In a recent analysis, Palo Alto Networks Unit 42 researcher Chema Garcia revealed a targeted cyber threat affecting organizations in the Middle East, Africa, and the United States. The unknown threat actor is distributing a sophisticated backdoor named Agent Racoon, developed using the .NET framework. The malware exploits the domain name service (D...
More details have emerged about a malicious Telegram bot called Telekopye that’s used by threat actors to pull off large-scale phishing scams. “Telekopye can craft phishing websites, emails, SMS messages, and more,” ESET security researcher Radek Jizba said in a new analysis. The threat actors behind the operation – codenamed Nean...
A subgroup within the infamous Lazarus Group, recognized as Sapphire Sleet, has recently altered its modus operandi by employing a variant of the Phobos ransomware in its financially motivated cyberattacks. This strategic shift has been documented by cybersecurity researchers at Cisco Talos, who have observed an uptick in activities carried out by ...
The well-known Lazarus Group has evolved, with a faction now setting up deceptive platforms masquerading as skill assessment portals, part of their new social engineering tactics. Identified by Microsoft as Sapphire Sleet, this alteration marks a change in the group’s persistent methods. Sapphire Sleet, also recognized as APT38, BlueNoroff, C...
Introduction In an age where we rely heavily on mobile applications for various aspects of our daily lives, ensuring their security is paramount. Google is taking a significant step to bolster app safety in the Play Store by introducing the “Independent Security Review” badge. This badge is designed to provide users with more informatio...
Signal, the renowned encrypted messaging app, has firmly pushed back against recent reports of an alleged zero-day vulnerability in its software. The company conducted a thorough investigation and stated that it found no concrete evidence to substantiate the claim. In a series of messages posted on social media platform X (formerly Twitter), Signal...
In a noteworthy development, a cyber campaign known as “Stayin’ Alive” has been actively targeting prominent government and telecom organizations across Asia since 2021. The campaign, discovered by cybersecurity firm Check Point, is characterized by its deployment of basic backdoors and loaders to deliver more advanced malware in ...
Ukraine, a nation that has been no stranger to cyber threats, is again in the spotlight. The Ukrainian Computer Emergency Response Team (CERT-UA) has recently reported a series of cyberattacks targeting the country’s telecommunications providers. This alarming development raises concerns about critical infrastructure security and underscores ...
In a recent cybersecurity incident, Microsoft has shed light on a thwarted cyber attack, where hackers made an unsuccessful attempt to breach a cloud environment through an SQL Server instance. The assault kicked off with the exploitation of an SQL injection vulnerability present in a particular application. This initial breach granted unauthorized...
What are the APIs? known as application programming interfaces, are the backbone of modern software applications, enabling seamless communication and data exchange between different systems and platforms. They provide developers with an interface to interact with external services, allowing them to integrate various functionalities into their appli...
North Korean nation-state actors linked to the Reconnaissance General Bureau (RGB) have been connected to the JumpCloud hack due to a security oversight that exposed their IP address. The threat intelligence firm Mandiant, owned by Google, attributes the activity to UNC4899, which has similarities with other groups known as Jade Sleet and TraderTra...
A warning has been issued regarding a sophisticated form of voice phishing (vishing) called “Letscall” that specifically targets individuals in South Korea. This advanced technique involves deceiving victims into downloading malicious apps from a fake Google Play Store website. Once installed, the malware redirects incoming calls to a c...
An e-crime actor, known as Neo_Net, has been identified as the perpetrator of an Android mobile malware campaign targeting global financial institutions, with a specific focus on Spanish and Chilean banks. The campaign, which occurred between June 2021 and April 2023, resulted in the theft of over 350,000 EUR and the compromise of Personally Identi...
Cybersecurity researchers have uncovered new information about the Romanian threat actor Diicot, revealing its potential for launching distributed denial-of-service (DDoS) attacks. Diicot, also known as Mexals, was initially discovered in July 2021 and was linked to a cryptojacking campaign. Recent analysis shows that Diicot is now using an off-the...
A large-scale cryptocurrency scam has been uncovered, involving over 1,000 fraudulent websites that have deceived users since January 2021. Trend Micro researchers have linked this scam to a Russian-speaking threat actor called “Impulse Team.” The scam operates through an advanced fee fraud scheme, where victims are tricked into believi...
A recent malware campaign has been discovered that utilizes the Satacom downloader to distribute stealthy malware for cryptocurrency theft. The malware aims to steal BTC from victims’ accounts by injecting malicious code into targeted cryptocurrency websites. The campaign primarily targets users of popular cryptocurrency platforms such as Coi...
WordPress Releases Automatic Update to Fix Critical Jetpack Plugin Vulnerability WordPress has taken immediate action to address a critical flaw in the widely used Jetpack plugin, which is installed on over five million websites. The automatic update was prompted by the discovery of a vulnerability during an internal security audit. The flaw stems ...
A sophisticated and stealthy information-stealing malware called Bandit Stealer has recently emerged, posing a significant threat to web browsers and cryptocurrency wallets. Trend Micro, a leading cybersecurity company, highlighted the malware’s capability to potentially expand to other platforms due to its development using the Go programmin...
A significant security vulnerability has been exposed in the Open Authorization (OAuth) implementation of Expo.io, a popular application development framework. Assigned the CVE identifier CVE-2023-28131, this vulnerability carries a high severity rating of 9.6 on the CVSS scoring system. API security firm Salt Labs has reported that the flaw leaves...
Kimsuky, a North Korean advanced persistent threat (APT) group, has been using custom malware called RandomQuery as part of its reconnaissance and information exfiltration operation. The group’s ongoing targeted campaign, primarily geared towards information services and organizations supporting human rights activists and North Korean defecto...
Python Package Index (PyPI), the official repository for third-party software in the Python programming language, has temporarily disabled user sign-ups and the ability to upload new packages until further notice. The PyPI administrators made this decision due to a recent surge in malicious users and projects on the platform, which has overwhelmed ...
New findings from Group-IB shed light on the payment structure within the Qilin ransomware-as-a-service (RaaS) scheme, revealing that ransomware affiliates receive a significant share of each ransom payment, ranging from 80% to 85%. Group-IB managed to infiltrate the group in March 2023, leading to insights into the payment structure and inner work...
A new phishing-as-a-service (PhaaS or PaaS) platform called Greatness has been utilized by cybercriminals to target business users of Microsoft 365 cloud service since mid-2022. This Phishing kit provides affiliates with a link and attachment builder to create convincing decoy and login pages that have features like pre-filled victim email addresse...
Microsoft has released its Patch Tuesday updates for May 2023, which include fixes for 38 security vulnerabilities, including one zero-day flaw currently being actively exploited. The Zero Day Initiative (ZDI) from Trend Micro reports that this is the lowest number of security fixes released since August 2021, but warns that this number is likely t...
Italian corporate banking clients are under attack from an ongoing financial fraud campaign that uses a web-inject toolkit called drIBAN since at least 2019. According to Cleafy researchers Federico Valentini and Alessandro Strino, the main goal of drIBAN fraud operations is to infect Windows workstations in corporate environments and alter legitim...
North Korea’s ScarCruft, also known as APT37, InkySquid, Nickel Foxcroft, Reaper, RedEyes, and Ricochet Chollima, is a threat group that targets South Korean individuals and entities through spear-phishing attacks. The group’s malware of choice, RokRAT, is capable of credential theft, data exfiltration, system information gathering, com...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an Industrial Control Systems (ICS) medical advisory warning of a critical flaw that affects Illumina medical devices. The Universal Copy Service (UCS) software in several DNA sequencing instruments, including the iSeq 100, MiSeq, NextSeq 550, and NovaSeq 6000, is impacted by t...
Alloy Taurus, a Chinese nation-state group notorious for attacking telecom companies since 2012, has been spotted using a Linux variation of the backdoor PingPull and a new unnamed tool called Sword2033. Palo Alto Networks Unit 42 discovered these malicious activities recently, targeting South Africa and Nepal. These attacks also include financial ...
A group backed by the Iranian government, dubbed Mint Sandstorm, has been connected to cyber-attacks targeting critical US infrastructure from late 2021 to mid-2022. Microsoft’s Threat Intelligence team stated that this subgroup is skilled and operationally mature, capable of swiftly developing custom tools and exploiting N-day vulnerabilitie...
Google has released an urgent update to fix a zero-day vulnerability in Chrome that is being actively exploited, making it the first such bug to be addressed this year. The vulnerability, tracked as CVE-2023-2033, is a high-severity type confusion issue in the V8 JavaScript engine. Google acknowledged that an exploit for the vulnerability exists in...
Experts in cybersecurity have uncovered the mechanics behind a cryptocurrency stealer malware distributed through 13 malignant NuGet packages. This supply chain attack targeted .NET developers and employed a sophisticated typosquatting campaign. Impersonating legitimate packages, the attackers executed PowerShell code to obtain a secondary binary f...
MSI, the Taiwanese PC company, has officially confirmed that it was the victim of a cyber attack on its systems. The company promptly initiated incident response and recovery measures after detecting network anomalies and alerted law enforcement agencies. However, MSI did not disclose any specifics about the attack or whether any proprietary inform...
cybersecurity experts have unveiled a previously unknown and highly sophisticated ransomware variant, Rorschach, which is both advanced and swift. Rorschach ransomware distinguishes itself from other strains with its exceptional customization and unique technical features not previously seen in ransomware, according to a report by Check Point Resea...
Actively exploited by unidentified cybercriminals, a recently patched security vulnerability is found within the WordPress Elementor Pro website builder plugin. Affecting versions 3.11.6 and earlier, this broken access control flaw was resolved by the plugin developers in the 3.11.7 version, released on March 22. In the release notes, the Tel Aviv-...
A newly identified North Korean cyber group, APT43, has been linked to multiple campaigns aimed at gathering strategic intelligence in line with Pyongyang’s geopolitical interests since 2018. Tracked by Google-owned Mandiant, APT43’s objectives include both espionage and financial motives, employing methods such as credential harvesting...
On Friday, Microsoft provided insights to assist users in identifying indicators of compromise (IoCs) linked to a recently patched Outlook vulnerability. Known as CVE-2023-23397 (CVSS score: 9.8), this critical vulnerability involves a privilege escalation issue that could be exploited to steal NT Lan Manager (NTLM) hashes and execute a relay attac...
A new campaign targeting poorly managed Linux SSH servers has been identified, deploying various strains of malware called ShellBot. The AhnLab Security Emergency Response Center (ASEC) reported that ShellBot, also known as PerlBot, is a DDoS bot malware developed in Perl, which typically uses the IRC protocol for communication with its C&C ser...
Mandiant, the threat intelligence firm, has linked the zero-day exploitation of a medium-severity security flaw in the Fortinet FortiOS operating system to a suspected Chinese hacking group. The attack is part of a broader campaign to deploy backdoors onto Fortinet and VMware solutions and maintain persistent access to victim environments. Mandiant...
Recently, a critical security flaw in Progress Telerik was exploited by multiple threat actors, including a nation-state group, to gain unauthorized access to an unnamed federal entity in the U.S. The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Cent...
A malicious Chrome browser extension branded as ChatGPT has been discovered to hijack Facebook accounts and create rogue admin accounts. This highlights one of the different methods cyber criminals are using to distribute malware. Guardio Labs researcher Nati Tal warns that by hijacking high-profile Facebook business accounts, the threat actor crea...
The Lazarus Group, believed to be linked to North Korea, has been observed exploiting undisclosed software vulnerabilities to breach a South Korean financial business entity twice within a year. The first attack in May 2022 involved the use of a vulnerable version of a widely-used certificate software, while the second attack in October 2022 exploi...
Cybersecurity experts have uncovered a new information stealer called SYS01stealer, which targets critical government infrastructure employees, manufacturing companies, and other sectors. Israeli cybersecurity firm Morphisec reports that the attack campaign aims to steal sensitive information, such as login data, cookies, and Facebook ad and busine...
Chinese threat actor Sharp Panda has been targeting high-profile government entities in Southeast Asia since late last year in a cyber espionage campaign. Israeli cybersecurity company Check Point has identified the use of a new version of the Soul modular framework as characterizing the intrusions, marking a departure from the group’s attack...
A new ATM malware strain called FiXS has been detected attacking Mexican banks since the beginning of February 2023. Latin American cybersecurity firm Metabase Q reported that the ATM malware is concealed within another program that appears to be non-malicious. FiXS is not dependent on any specific vendor, is vendor-agnostic, and can infect any tel...
The Mustang Panda actor, which is aligned with China, has been observed using a new custom backdoor named MQsTTang as part of an ongoing social engineering campaign that started in January 2023. ESET researcher Alexandre Côté Cyr reported that MQsTTang seems to be a standalone backdoor not based on existing malware families or publicly available...
The threat group known as Lucky Mouse has released a Linux version of its SysUpdate malware toolkit, enabling it to target Linux devices. The updated artifact, which dates back to July 2022, has new features aimed at avoiding security software and resisting reverse engineering. Lucky Mouse, also known as APT27, Bronze Union, Emissary Panda, and...
On March 1, 2023, Cisco released security updates for its IP Phone series 6800, 7800, 7900, and 8800 to address a critical command injection vulnerability (CVE-2023-20078) rated 9.8 on the CVSS scoring system. The flaw is caused by a web-based management interface, which lacks proper user-supplied input validation, allowing an unauthenticated, remo...
Jamf Threat Labs has discovered that Trojanized versions of legitimate applications are being used to deploy evasive cryptocurrency mining malware on macOS systems. The malware, called XMRig coin miner, is executed by an unauthorized modification in Final Cut Pro, an Apple video editing software. The malware makes use of the Invisible Internet Proj...
Apple has released revised security advisories to address three new vulnerabilities that could impact iOS, iPadOS, and macOS. One of the vulnerabilities is a race condition in the Crash Reporter component that could allow a malicious actor to read arbitrary files as root, while the other two vulnerabilities in the Foundation framework could be weap...
The Norwegian police agency Økokrim has announced the seizure of $5.84 million worth of cryptocurrency, which was stolen by the Lazarus Group in March 2022 after the Axie Infinity Ronin Bridge hack. The Oslo-based crime-fighting unit stated that this case highlights its capacity to trace the money trail on the blockchain, even when criminals use...
Cisco has recently released security updates to address a severe vulnerability in the ClamAV open-source antivirus engine, which could result in remote code execution on susceptible devices. The vulnerability is tracked as CVE-2023-20032, with a CVSS score of 9.8, and it pertains to remote code execution in the HFS+ file parser component. Versions ...
The notorious APT37, a North Korea-linked threat actor, has recently been spotted utilizing a new piece of malware called M2RAT in its ongoing attacks against its southern neighbor. These developments signify a further evolution of the group’s tools and tactics. APT37, also known as Reaper, RedEyes, Ricochet Chollima, and ScarCruft, is associ...
The malicious black hat redirect malware campaign has now grown larger and more insidious, infecting over 10,800 websites with over 70 bogus domains, mimicking URL shorteners. The main objective of this malware is to artificially increase traffic to pages that contain Google Ads, generating revenue from AdSense ID, which is used for ad fraud. The...
Cloudflare, the web infrastructure company, stopped an unprecedented DDoS attack on Monday with a record-breaking peak of over 71 million requests per second. This historic “hyper-volumetric” attack was the largest HTTP DDoS attack on record, surpassing the previous 46 million RPS attack that was mitigated by Google Cloud in June 2022. ...
Apple has taken swift action to safeguard its users by releasing security updates for its various operating systems, including iOS, iPadOS, macOS, and Safari, to fix a critical zero-day vulnerability. The flaw, tracked as CVE-2023-23529, is a type of confusion bug in the WebKit browser engine that could allow malicious actors to execute arbitrary c...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to the public, adding three newly discovered security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. This move is a result of evidence suggesting that these flaws are being actively abused in the wild. Among the three is CVE-2022-24990, a se...
Reddit, the well-known social news aggregation platform, has fallen victim to a vicious and calculated phishing attack. On February 5th, 2023, the attackers targeted Reddit’s employees with plausible-sounding prompts that redirected them to a fake website that appeared to be Reddit’s intranet portal. The sole purpose of this deceitful a...
The OpenSSL Project has taken immediate action to safeguard its users by releasing critical fixes to address several severe security vulnerabilities in its open-source encryption toolkit. One such vulnerability, tracked as CVE-2023-0286, is a high-severity bug that could potentially put users at risk of malicious attacks. According to the advisory ...
Eight unpatched security vulnerabilities have been found in open-source and freemium document management systems (DMS) offered by four vendors, LogicalDOC, Mayan, ONLYOFFICE, and OpenKM.These flaws were revealed by cybersecurity firm Rapid7 and allow for a malicious actor to trick a user into saving a harmful document on the platform, and once inde...
A Russia-affiliated adversary has been caught utilizing new information-stealing malware in cyberattacks aimed at Ukraine. Named Graphiron by Symantec, a subsidiary of Broadcom, the malware is the work of an espionage group known as Nodaria, which is monitored by the Computer Emergency Response Team of Ukraine (CERT-UA) under the label UAC-0056. Ac...
On February 7, 2023, a Russian national, Denis Mihaqlovic Dubnikov, admitted to money laundering and concealing the source of funds obtained through Ryuk ransomware attacks in a U.S. court. Dubnikov, who was arrested in Amsterdam in November 2021 and later extradited from the Netherlands in August 2022, will be sentenced on April 11, 2023. Accordin...
The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a warning about ongoing cyber attacks targeting state authorities in the country that use a legitimate remote access software named Remcos. The widespread phishing campaign has been traced back to a threat actor known as UAC-0050, and the agency has described the nature of the atta...
A collaborative law enforcement effort by Germany, the Netherlands, and Poland resulted in the dismantling of the encrypted messaging platform Exclu.Eurojust reported the arrests of 45 individuals in Belgium and the Netherlands, including users, administrators, and owners of the service. During raids in 79 locations, authorities seized €5.5 million...
Cybercriminals are exploiting known weaknesses in the Sunlogin software to deploy the Sliver Command-and-Control (C2) framework for post-exploitation activities. This was uncovered by the AhnLab Security Emergency Response Center (ASEC), which discovered that security flaws in the Chinese-developed remote desktop program, Sunlogin, are being taken ...
GitHub, a subsidiary of Microsoft, announced that unknown attackers managed to extract encrypted code signing certificates related to some versions of GitHub Desktop for Mac and Atom applications. To ensure security, the company is revoking the affected certificates. As a result, certain versions of GitHub Desktop for Mac, including 3.0.2 to 3.1.2 ...
The National Cyber Security Centre (NCSC) of the United Kingdom has issued a warning about spear-phishing attacks orchestrated by state-sponsored actors from Russia and Iran. The attacks are aimed at specific sectors, including academia, defense, government organizations, NGOs, and think tanks, as well as politicians, journalists, and activists, an...
The actors responsible for the Gootkit malware have made significant modifications to their toolset, incorporating new components and obfuscations into their infection methods. The Google-owned cybersecurity firm, Mandiant, is keeping a close eye on the cluster of activity known as UNC2565 and has determined that the usage of the Gootkit malware is...
Ukraine has been the target of a recent cyber attack from Russia, utilizing a previously unseen data wiper called SwiftSlicer. The attack was attributed to Sandworm, a state-sponsored group linked to Military Unit 74455 of the GRU, the Main Intelligence Directorate of the General Staff of the Armed Forces of the Russian Federation. ESET disclosed...
On Tuesday, GoTo (formerly LogMeIn), the parent company of LastPass, announced that an unknown party had successfully accessed encrypted backups of certain customers’ data, along with the encryption key for some of these backups, in a November 2022 incident. The company has identified that a third-party cloud storage service was targeted, whi...
Two security vulnerabilities have been identified in the Samsung Galaxy Store application for Android devices that could potentially be exploited by a local attacker to install arbitrary applications or redirect potential victims to fraudulent web pages. The vulnerabilities, designated as CVE-2023-21433 and CVE-2023-21434, were discovered by NCC Gr...
Researchers have successfully dismantled an extensive ad fraud scheme, known as VASTFLUX, that affected over 1,700 applications from 120 publishers and impacted around 11 million devices. According to fraud prevention firm HUMAN, VASTFLUX was a malvertising attack that injected malicious JavaScript code into digital ad creatives, allowing the fraud...
According to a report by the BlackBerry Research and Intelligence Team, the Russian state-sponsored cyber espionage group known as Gamaredon has continued its digital attacks against Ukraine, utilizing the popular messaging app Telegram to target the country’s military and law enforcement sectors. The group, also known by various other names ...
An individual going by the name of Lolip0p has uploaded three malicious packages to the Python Package Index (PyPI) repository, which are designed to install malware on developer systems that download them. The packages, named color slab (versions 4.6.11 and 4.6.12), httpslib (versions 4.6.9 and 4.6.11), and libhttps (version 4.6.12), were uploaded...
On Friday, DevOps platform CircleCI announced that it had experienced a data breach as a result of a “sophisticated attack” on December 16, 2022. The incident involved an employee’s laptop being compromised by unknown actors, who then used malware to steal the employee’s two-factor authentication-backed credentials to gain a...
A significant portion of internet-exposed Cacti servers remain unpatched against a recently discovered critical security vulnerability that has been actively exploited in the wild, according to attack surface management platform Censys. Out of a total of 6,427 servers, only 26 were found to be running a patched version of Cacti (1.2.23 and 1.3.0). ...
A recent surge in attacks utilizing the Gootkit malware loader has targeted the Australian healthcare sector, according to cybersecurity firm Trend Micro. The malware, also known as Gootloader, is known for using search engine optimization (SEO) poisoning tactics to gain initial access. It typically works by compromising legitimate infrastructure a...
A previously unknown actor of an “advanced persistent threat” (APT) is targeting government and military organizations in the Asia-Pacific region, according to a report from Singapore-based cybersecurity firm Group-IB.The group, which is tracking the campaign under the name “Dark Pink,” has attributed seven successful attack...
As of 2023, it is important for SaaS companies to be aware of the potential cybersecurity threats that may arise. In order to ensure the safety of your systems and data, it is crucial to focus on the following four key areas: web application weaknesses, misconfiguration mistakes, vulnerable software and patching, and weak internal security...
