of the campaign included organizations in the Israeli energy and defense sectors and entities loyal to Fatah, a Palestinian nationalist and social democratic political party headquartered in the West Bank region. Read more.

Spotify Cyberattack: Anonymous Sudan Asserts Involvement in Hour-Long Disruption

Source: The Cyber Express

The Spotify cyberattack was likely a Distributed Denial of Service (DDoS) attack, which Anonymous Sudan said lasted for one hour. Read more.
