Malware Patrol: Intelligent Threat Data
https://www.malwarepatrol.net/
Feed last updated: Tue, 12 Mar 2024 12:47:00 +0000

InfoSec Articles (02/27/24 – 03/12/24)
https://www.malwarepatrol.net/infosec-articles-02-27-24-03-12-24/
Tue, 12 Mar 2024 01:48:40 +0000
The post InfoSec Articles (02/27/24 – 03/12/24) appeared first on Malware Patrol.

Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

The Anatomy of a BlackCat (ALPHV) Attack

Source: SYGNIA

In 2023, Sygnia’s IR team was engaged by a client to investigate suspicious activities in the client’s network. The activities were ultimately identified as a financial extortion attack executed by the BlackCat (ALPHV) ransomware group or one of its affiliates, and included a massive data exfiltration. Read more.

Delving into Dalvik: A Look Into DEX Files

Source: MANDIANT

Through a case study of the banking trojan sample, this blog post aims to give an insight into the Dalvik Executable file format, how it is constructed, and how it can be altered to make analysis easier. Additionally, we are releasing a tool called dexmod that exemplifies Dalvik bytecode patching and helps modify DEX files. Read more.

Server Killers Alliances: Here Is The List Of Hacker Groups

Source: GBHackers

A new tweet from Daily Dark Web reports that a group called The Server Killers has formed an alliance and is planning to launch cyber attacks on Moldova. Read more.

TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant

Source: KROLL

The Kroll Cyber Threat Intelligence (CTI) team discovered new malware resembling the VBScript based BABYSHARK malware that we’ve called TODDLERSHARK. Read more.

Cyber Dragon Attacks And Disables LinkedIn

Source: PRIVACY Affairs

The lesser-known but dangerous hacking group Cyber Dragon took LinkedIn offline recently as a result of a massive breach. As users reported, both the website and the app were down for more than 24 hours intermittently. Read more.

New Fakext malware targets Latin American banks

Source: Security Intelligence

In November 2023, security researchers at IBM Security Trusteer found new widespread malware dubbed Fakext that uses a malicious Edge extension to perform man-in-the-browser and web-injection attacks. Read more.

Check Point Research Alerts: Financially Motivated Magnet Goblin Group Exploits 1-Day Vulnerabilities to target Publicly Facing Servers

Source: CHECK POINT

Rapid Exploitation of 1-Day Vulnerabilities: Threat actor group Magnet Goblin’s hallmark is its ability to swiftly leverage newly disclosed vulnerabilities, particularly targeting public-facing servers and edge devices. In some cases, the deployment of the exploits is within 1 day after a PoC is published, significantly increasing the threat level posed by this actor. Read more.

TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids

Source: Proofpoint

TA4903 is a financially motivated cybercriminal threat actor that spoofs both U.S. government entities and private businesses across many industries. The actor mostly targets organizations located in the United States, but occasionally those located globally, with high-volume email campaigns. Proofpoint assesses with high confidence the objectives of the campaigns are to steal corporate credentials, infiltrate mailboxes, and conduct follow-on business email compromise (BEC) activity. Read more.

Watch Out for Spoofed Zoom, Skype, Google Meet Sites Delivering Malware

Source: The Hacker News

Threat actors have been leveraging fake websites advertising popular video conferencing software such as Google Meet, Skype, and Zoom to deliver a variety of malware targeting both Android and Windows users since December 2023. “The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems,” Zscaler ThreatLabz researchers said. Read more.

Ukraine’s GUR Hacked the Russian Ministry of Defense

Source: Security Affairs

The documents revealed the leadership of the Russian Ministry, including other high-ranking officials within the divisions of the Russian Ministry of Defense. This encompasses deputies, assistants, and specialists, individuals who used the electronic document management system known as ‘bureaucrat’. Read more.

InfoSec Articles (02/13/24 – 02/27/24)
https://www.malwarepatrol.net/infosec-articles-02-13-24-02-27-24/
Tue, 27 Feb 2024 02:03:56 +0000

LockBit ransomware returns, restores servers after police disruption

Source: BLEEPING COMPUTER

On Saturday, LockBit announced it was resuming the ransomware business and released damage control communication admitting that “personal negligence and irresponsibility” led to law enforcement disrupting its activity in Operation Cronos. Read more.

A Cyber Attack Hit The Royal Canadian Mounted Police

Source: Security Affairs

The Canadian government declared that two of its contractors, Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services, have been hacked, resulting in the exposure of sensitive information belonging to an undisclosed number of government employees. Read more.

Russian hackers shift to cloud attacks, US and allies warn

Source: BLEEPING COMPUTER

APT29’s initial cloud breach vectors also include the use of stolen access tokens that enable them to hijack accounts without using credentials, compromised residential routers to proxy their malicious activity, MFA fatigue to bypass multi-factor authentication (MFA), and registering their own devices as new devices on the victims’ cloud tenants. Read more.

Attackers exploiting ConnectWise ScreenConnect flaws, fixes available for all users (CVE-2024-1709, CVE-2024-1708)

Source: HELP NET SECURITY

ConnectWise shared the existence of the two flaws on Monday (February 19), when it said that they’ve been reported through their vulnerability disclosure channel via the ConnectWise Trust Center, and urged customers that are self-hosted or on-premise to update their servers to version 23.9.8 as soon as possible. Read more.

Feds remove Ubiquiti router botnet used by Russian intelligence

Source: SC Media

The botnet was built by cybercriminals outside the GRU who initially installed Moobot malware on Ubiquiti Edge OS routers that could be compromised because they used publicly known default administrator passwords. Read more.

Earth Preta Campaign Uses DOPLUGS to Target Asia

Source: TREND MICRO

In this blog entry, we focus on the Earth Preta campaign, providing an analysis of the DOPLUGS malware variant that the group used, including backdoor command behavior, integration with the KillSomeOne module, and its evolution. Read more.

Migo – a Redis Miner with Novel System Weakening Techniques

Source: CADO

The malware, named Migo by the developers, aims to compromise Redis servers for the purpose of mining cryptocurrency on the underlying Linux host. Read more.

Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns

Source: CISCO TALOS

We have observed evidence that the distribution campaigns for these malware families are related, with Astaroth and Mekotio being distributed under the same Google Cloud Project and Google Cloud storage bucket. Ousaban is also being dropped as part of the Astaroth infection process. Read more.

How BRICS Got “Rug Pulled” – Crypto Counterfeiting Is On The Rise

Source: Resecurity

A notable example of this deceptive practice is the emergence of a counterfeit token named ‘BRICS’ recently detected by Resecurity, which exploited the focus on the investment interest and potential expansion of the BRICS intergovernmental organization, comprising countries like Brazil, Russia, India, China, South Africa, Egypt, Ethiopia, Iran, and the United Arab Emirates. Read more.

Meta Warns of 8 Spyware Firms Targeting iOS, Android, and Windows Devices

Source: The Hacker News

These firms, per Meta, also engaged in scraping, social engineering, and phishing activity that targeted a wide range of platforms such as Facebook, Instagram, X (formerly Twitter), YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, SnapChat, Gettr, Viber, Twitch, and Telegram. Read more.

InfoSec Articles (01/30/24 – 02/13/24)
https://www.malwarepatrol.net/infosec-articles-01-30-24-02-13-24/
Tue, 13 Feb 2024 01:10:34 +0000

Maldocs of Word and Excel: Vigor of the Ages

Source: CHECK POINT RESEARCH

In our research, we show the statistics on attacked industries and countries and highlight the payloads – many of them are in the top prevalent malware lists – delivered by maldocs. We investigate lures used in different attack campaigns and describe several tricks that can help maldocs fool automated sandboxes, even though the CVEs used are well-known and well-aged. Read more.

I Know What Your Password Was Last Summer…

Source: LARES

An interesting aspect we regularly encounter when compromising organisations is the psychology behind how people choose their passwords. This insight reveals patterns and tendencies in password creation within Windows environments, shedding light on common vulnerabilities and the human factors influencing password security. Read more.

Coyote: A multi-stage banking Trojan abusing the Squirrel installer

Source: SECURELIST

This malware utilizes the Squirrel installer for distribution, leveraging NodeJS and a relatively new multiplatform programming language called Nim as a loader to complete its infection. We have named this newly discovered Trojan “Coyote” due to the role of coyotes as natural predators of squirrels. Read more.

Raspberry Robin Keeps Riding the Wave of Endless 1-Days

Source: CHECK POINT RESEARCH

Most importantly, Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed. Those 1-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a 0-day and was sold on the Dark Web. Read more.

Chinese hackers fail to rebuild botnet after FBI takedown

Source: BLEEPING COMPUTER

Before KV-botnet’s takedown, it allowed the Volt Typhoon threat group (aka Bronze Silhouette) to proxy malicious activity through hundreds of compromised small office/home offices (SOHO) across the U.S. to evade detection. Read more.

2023 Cybersecurity Lingo for Stronger Digital Defense

Source: THE CYBER EXPRESS

The language of cybersecurity can be compared with a digital sword when it comes to ever-changing environments in cyberspace, where shadows keep both danger and safety. Ending 2023 leads us into a lexical exploration of the complex fabric of cyberslang, where cyber sentinels use secret cybersecurity jargon to secure the virtual world. Read more.

Nearly 4-year-old Cisco vuln linked to recent Akira ransomware attacks

Source: The Register

The vulnerability lies in the web services interface of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software, allowing attackers to extract secrets stored in memory in clear text such as usernames and passwords – à la CitrixBleed. Read more.

InfoSec Articles (01/16/24 – 01/30/24)
https://www.malwarepatrol.net/infosec-articles-01-16-24-01-30-24/
Wed, 31 Jan 2024 02:23:14 +0000

The Endless Struggle Against APT10: Insights from LODEINFO v0.6.6 – v0.7.3 Analysis

Source: ITOCHU Cyber Intelligence Inc.

According to information released by security vendors, APT campaigns using LODEINFO target Japanese media, diplomacy, public institutions, defense industries, and think tanks. It is also suggested that the infamous APT group called APT10 is involved, given the similarities in their methods and malware. Read more.

Spoofing 802.11 Wireless Beacon Management Frames with Manipulated Power Values Resulting in Denial of Service for Wireless Clients

Source: Trustwave

So, the story starts in Ubuntu, in dmesg to be exact. Dmesg (diagnostic messages) prints kernel-related messages for those of you not familiar. So, there I was, minding my own business, not at all looking into wireless, actually looking into some Bluetooth research (watch this space!). I had to install some required packages and suddenly Ubuntu crashed on me. I look into dmesg to see what the fuss is all about, no real answer… but I noticed this line that had to do with the wireless interface. Read more.

Exploits released for critical Jenkins RCE flaw, patch now

Source: BLEEPING COMPUTER

Multiple proof-of-concept (PoC) exploits for a critical Jenkins vulnerability allowing unauthenticated attackers to read arbitrary files have been made publicly available, with some researchers reporting attackers actively exploiting the flaws in attacks. Read more.

Nigerian ‘Yahoo Boys’ Behind Social Media Sextortion Surge in the US

Source: Infosecurity Magazine

Their typical approach is to “bomb” high schools, youth sports teams and universities with fake accounts, using advanced social engineering tactics to coerce their victims into a compromising situation. Read more.

The Intricacies of Atomic Stealer (AMOS) and the Emergence of Xehook Stealer on Dark Web

Source: The Cyber Express

A new information stealer has arrived on the dark web. Known as the Atomic Stealer (AMOS), this information-stealing malware is designed for a phishing campaign associated with the rise of dead cookie restoration and Xehook Stealer. Read more.

Russia-Linked APT Group Midnight Blizzard Hacked Hewlett Packard Enterprise (HPE)

Source: The Hacker News

Hewlett Packard Enterprise (HPE) revealed that alleged Russia-linked cyberespionage group Midnight Blizzard gained access to its Microsoft Office 365 cloud-based email environment. The attackers were collecting information on the cybersecurity division of the company and other functions. Read more.

NSPX30: A sophisticated AitM-enabled implant evolving since 2005

Source: welivesecurity

ESET researchers provide an analysis of an attack carried out by a previously undisclosed China-aligned threat actor we have named Blackwood, and that we believe has been operating since at least 2018. The attackers deliver a sophisticated implant, which we named NSPX30, through adversary-in-the-middle (AitM) attacks hijacking update requests from legitimate software. Read more.

InfoSec Articles (01/02/24 – 01/16/24)
https://www.malwarepatrol.net/infosec-articles-01-02-24-01-16-24/
Tue, 16 Jan 2024 01:12:04 +0000

CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign

Source: TREND MICRO

CVE-2023-36025 affects Microsoft Windows Defender SmartScreen and stems from the lack of checks and associated prompts on Internet Shortcut (.url) files. Threat actors can leverage this vulnerability by crafting .url files that download and execute malicious scripts that bypass the Windows Defender SmartScreen warning and checks. Read more.

Atomic Stealer rings in the new year with updated version

Source: Malwarebytes LABS

It looks like Atomic Stealer was updated around mid to late December 2023, where its developers introduced payload encryption in an effort to bypass detection rules. Some samples from crack websites made their way to VirusTotal around that time frame, followed by a malvertising campaign we observed in January 2024. Read more.

Financial Fraud APK Campaign

Source: Unit 42 PaloAlto Networks

The threat actors used this Android application to impersonate law enforcement authorities. They claimed that the victim’s bank account was suspected of being involved in money laundering or other financial-related crimes. They then sent the victim a download link to this application package, urging the victim to input their sensitive personal information into the malicious application. Read more.

Unprecedented Growth in Malicious Botnets Observed

Source: NETSCOUT

Analysis of the activity has uncovered a rise in the use of cheap or free cloud and hosting servers that attackers are using to create botnet launch pads. These servers are used via trials, free accounts, or low-cost accounts, which provide anonymity and minimal overhead to maintain. Read more.

You Had Me at Hi — Mirai-Based NoaBot Makes an Appearance

Source: Akamai

The NoaBot botnet has most of the capabilities of the original Mirai botnet (such as a scanner module and an attacker module, hiding its process name, etc.), but we can also see many differences from Mirai’s original source code. First and foremost, the malware’s spreader is based in SSH, not based in Telnet like Mirai. Read more.

Unseen Threats in Software Development | The Perils of Trojanized NPM Packages

Source: SentinelOne

Because npm and npm packages can extend deep into the organization’s development environment, security is a crucial issue that must be addressed. Let’s look at some examples of how easily, and severely, npm can be leveraged by threat actors. Read more.

Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign

Source: TREND MICRO

In general, Water Curupira conducts campaigns for the purpose of dropping backdoors such as Cobalt Strike, leading to Black Basta ransomware attacks (coincidentally, Black Basta also returned to operations in September 2023). The threat actor conducted several DarkGate spam campaigns and a small number of IcedID campaigns in the early weeks of the third quarter of 2023, but has since pivoted exclusively to Pikabot. Read more.

InfoSec Articles (12/19/23 – 01/02/24)
https://www.malwarepatrol.net/infosec-articles-12-19-23-01-02-24/
Wed, 03 Jan 2024 13:27:18 +0000

Threat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla

Source: Zscaler

Threat actors strategically utilize words like “orders” and “invoices” in spam emails to encourage users to download malicious attachments containing CVE-2017-11882. Threat actors include a VBS file in their infection chain to add a layer of complexity to analysis and deobfuscation attempts. Threat actors use the RegAsm.exe file to carry out malicious activities under the guise of a genuine operation. Read more.

Malware leveraging public infrastructure like GitHub on the rise

Source: ReversingLabs

Here are two novel techniques deployed on GitHub that were discovered by ReversingLabs. The first abuses GitHub Gists, and the second issues commands through git commit messages. Read more.

BlackCat Rises: Infamous Ransomware Gang Defies Law Enforcement

Source: Infosecurity Magazine

Despite law enforcement efforts to take down the notorious ALPHV/BlackCat ransomware gang, the cybercriminals are not going down without a fight. Latest developments have shown that the site that was supposedly ‘taken down’ by the FBI has now been ‘unseized.’ Read more.

Behind the Scenes of Matveev’s Ransomware Empire: Tactics and Team

Source: The Hacker News

Matveev is said to lead a team of six penetration testers – 777, bobr.kurwa, krbtgt, shokoladniy_zayac, WhyNot, and dushnila – to execute the attacks. The group has a flat hierarchy, fostering better collaboration between the members. Read more.

Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa

Source: Symantec

The attackers used a variety of tools in this activity, which occurred in November 2023, including leveraging the MuddyC2Go infrastructure, which was recently discovered and documented by Deep Instinct. Researchers on Symantec’s Threat Hunter Team, part of Broadcom, found a MuddyC2Go PowerShell launcher in the activity we investigated. Read more.

Millions of Xfinity customers’ info, hashed passwords feared stolen in cyberattack

Source: The Register

Millions of Comcast Xfinity subscribers’ personal data – including potentially their usernames, hashed passwords, contact details, and secret security question-answers – was likely stolen by one or more miscreants exploiting Citrix Bleed in October. Read more.

Cybercrooks Leveraging Anti Automation Toolkit for Phishing Campaigns

Source: Trellix

Trellix Advanced Research Center has tracked abuse of one more such tool used for quite some time now. Predator, a tool designed to combat bots and web crawlers, can distinguish web requests originating from automated systems, bots, or web crawlers. Read more.

InfoSec Articles (12/05/23 – 12/19/23)
https://www.malwarepatrol.net/infosec-articles-12-05-23-12-19-23/
Wed, 20 Dec 2023 10:41:04 +0000

QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry

Source: The Hacker News

A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network. Read more.

PikaBot distributed via malicious search ads

Source: Malwarebytes LABS

In the past few days, researchers including ourselves have observed PikaBot, a new malware family that appeared in early 2023, distributed via malvertising. PikaBot was previously only distributed via malspam campaigns similarly to QakBot and emerged as one of the preferred payloads for a threat actor known as TA577. Read more.

Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol

Source: SECURE LIST

The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities. Read more.

Rhadamanthys v0.5.0 – A Deep Dive into the Stealer’s Components

Source: CHECKPOINT RESEARCH

In this article we do a deep dive into the functionality and cooperation between the modules. The first part of the article describes the loading chain that is used to retrieve the package with the stealer components. In the second part, we take a closer look at those components, their structure, abilities, and implementation. Read more.

Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet

Source: SECURITY WEEK

Malware hunters in the United States have set eyes on an impossible-to-kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting US critical infrastructure. Read more.

Gaza Cybergang | Unified Front Targeting Hamas Opposition

Source: SentinelLABS

SentinelLabs’ analysis reinforces the suspected ties between Gaza Cybergang and WIRTE, historically considered a distinct cluster with loose relations to the Gaza Cybergang. Read more.

Rhysida Ransomware

Source: ShadowStackRE

On December 12th, 2023, Rhysida claimed to have penetrated and encrypted Insomniac Games from Burbank, California. The studio, founded in 1994 and currently owned by Sony Interactive Entertainment, has been responsible for such hits as the recently released ‘Marvel’s Spider-Man’ series and the ‘Ratchet & Clank’ series. Read more.

InfoSec Articles (11/28/23 – 12/05/23)
https://www.malwarepatrol.net/infosec-articles-11-28-23-12-05-23/
Tue, 05 Dec 2023 12:58:45 +0000

PSA: Fake CVE-2023-45124 Phishing Scam Tricks Users Into Installing Backdoor Plugin

Source: Wordfence

The Wordfence Threat Intelligence Team has recently been informed of a phishing campaign targeting WordPress users. The Phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the user’s site with an identifier of CVE-2023-45124, which is not currently a valid CVE. The email prompts the victim to download a “Patch” plugin and install it. Read more.

SQL Brute Force Leads to BlueSky Ransomware

Source: THE DFIR REPORT

While other reports point to malware downloads as initial access, in this report the threat actors gained access via an MSSQL brute force attack. They then leveraged Cobalt Strike and Tor2Mine to perform post-exploitation activities. Within one hour of the threat actors accessing the network, they deployed BlueSky ransomware network wide. Read more.

Cactus Ransomware Exploiting Qlik Sense Code Execution Vulnerability

Source: GBHackers

Cactus is ransomware that encrypts data, provides a ransom note (“cAcTuS.readme.txt”), and appends the “.CTS1” extension to filenames. They exploit via the combination or direct abuse of CVE-2023-41266 and CVE-2023-41265. Read more.

New SugarGh0st RAT targets Uzbekistan government and South Korea

Source: Cisco TALOS

We assess with high confidence that the SugarGh0st RAT is a new customized variant of Gh0st RAT, an infamous trojan that’s been active for more than a decade, with customized commands to facilitate the remote administration tasks as directed by the C2 and modified communication protocol based on the similarity of the command structure and the strings used in the code. Read more.

Google Unveils RETVec – Gmail’s New Defense Against Spam and Malicious Emails

Source: The Hacker News

RETVec, which works on over 100 languages out-of-the-box, aims to help build more resilient and efficient server-side and on-device text classifiers, while also being more robust and computationally less expensive. Read more.

Booking.com Customers Scammed in Novel Social Engineering Campaign

Source: Infosecurity Magazine

The researchers said the campaign, which they believe has been running for at least a year, begins by deploying the Vidar infostealer to gain access to partner hotels’ Booking.com credentials. This information is then used to send phishing emails to Booking.com customers and trick them into handing over their payment details, in many cases leading to money being stolen. Read more.

Apache ActiveMQ Jolokia Remote Code Execution Vulnerability (CVE-2022-41678) Notification

Source: Security Boulevard

In the configuration of ActiveMQ, Jetty allows org.jolokia.http.AgentServlet to process requests for /api/Jolokia. An authenticated attacker can send a specially crafted HTTP request to write a malicious file through the Jolokia service, thus implementing remote code execution. At present, the vulnerability PoC has been made public. Read more.

InfoSec Articles (11/21/23 – 11/28/23)
https://www.malwarepatrol.net/infosec-articles-11-21-23-11-28-23/
Wed, 29 Nov 2023 14:34:18 +0000

New Agent Tesla Malware Variant Using ZPAQ Compression in Email Attacks

Source: The Hacker News

A new variant of the Agent Tesla malware has been observed delivered via a lure file with the ZPAQ compression format to harvest data from several email clients and nearly 40 web browsers. Read more.

Third-party data breach affecting Canadian government could involve data from 1999

Source: The Register

The government of Canada has confirmed its data was accessed after two of its third-party service providers were attacked. The third parties both provided relocation services for public sector workers and the government is currently analyzing a “significant volume of data” which could date back to 1999. Read more.

Play Ransomware Goes Commercial – Now Offered as a Service to Cybercriminals

Source: The Hacker News

The ransomware strain known as Play is now being offered to other threat actors “as a service,” new evidence unearthed by Adlumin has revealed. Read more.

DarkGate and PikaBot Phishing Campaign is Using Qakbot Tactics

Source: Security Boulevard

The operators behind a phishing campaign that is distributing the DarkGate and PikaBot malware are using many of the techniques attributed to the notorious QakBot operation that was taken down by law enforcement agencies in August. Read more.

Citrix warns admins to kill NetScaler user sessions to block hackers

Source: BLEEPING COMPUTER

Citrix reminded admins today that they must take additional measures after patching their NetScaler appliances against the CVE-2023-4966 ‘Citrix Bleed’ vulnerability to secure vulnerable devices against attacks. Besides applying the necessary security updates, they’re also advised to wipe all previous user sessions and terminate all active ones. Read more.

Anonymous Sudan DDoS Attack Cloudflare Decoded

Source: Security Boulevard

Cloudflare swiftly acknowledged the DDoS attack, emphasizing that it exclusively impacted the www.cloudflare.com website, leaving their broader range of products and services unscathed. A Cloudflare spokesperson assured users that no customer data or services were compromised during the incident. This emphasizes that the website operates on separate infrastructure designed to prevent any collateral damage. Read more.

Malware dev says they can revive expired Google auth cookies

Source: BLEEPING COMPUTER

The Lumma information-stealer malware (aka ‘LummaC2’) is promoting a new feature that allegedly allows cybercriminals to restore expired Google cookies, which can be used to hijack Google accounts. Read more.

DPRK Hackers Masquerade as Tech Recruiters, Job Seekers

Source: DARK READING

North Korean threat actors are posing as both job recruiters and job seekers on the Web, deceiving companies and applicants for financial gain and, possibly, to gain access into Western organizations. Read more.

New Flaws in Fingerprint Sensors Let Attackers Bypass Windows Hello Login

Source: The Hacker News

The flaws were discovered by researchers at hardware and software product security and offensive research firm Blackwing Intelligence, who found the weaknesses in the fingerprint sensors from Goodix, Synaptics, and ELAN that are embedded into the devices. Read more.

Welltok Data Breach Impacted 8.5 Million Patients in the U.S.

Source: Security Affairs

The company disclosed a data breach that exposed the personal data of nearly 8.5 million patients (8,493,379) in the U.S. On July 26, 2023, threat actors hacked the company’s MOVEit Transfer server. Read more.

ClearFake Campaign Spreads macOS AMOS Information Stealer

Source: Security Affairs

Threat actors spread Atomic Stealer (AMOS) macOS information stealer via a bogus web browser update as part of the ClearFake campaign. Read more.

PoC for Splunk Enterprise RCE flaw released (CVE-2023-46214)

Source: HELP NET SECURITY

A vulnerability researcher has published a detailed analysis of CVE-2023-46214 and has consolidated the steps required for exploitation into a Python script. If specific prerequisites are met, the script should open a remote command prompt. Read more.

Hackers Hijack Industrial Control System at US Water Utility

Source: SECURITY WEEK

The Municipal Water Authority of Aliquippa in Pennsylvania has confirmed that hackers took control of a system associated with a booster station over the weekend, but said there was no risk to the water supply. Read more.

GE Servers Hacked and DARPA Military Info Leaked

Source: Cybersecurity INSIDERS

General Electric, commonly referred to as GE, a multinational corporation engaged in the fields of renewable energy, aerospace, and power, has fallen prey to a cyber attack resulting in the leakage of sensitive information related to DARPA Military operations. Read more.

InfoSec Articles (11/14/23 – 11/21/23)

https://www.malwarepatrol.net/infosec-articles-11-14-23-11-21-23/

Mon, 20 Nov 2023 10:14:16 +0000

IPStorm botnet dismantled by FBI as hacker pleads guilty to three charges

Source: SC Media

The Federal Bureau of Investigation (FBI) dismantled an international botnet comprising more than 23,000 proxies after the hacker responsible for the network reached a plea deal with authorities. Read more.

Scattered Spider

Source: CISA

The FBI and CISA are releasing this joint Cybersecurity Advisory (CSA) in response to recent activity by Scattered Spider threat actors against the commercial facilities sectors and subsectors. This advisory provides tactics, techniques, and procedures (TTPs) obtained through FBI investigations as recently as November 2023. Read more.

UK labels AI Tools as a cyber threat to National Elections

Source: Cybersecurity INSIDERS

Britain has identified the continued use of AI tools as a significant cyber threat to the upcoming national elections slated for January 2025. Emphasizing the increasing difficulty for security experts to track and neutralize these deepfake threats, particularly in the context of digital elections, the nation has raised concerns about potential interference. Read more.

Samsung Hacked: Customers’ Personal Information Exposed

Source: GBHackers

The breach was formally confirmed in an email received by this reporter on the night of November 15. Samsung traced the detection of the cyber incursion back to November 13. Although the specific third-party business application remains undisclosed, Samsung ascribes the breach to a flaw. Customers who made purchases between July 1, 2019, and June 30, 2020, are presumed to be impacted. Read more.

Hackers Could Exploit Google Workspace and Cloud Platform for Ransomware Attacks

Source: The Hacker News

A set of novel attack methods has been demonstrated against Google Workspace and the Google Cloud Platform that could be potentially leveraged by threat actors to conduct ransomware, data exfiltration, and password recovery attacks. Read more.

Attacker – hidden in plain sight for nearly six months – targeting Python developers

Source: Checkmarx

For nearly half a year, a threat actor has been planting malicious Python packages into the open-source repository. Many of the malicious packages were camouflaged with names closely resembling popular legitimate Python packages. Consequently, they received thousands of downloads. Read more.

TA402 Uses Complex IronWind Infection Chains to Target Middle East-Based Government Entities

Source: Proofpoint

From July through October 2023, Proofpoint researchers observed TA402 engage in phishing campaigns that delivered a new initial access downloader dubbed IronWind. The downloader was followed by additional stages that consisted of downloaded shellcode. Read more.

Children’s tablet has malware and exposes kids’ data, researcher finds

Source: TechCrunch

The Dragon Touch KidzPad Y88X contains traces of a well-known malware, runs a version of Android that was released five years ago, comes pre-loaded with other software that’s considered malware and a “potentially unwanted program” because of “its history and extensive system level permissions to download whatever application it wants,” and includes an outdated version of an app store designed specifically for kids, according to Hancock’s report, which was released on Thursday and seen by TechCrunch ahead of its publication. Read more.

New ‘Octo’ malware tricks Android users into giving up bank details

Source: RNZ

Netsafe says it’s not aware of New Zealanders being tricked into giving up their bank details by a sophisticated new malware but it is possible they have without realising. The ABC reported that Russian cyber criminals have targeted hundreds of bank customers across the Tasman with a malware called Octo. Read more.

ALPHV/BlackCat Take Extortion Public

Source: TREND MICRO

ALPHV filed a complaint with the Securities and Exchange Commission (SEC) stating that their victim (MeridianLink) had not disclosed a breach within the SEC’s four-day requirement. It appears this is an attempt to pressure MeridianLink into paying the ransom sooner rather than later. This is an interesting spin on the traditional tactic, and one that could become more pronounced in 2024. Read more.

Phishing page with trivial anti-analysis features

Source: SANS Internet Storm Center

Anti-analysis features in phishing pages – especially in those that threat actors send out as e-mail attachments – are nothing new [1,2]. Nevertheless, sometimes the way these mechanisms are implemented may still leave one somewhat mystified. This happened to me a few weeks ago when I found what appeared to be a generic phishing message in one of my spam traps. Read more.

CISA Releases The Mitigation Guide: Healthcare and Public Health (HPH) Sector

Source: CISA

This guide provides defensive mitigation strategy recommendations and best practices to combat pervasive cyber threats affecting this critical infrastructure sector. It also identifies known vulnerabilities for organizations to assess their networks and minimize risks before intrusions occur. Read more.

Blacksuit Ransomware linked to Royal Ransomware

Source: Cybersecurity INSIDERS

As per an advisory from the FBI and US-CISA, a forthcoming ransomware variant is set to enter the cybersecurity landscape, marking itself as a rebrand or offshoot of the Royal Ransomware gang, notorious for purportedly amassing around $275 million in 2022. Read more.

CitrixBleed Vulnerability Exploitation Suspected in Toyota Ransomware Attack

Source: SECURITY WEEK

Toyota Financial Services Europe & Africa this week confirmed being targeted in a cyberattack, which appears to have been conducted by a known ransomware group. The Toyota subsidiary said it recently detected unauthorized activity on systems in a limited number of locations. In response, it took some systems offline and they are gradually being brought back online. Read more.
