Current Active Threats
Hackers Mostly Targeted Microsoft, Google, Apple Zero-days in 2022
Date: 2023-03-21

Hackers continue to target zero-day vulnerabilities in malicious campaigns, with researchers reporting that 55 zero-days were actively exploited in 2022, most targeting Microsoft, Google, and Apple products. Most of these vulnerabilities (53 out of 55) enabled the attacker to either gain elevated privileges or perform remote code execution on vulnerable devices.

Contact Us For Full Threat Report, Analyst Comments & Mitigation Steps

Hitachi Energy Confirms Data Breach After Clop GoAnywhere Attacks
Date: 2023-03-20

Hitachi Energy, a subsidiary of the Japanese multinational conglomerate Hitachi, has confirmed a data breach that occurred after it was hit by the Clop ransomware group's GoAnywhere attacks. Hitachi Energy is a division of the Japanese engineering and technology conglomerate, with an annual revenue of 10 billion. The attack resulted in the theft of sensitive data from several business units in the United States, Thailand, and Japan.

Alleged BreachForums Owner Pompompurin Arrested on Cybercrime Charges
Date: 2023-03-20

U.S. law enforcement arrested a New York man on Wednesday believed to be Pompompurin, the owner of the BreachForums hacking forum. According to court documents, he was charged with one count of conspiracy to solicit individuals to sell unauthorized access devices. During the arrest, the defendant allegedly admitted that his real name was Connor Brian Fitzpatrick and that he was Pompompurin, the owner of the BreachForums cybercrime forum.

New GoLang-Based HinataBot Exploiting Router and Server Flaws for DDoS Attacks
Date: 2023-03-20

Researchers at Akamai have spotted a new botnet dubbed “HinataBot” that leverages known flaws to compromise routers and servers, which are then used to stage distributed denial-of-service attacks. The vulnerabilities exploited include CVE-2014-8361, affecting Realtek SDK devices, and CVE-2017-17215, affecting Huawei HG532 routers.

Emotet Malware Now Distributed in Microsoft OneNote Files to Evade Defenses
Date: 2023-03-20

The Emotet malware is now distributed using Microsoft OneNote email attachments, aiming to bypass Microsoft security restrictions and infect more targets. Emotet is a notorious malware botnet historically distributed through Microsoft Word and Excel attachments that contain malicious macros. If a user opens the attachment and enables macros, a DLL will be downloaded and executed that installs the Emotet malware on the device. Once loaded, the malware will steal email contacts and email content for use in future spam campaigns. It will also download other payloads that provide initial access to the corporate network. This access is used to conduct cyberattacks against the company, which could include ransomware attacks, data theft, cyber espionage, and extortion.

Chinese Hackers Targeting Security and Network Appliances
Date: 2023-03-20

Chinese threat actors are turning security appliances into penetration pathways, forcing firewall maker Fortinet to again attempt to fend off hackers with a patch. Researchers from Mandiant say a suspected Beijing-linked group it tracks as UNC3886 has been targeting chip-based firewall and virtualization boxes. The group, Mandiant said in a Thursday blog post, exploited a now-patched path traversal zero-day vulnerability tracked as CVE-2022-41328 in the Fortinet operating system in order to gain persistence on FortiGate and FortiManager products. Such penetrations can give hackers years of uninterrupted access to internal networks. A threat cluster related to UNC3886 also targeted a Fortinet zero-day in a campaign that involved delivery of a custom backdoor "specifically designed to run on FortiGate firewalls."

Adobe Acrobat Sign Abused to Push Redline Info-Stealing Malware
Date: 2023-03-17

Cybercriminals are abusing the Adobe Acrobat Sign service to distribute Redline malware, a powerful information-stealing Trojan. Adobe Acrobat Sign is a cloud-based e-signature service that enables users to create, send, track, and manage electronic signatures. It is a free-to-try service that allows users to sign documents securely and remotely without physical paperwork. Avast researchers observed threat actors sending phishing emails to trick victims into opening malicious PDF documents.

Conti-Based Ransomware ‘Meowcorp’ Gets Free Decryptor
Date: 2023-03-17

A decryption tool for a modified version of the Conti ransomware could help hundreds of victims recover their files for free. The utility works with data encrypted with a strain of the ransomware that emerged after the source code for Conti was leaked last year in March [1, 2]. Researchers at cybersecurity company Kaspersky found the leak on a forum where the threat actors released a cache of 258 private keys from a modified version of the Conti ransomware.

Fortinet Zero-Day Attacks Linked to Suspected Chinese Hackers
Date: 2023-03-17

A suspected Chinese hacking group has been linked to a series of attacks on government organizations exploiting a Fortinet zero-day vulnerability (CVE-2022-41328) to deploy malware. The security flaw allowed threat actors to deploy malware payloads by executing unauthorized code or commands on unpatched FortiGate firewall devices, as Fortinet disclosed last week. Further analysis revealed that the attackers could use the malware for cyber-espionage, including data exfiltration, downloading and writing files on compromised devices, or opening remote shells when receiving maliciously crafted ICMP packets.

Russia May Be Reviving Cyber Ops Ahead of Spring Offensive
Date: 2023-03-17

British intelligence reports that since early in January, the Russian military appears to have been "attempting to restart major operations" with a focus on capturing "the remaining Ukrainian-held parts of Donetsk Oblast," a territory the size of Massachusetts located in the eastern part of the country. In new analysis, Microsoft reports Russia in recent months appears to have increased cyberespionage efforts aimed at nations helping with the defense of Ukraine, mostly governments of European nations. Based on a recent flurry of activity by Russia, Microsoft foresees an uptick in ransomware, an emphasis on obtaining initial access to systems, and increased influence operations.

BianLian Ransomware Gang Shifts Focus to Pure Data Extortion
Date: 2023-03-17

The BianLian ransomware group has shifted its focus from encrypting its victims' files to only exfiltrating data found on compromised networks and using it for extortion. This operational development in BianLian was reported by cybersecurity company Redacted, which has seen signs of the threat group attempting to hone its extortion skills and increase the pressure on its victims.

US Federal Agency Hacked Using Old Telerik Bug to Steal Data
Date: 2023-03-17

Last year, a U.S. federal agency's Microsoft Internet Information Services (IIS) web server was hacked by exploiting a critical .NET deserialization vulnerability in the Progress Telerik UI for ASP[.]NET AJAX component. According to a joint advisory issued today by CISA, the FBI, and MS-ISAC, the attackers had access to the server between November 2022 and early January 2023 based on indicators of compromise (IOCs) found on the unnamed federal civilian executive branch (FCEB) agency's network.

CISA Warns of Adobe ColdFusion Bug Exploited as a Zero-Day
Date: 2023-03-16

CISA recently added a critical bug to its catalog of known exploited vulnerabilities. Tracked as CVE-2023-26360, the vulnerability relates to an improper access control issue impacting Adobe ColdFusion versions 2021 (Update 5 and earlier versions) and 2018 (Update 15 and earlier versions). Successful exploitation of the flaw could enable actors to elevate their privileges, access sensitive information, and even execute arbitrary code remotely. The vulnerability has been fixed in ColdFusion 2018 version 16 and ColdFusion 2021 version 6. Given the severity of the flaw, CISA is giving federal agencies three weeks, until April 5, to apply the security updates.

Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers Vulnerabilities
Date: 2023-03-16

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, RV082, RV320, and RV325 Routers could allow a remote attacker to bypass authentication or execute arbitrary commands on the underlying operating system of an affected device. "A vulnerability in the web-based management interface of Cisco Small Business RV016, RV042, RV042G, and RV082 Routers could allow an unauthenticated, remote attacker to bypass authentication on an affected device."

Winter Vivern APT hackers Use Fake Antivirus Scans to Install Malware
Date: 2023-03-16

An advanced hacking group named 'Winter Vivern' targets European government organizations and telecommunication service providers to conduct espionage. The group's activities align with the interests of the Russian and Belarusian governments, so it is believed that this is a pro-Russian APT (advanced persistent threat) group. Sentinel Labs reports that the threat group functions on limited resources; however, their creativity compensates for these limitations.

Veeam Backup & Replication CVE-2023-27532 Exploit Created
Date: 2023-03-16

On 7 March 2023, Veeam published a knowledge base article outlining CVE-2023-27532, a vulnerability in the Veeam Backup & Replication component that allowed an unauthenticated user to retrieve host credentials stored in the configuration database. This weakness could ultimately enable an attacker to gain access to hosts and devices managed by the Veeam Backup server. With access to the open TCP port 9401, any individual could obtain credentials and potentially move laterally throughout the network with the newly exposed username and passwords.

US SEC Amps Up Regulatory Proposals for Market Cybersecurity
Date: 2023-03-16

The Securities and Exchange Commission proposed a slew of new cybersecurity rules for the companies underpinning the U.S. stock market, the latest sign of increasing unhappiness among Biden administration officials about the private sector's management of digital risk. The commission approved a proposal that would place market entities under a mandate to report significant cybersecurity incidents to the agency after having concluded with "reasonable basis" that the incident occurred, or even is still in progress.

Yorotrooper Cyberspies Target CIS Energy Orgs, EU Embassies
Date: 2023-03-15

According to researchers, a new group of cybercriminals dubbed YoroTrooper is targeting European Union embassies, Central Asian diplomatic organizations, and energy companies in Ukraine and Kazakhstan. The threat actors access victims' networks through phishing emails containing malicious LNK attachments and decoy PDF documents. Researchers at Cisco Talos observed YoroTrooper exfiltrating significant amounts of data from infected endpoints, along with credentials, cookies, and browsing histories. "While YoroTrooper uses malware associated with other threat actors, such as PoetRAT and LodaRAT, Cisco's analysts have enough indications to believe this is a new cluster of activity."

Rubrik Confirms Data Theft in GoAnywhere Zero-Day Attack
Date: 2023-03-15

Cybersecurity company Rubrik has confirmed that its data was stolen using a zero-day vulnerability in the Fortra GoAnywhere secure file transfer platform. Rubrik is a cloud data management service that offers enterprise data backup and recovery services and disaster recovery solutions. In a statement from Rubrik CISO Michael Mestrovich, the company disclosed that it was a victim of a large-scale attack against GoAnywhere MFT devices worldwide using a zero-day vulnerability.

SAP Releases Security Updates Fixing Five Critical Vulnerabilities
Date: 2023-03-15

As part of the SAP Security Patch Day for the month of March, the software vendor addressed 19 vulnerabilities, five of which have been rated critical in severity. The critical vulnerabilities impact SAP Business Objects Business Intelligence Platform (CMC) and SAP NetWeaver.

US CISA to Warn Critical Infrastructure of Ransomware Risk
Date: 2023-03-15

The top U.S. cybersecurity agency says it is testing out scanning critical infrastructure organizations to detect vulnerabilities exploitable by ransomware hackers, in a bid to have them patched before extortionists also catch them out. Congress called on the Cybersecurity and Infrastructure Security Agency to conduct a pilot program scanning for ransomware vulnerabilities in legislation that became law last March. The Ransomware Vulnerability Warning Pilot became active on Jan. 30.

Exfiltration Malware Takes Center Stage in Cybersecurity Concerns
Date: 2023-03-15

SpyCloud has released their 2023 Annual Identity Exposure Report. The report identified over 22 million unique devices infected by malware last year. Of the 721.5 million exposed credentials recovered by SpyCloud, roughly 50% came from botnets, tools commonly used to deploy highly accurate information-stealing malware. The researchers warn of a distinctive spike in malware designed to exfiltrate data directly from devices and browsers, which has led to continued user exposure.

Critical Patches Issued for Microsoft Products - CVE-2023-23397 - Microsoft Outlook Update, Script Available for Investigation
Date: 2023-03-15

A critical vulnerability in the ubiquitous Microsoft Outlook/365 applications suite is being actively abused in the wild and demands urgent patching. CVE-2023-23397, a CVSS 9.8 bug, lets a remote and unauthenticated attacker breach systems merely by sending a specially crafted email that allows them to steal the recipient’s credentials.

Critical Patches Issued for Microsoft Products
Date: 2023-03-15

Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for remote code execution in the context of the logged on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Remote Code Execution and Camera Access Flaws Found in Smart Intercoms
Date: 2023-03-14

Researchers discovered 13 security flaws in smart intercoms that could allow hackers to access people's homes or listen in on conversations. These vulnerabilities include the ability for remote code execution, network access, and other types of unauthorized access.

Fortinet FortiOS Flaw Exploited in Targeted Cyberattacks on Government Entities
Date: 2023-03-14

It has come to light that attackers leveraged a new FortiOS bug patched this month as a zero-day in attacks targeting government and large organizations, resulting in data loss and OS and file corruption. The vulnerability in question (CVE-2022-41328) has been rated medium in severity and can enable threat actors to execute unauthorized code or commands.

CISA Now Warns Critical Infrastructure of Ransomware-Vulnerable Devices
Date: 2023-03-14

Ransomware continues to be a pertinent threat to critical infrastructure, with actors leveraging known vulnerabilities to target organizations across the globe. As a countermeasure, CISA has announced a new pilot program to help critical infrastructure entities protect their information systems from ransomware attacks. The program, dubbed the “Ransomware Vulnerability Warning Pilot” (RVWP) and started on January 30, 2023, will help organizations identify vulnerabilities in their systems that might be exploited by ransomware threat actors.

DEV-1101 Enables High-volume AiTM Campaigns with Open-source Phishing Kit
Date: 2023-03-14

Adversary-in-the-middle (AiTM) phishing kits are part of an increasing trend that is observed supplanting many other less advanced forms of phishing. AiTM phishing is capable of circumventing multifactor authentication (MFA) through reverse-proxy functionality. DEV-1101 is an actor tracked by Microsoft responsible for the development, support, and advertising of several AiTM phishing kits, which other cybercriminals can buy or rent. The availability of such phishing kits for purchase by attackers is part of the industrialization of the cybercriminal economy and lowers the barrier of entry for cybercrime.

North Korean Hackers Find Value in LinkedIn
Date: 2023-03-14

Business social media platform LinkedIn continues to pay dividends for North Korean hackers, including one group historically concentrated on South Korean targets that has expanded into pursuing security researchers and media industry workers in the West. A Pyongyang group tracked by Google threat intelligence unit Mandiant as UNC2970 masquerades as recruiters on LinkedIn in a bid to entice victims into opening a phishing payload disguised as a job description or skills assessment.

Cybersecurity Poised for Spending Boost in Biden Budget
Date: 2023-03-13

The Biden administration's spending blueprint for the coming federal fiscal year includes increased funding for cybersecurity at federal agencies and for Ukraine. The $1.7 trillion proposal for discretionary federal spending starting Oct. 1 includes $753 million in assistance for Ukraine. The money would be used by Kyiv to "counter Russian malign influence and to meet emerging needs related to security, energy, cybersecurity, disinformation, macroeconomic stabilization, and civil society resilience," a White House budget overview states. Additional budget documents containing more detail are set for release on Monday.

Medusa Ransomware Gang Picks up Steam as It Targets Companies Worldwide
Date: 2023-03-13

The Medusa ransomware gang is gaining momentum as it targets companies worldwide. The group first emerged in 2021 and has been observed utilizing a variety of tactics to compromise organizations, including phishing emails, exploiting vulnerable remote desktop services, and exploiting vulnerabilities in software. Bleeping Computer has analyzed Medusa's encryptor for Windows, but it is not clear whether or not the group has an encryptor for Linux. The Windows encryptor has command-line options that enable the attackers to customize how files get encrypted on infected devices. Additionally, the ransomware terminates over 280 Windows services and processes to prevent interference with file encryption, including services for mail servers, database servers, backup servers, and security software.

KamiKakaBot Malware Used in Latest Dark Pink APT Attacks on Southeast Asian Targets
Date: 2023-03-13

The Dark Pink advanced persistent threat (APT) actor has been linked to a fresh set of attacks targeting government and military entities in Southeast Asian countries with a malware called KamiKakaBot. Dark Pink, also called Saaiwc, was extensively profiled by Group-IB earlier this year, describing its use of custom tools such as TelePowerBot and KamiKakaBot to run arbitrary commands and exfiltrate sensitive information.

Clop Ransomware Gang Begins Extorting GoAnywhere Zero-Day Victims
Date: 2023-03-13

The Clop ransomware gang has begun extorting companies whose data was stolen using a zero-day vulnerability in the Fortra GoAnywhere MFT secure file-sharing solution. In February, the GoAnywhere MFT file transfer solution developers warned customers that a zero-day remote code execution vulnerability was being exploited on exposed administrative consoles. GoAnywhere is a secure web file transfer solution that allows companies to securely transfer encrypted files with their partners while keeping detailed audit logs of who accessed the files.

Xenomorph Android Malware Now Steals Data From 400 Banks
Date: 2023-03-10

The Xenomorph Android malware has been upgraded with new capabilities, including an automated transfer system framework and the ability to steal login credentials from 400 banks. The malware was first discovered on the Google Play store in February 2022 with over 50,000 downloads. The latest version of the malware targets financial institutions in the United States, Spain, Turkey, Poland, Australia, Canada, Italy, Portugal, France, Germany, UAE, and India. "Some examples of targeted institutions include Chase, Citibank, American Express, ING, HSBC, Deutsche Bank, Wells Fargo, Amex, Citi, BNP, UniCredit, National Bank of Canada, BBVA, Santander, and Caixa." The list is too extensive to include here, but ThreatFabric has listed all targeted banks in the appendix of its report. Moreover, the malware targets 13 cryptocurrency wallets, including Binance, BitPay, KuCoin, Gemini, and Coinbase.

Internet Crime in 2022: Over $3 Billion Lost to Investment Scammers
Date: 2023-03-10

“In 2022, investment scam losses were the most (common or dollar amount) scheme reported to the Internet Crime Complaint Center (IC3),” the FBI shared in its 2022 Internet Crime Report. This category includes crypto-investment scams such as liquidity mining, celebrity impersonation, “pig butchering,” and many more. Business email compromise (BEC) scams are the second most financially destructive overall, followed by tech support scams and personal data breaches.

Alleged Seller of Netwire RAT Arrested in Croatia
Date: 2023-03-10

This week, as part of a global law enforcement operation, federal authorities in Los Angeles successfully confiscated www[.]worldwiredlabs[.]com, a domain utilized by cybercriminals to distribute the NetWire remote access trojan (RAT), which allowed perpetrators to assume control of infected computers and extract a diverse range of sensitive information from their unsuspecting victims.

Microsoft: Business Email Compromise Attacks Can Take Just Hours
Date: 2023-03-10

Microsoft’s Security Intelligence team recently investigated a business email compromise (BEC) attack and found that attackers move rapidly, with some steps taking mere minutes. The whole process, from signing in using compromised credentials to registering typosquatting domains and hijacking an email thread, took the threat actors only a couple of hours. This rapid attack progression ensures that the targets will have minimal opportunity to identify signs of fraud and take preventive measures.

SonicWall SMA Appliance Infected by a Custom Malware Allegedly Developed by Chinese Hacker
Date: 2023-03-10

Mandiant researchers reported that alleged China-linked threat actors, tracked as UNC4540, deployed custom malware on a SonicWall SMA appliance. The malware allows attackers to steal user credentials, achieve persistence through firmware upgrades, and provides shell access. The compromised device contained a set of files used by the attacker to gain highly privileged access to the appliance. The code itself contained a variety of bash scripts and a single ELF binary identified as a TinyShell variant.

Fortinet Plugs Critical RCE Hole in FortiOS, FortiProxy (CVE-2023-25610)
Date: 2023-03-09

Fortinet has patched 15 vulnerabilities in a variety of its products, including CVE-2023-25610, a critical flaw affecting devices running FortiOS and FortiProxy. None of the patched vulnerabilities is actively exploited, but Fortinet’s devices are often targeted by ransomware gangs and other cyber attackers, so implementing the offered security updates quickly is advised. Discovered by Fortinet infosec engineer Kai Ni, CVE-2023-25610 is a buffer underwrite (‘buffer underflow’) vulnerability found in the FortiOS and FortiProxy administrative interface. Linux-based FortiOS powers many of Fortinet’s products, including its FortiGate firewalls and various switches. FortiProxy is a secure web proxy that protects users against internet-borne attacks.

Fake ChatGPT Chrome Extension Targeted Facebook Ad Accounts
Date: 2023-03-09

ChatGPT has garnered a lot of questions about its security and capacity for manipulation, partly because it is new software that has seen unprecedented growth (hosting 100 million users just two months following its launch). Security concerns vary from the risk of data breaches to the program writing code on behalf of hackers. Running from malvertising to extension installation, hijacking of Facebook accounts, and back again to propagation, the fake ChatGPT extension discovered by Guardio is the latest security concern, affecting thousands daily. The scam starts with the malicious stealer extension, “Quick access to Chat GPT,” showing up in Facebook-sponsored posts as a quick way to get started with ChatGPT directly from your browser.

FBI Investigates Data Breach Impacting U.S. House Members and Staff
Date: 2023-03-09

The FBI is investigating a data breach that has affected US House members and staff. Hackers have obtained sensitive personal information from the servers of DC Health Link, which administers health plans. The US House Chief Administrative Officer notified impacted individuals via email. The email stated that "DC Health Link suffered a significant data breach yesterday potentially exposing the Personal Identifiable Information (PII) of thousands of enrollees. As a Member or employee eligible for health insurance through D.C. Health Link, your data may have been compromised" (Bleeping Computer, 2023). The scope and severity of the breach are currently unclear, and it does not appear that Members or the House of Representatives were the specific targets of the attack.

QR Codes: A Growing Vulnerability to Cybercrimes
Date: 2023-03-09

QR codes are increasingly being used by cybercriminals in attacks. “Invented in the 1990s, QR codes surged during the pandemic. They offered a way for people to access information and conduct activities in a touchless way.” Insider Intelligence reports that the number of US smartphone users scanning a QR code will increase from 83.4 million in 2022 to 99.5 million in 2025.

IceFire Ransomware Now Encrypts Both Linux and Windows Systems
Date: 2023-03-09

Threat actors linked to the IceFire ransomware operation now actively target Linux systems worldwide with a new dedicated encryptor. SentinelLabs security researchers found that the gang has breached the networks of several media and entertainment organizations around the world in recent weeks, starting mid-February.

Emotet Malware Attacks Return After Three-Month Break
Date: 2023-03-08

Emotet, a notorious malware active since 2014, has resumed its attacks after a three-month break. The malware is primarily distributed through phishing emails containing Microsoft Word and Excel document attachments, and is used to harvest victims' emails and contacts for use in future Emotet campaigns or to download additional payloads such as Cobalt Strike or other malware that commonly leads to ransomware attacks.

US Senators Aim to Block Foreign Tech that Poses Threat
Date: 2023-03-08

A dozen U.S. senators on Tuesday introduced bipartisan legislation backed by the White House charging the federal government with initiating a process to systematically block foreign technology from reaching the domestic market when the tech poses a national security threat. Backers say the bill, the Restricting the Emergence of Security Threats that Risk Information Communications Technology Act, could result in restrictions for the social media platform TikTok, which is owned by Chinese company ByteDance. The short form video app has operated under a cloud of Washington, D.C.-driven opposition dating to fears by the Trump administration that TikTok shares data with the Chinese government and could be used in Beijing influence operations.

New HiatusRAT Router Malware Covertly Spies On Victims
Date: 2023-03-08

The HiatusRAT campaign is significantly smaller than some of the more prominent botnets such as Emotet or Chaos, both of which indiscriminately target vulnerable devices on the internet. It has been assessed that the threat actor most likely chose to keep the campaign small to evade detection. "As of mid-February 2023, there were approximately 2,700 DrayTek Vigor 2960 routers and approximately 1,400 DrayTek Vigor 3900 routers exposed on the internet, and Hiatus had compromised approximately 100 of these routers."

Taiwan Suspects Chinese Ships Cut Islands’ Internet Cables
Date: 2023-03-08

Matsu, an outlying island close to neighboring China, relies on two undersea cables to provide Internet to its 14,000 residents. In the past five years, the island has seen its Internet cables cut 27 times. Residents have struggled with paying electricity bills, making doctors' appointments, and receiving packages due to the constant destruction of their Internet backbone.

New Malware Variant has “Radio Silence” Mode to Evade Detection
Date: 2023-03-08

The Sharp Panda cyber-espionage hacking group is targeting high-profile government entities in Vietnam, Thailand, and Indonesia with a new version of the ‘Soul’ malware framework. The particular malware was previously seen in espionage campaigns targeting critical Southeast Asian organizations, attributed to various Chinese APTs.

Russian Disinformation Campaign Records High-Profile Individuals on Camera
Date: 2023-03-07

Researchers at Proofpoint have discovered Russian-aligned hackers known as TA499 targeting individuals and organizations through video call requests. TA499 lures prominent business people and individuals who have supported Ukrainian humanitarian efforts or have criticized the Russian government. The threat actors send fake video conferencing invitations that appear legitimate. The attacks primarily focus on organizations in the United States and Europe.

Publicity Stunt: Criminals Dump 2 Million Free Payment Cards
Date: 2023-03-07

Last week, the credit card market BidenCash, which sells compromised payment card data, released free details of 2 million payment cards. The market for carders - aka credit and debit card thieves - trumpets that the release is intended to celebrate its first anniversary. Whether actual fraudsters find that data dump useful is questionable: the payment cards included in the mess are nearing expiration or are likely already rendered useless by a security alert. BidenCash's leak is more akin to a free food sample you get on a toothpick at the grocery store than a genuine freebie.

Nvidia Working on Driver Fix for Windows BSOD, High CPU Usage
Date: 2023-03-07

Nvidia confirmed today that it's working to fix a driver issue causing high CPU usage and blue screens of death (BSODs) on Windows systems. The buggy driver is the GeForce Game Ready 531.18 WHQL driver released on February 28th that introduced support for RTX Video Super Resolution. This comes after customers have been complaining for days on the company's forums and on social media that the Nvidia Game Session Telemetry Plugin (NvGSTPlugin.dll) loaded by the Nvidia Display Container service leads to CPU spikes of 10% or more on Windows systems after closing games or rendering apps. In the Nvidia forum thread asking for feedback on this driver version, users are also reporting experiencing constant blue screens on up-to-date Windows installations and that reverting to an older driver version fixes the BSOD problems.

Old Windows ‘Mock Folders’ UAC Bypass Used to Drop Malware
Date: 2023-03-07

A new phishing campaign targets organizations in Eastern European countries with the Remcos RAT malware, aided by an old Windows User Account Control (UAC) bypass discovered over two years ago. The use of mock trusted directories to bypass Windows User Account Control stands out in the attack, as the technique has been known since 2020 but remains effective today.

Vulnerability in DJI Drones May Reveal Pilot’s Location
Date: 2023-03-07

Serious security vulnerabilities have been identified in multiple DJI drones. These weaknesses had the potential to allow users to modify crucial drone identification details such as its serial number and even bypass security mechanisms that enable authorities to track both the drone and its pilot. In special attack scenarios, the drones could even be brought down remotely in flight.

Draytek VPN Routers Hacked With New Malware to Steal Data, Evade Detection
Date: 2023-03-07

An ongoing hacking campaign called 'Hiatus' targets DrayTek Vigor router models 2960 and 3900 to steal data from victims and build a covert proxy network. DrayTek Vigor devices are business-class VPN routers used by small to medium-sized organizations for remote connectivity to corporate networks. The new hacking campaign, which started in July 2022 and is still ongoing, relies on three components: a malicious bash script, a malware named "HiatusRAT," and the legitimate 'tcpdump' utility, used to capture network traffic flowing over the router.

How to Prevent Microsoft OneNote Files from Infecting Windows with Malware
Date: 2023-03-07

The Microsoft OneNote file format has become a popular vehicle for hackers to spread malware and breach corporate networks. Threat actors had previously abused macros in Microsoft Word and Excel, but after Microsoft disabled macros by default, threat actors turned to other file formats to distribute malware. ISO files and password-protected ZIP archives became popular choices.

CISA Warns That Royal Ransomware Is Picking Up Steam
Date: 2023-03-07

The Royal ransomware group targeting critical infrastructure in the United States and other countries is made up of experienced ransomware attackers and has strong similarities to Conti, the infamous Russia-linked hacking group, according to a new alert issued by U.S. authorities. The group is targeting major industries including manufacturing, communications, education and healthcare organizations in the U.S. and other countries, according to a joint advisory from the U.S. Cybersecurity and Infrastructure Security Agency and the FBI. The attackers appear to be particularly interested in hitting the U.S. healthcare sector, demanding ransoms from $250,000 to over $2 million.

US Government Orders States to Conduct Cyber Security Audits of Public Water Systems
Date: 2023-03-06

The Biden administration announced on Friday that it will make it mandatory for states to conduct cyber security audits of public water systems. Water systems are critical infrastructure that is increasingly exposed to the risk of cyberattacks by both cybercriminal organizations and nation-state actors, the US Environmental Protection Agency reported. “Cyberattacks against critical infrastructure facilities, including drinking water systems, are increasing, and public water systems are vulnerable,” said EPA Assistant Administrator Radhika Fox, as reported by the Associated Press. “Cyberattacks have the potential to contaminate drinking water.”

Phishing Campaign Targets Job Seekers, Employers
Date: 2023-03-06

The phishing campaigns target job seekers by sending emails that purport to belong to a recruitment agency, asking them to provide personal information or login credentials. The malware campaign attempts to drop prominent malware like AgentTesla, Emotet, Cryxos Trojans and Nemucod on victims' devices. Trellix researchers also observed that attackers are posing as job seekers to target employers.

Hatch Bank Discloses Data Breach After GoAnywhere MFT Hack
Date: 2023-03-03

Fintech banking platform Hatch Bank has reported a data breach after hackers stole the personal information of almost 140,000 customers from the company's Fortra GoAnywhere MFT secure file-sharing platform. Hatch Bank is a financial technology firm allowing small businesses to access bank services from other financial institutions.

Over 71k Impacted by Credential Stuffing Attacks on Chick-fil-A Accounts
Date: 2023-03-03

American fast food restaurant chain Chick-fil-A has started notifying roughly 71,000 individuals that their user accounts have been compromised in a two-month-long credential stuffing campaign. In a notification letter to impacted customers, a copy of which was submitted to multiple Attorney General offices, Chick-fil-A says the accounts were compromised in a series of automated attacks targeting both its website and mobile application.

Microsoft Releases Windows Security Updates for Intel CPU Flaws
Date: 2023-03-03

Microsoft has released out-of-band security updates for the 'Memory Mapped I/O Stale Data (MMIO)' information disclosure vulnerabilities in Intel CPUs. The MMIO side-channel vulnerabilities were initially disclosed by Intel on June 14th, 2022, with a warning that the flaws could allow processes running in one virtual machine to access data from another virtual machine.

Investment Scam Network Relies on Massive IT Infrastructure
Date: 2023-03-02

Security researchers uncovered an investment scam network that draws on an online infrastructure of hundreds of hosts and thousands of domains to target primarily Indian victims by impersonating Fortune 100 companies. Resecurity dubs the criminal group behind the fraud "Digital Smoke" and says it targeted victims across the globe but focused on India; in 2022, the researchers say, the group took tens of billions of dollars from victims, and there has been a notable uptick in damages in the first months of this year. Digital Smoke used more than 350 hosting providers, and most domain names and hosting platforms were registered via the Chinese company Alibaba.

Trezor Warns of Massive Crypto Wallet Phishing Campaign
Date: 2023-03-02

Trezor is a hardware cryptocurrency wallet where users can store their crypto offline rather than through cloud-based wallets on their devices. Trezor is a tempting alternative to those who'd rather not have their crypto wallet connected to their PC to avoid malware and compromised devices. However, an ongoing phishing campaign masquerading as Trezor data breach notifications attempts to steal users' cryptocurrency and wallets.

Cisco Patches Critical Web UI RCE Flaw in Multiple IP Phones
Date: 2023-03-02

Cisco recently addressed several vulnerabilities impacting its IP phones which could enable unauthenticated remote threat actors to execute arbitrary code or cause a denial-of-service condition. The most severe of the flaws is tracked as CVE-2023-20078 and can allow an unauthenticated, remote attacker to inject arbitrary commands that are executed with root privileges.

Russian Government Bans Foreign Messaging Apps
Date: 2023-03-02

Russian government officials will no longer be able to use messaging apps developed and run by foreign companies, according to a new law which went into effect yesterday. Parts 8–10 of Article 10 of the new law – On Information, Information Technologies and Information Protection – apply to government agencies and organizations. “The law establishes a ban for a number of Russian organizations on the use of foreign messengers (information systems and computer programs owned by foreign persons that are designed and (or) used for exchanging messages exclusively between their users, in which the sender determines the recipients of messages and does not provide for placement by internet users publicly available information on the internet),” said regulator Roskomnadzor.

Dish Network Confirms Ransomware Attack Behind Multi-Day Outage
Date: 2023-03-01

The satellite broadcaster Dish Network experienced a multi-day network outage. The outage affected multiple services provided by Dish Network, such as Dish[.]com, the Dish Anywhere app, Boost Mobile, and other websites owned and operated by the provider. At first, Dish Network suspected that the cause of the outage was VPN issues.

Bitdefender Releases Free Decryptor for MortalKombat Ransomware Strain
Date: 2023-03-01

Romanian cybersecurity company Bitdefender has released a free universal decryptor for a nascent file-encrypting malware known as MortalKombat. MortalKombat is a new ransomware strain that emerged in January 2023. It's based on a commodity ransomware dubbed Xorist and has been observed in attacks targeting entities in the U.S., the Philippines, the U.K., and Turkey. Xorist, detected since 2010, is distributed as a ransomware builder, allowing cyber threat actors to create and customize their own version of the malware. This includes the ransom note, the file name of the ransom note, the list of file extensions targeted, the wallpaper to be used, and the extension to be used on encrypted files.

CISA Warns of Hackers Exploiting ZK Java Framework RCE Flaw
Date: 2023-03-01

CISA recently added a new vulnerability to its “Known Exploited Vulnerabilities Catalog.” Tracked as CVE-2022-36537 (CVSS 7.5), the vulnerability was discovered last year by Markus Wulftange and is a remote code execution flaw impacting ZK Framework versions 9.6.1, 9.6.0.1, 9.5.1.3, 9.0.1.2 and 8.6.4.1.

Healthcare Most Hit by Ransomware Last Year, FBI Finds
Date: 2023-03-01

Last year, the FBI's Internet Crime Complaint Center (IC3) received 870 complaints that "indicated organizations belonging to a critical infrastructure sector were victims of a ransomware attack," said David Scott, deputy assistant director of the FBI's Cyber Division, speaking at the Futurescot conference Monday in Glasgow, Scotland. Critical manufacturing and the government, including schools, followed healthcare as the most-attacked sectors, IC3 data shows. The top strain of observed ransomware was LockBit, followed by BlackCat and Hive, IC3 found. "That's just a small portion of the overall ransomware attacks; there are many, many more that didn't impact critical infrastructure," Scott said.

New Exfiltrator-22 Post-exploitation Kit Linked to Lockbit Ransomware
Date: 2023-02-28

Threat actors are promoting a new 'Exfiltrator-22' post-exploitation framework designed to spread ransomware in corporate networks while evading detection. Threat analysts at CYFIRMA claim that this new framework was created by former Lockbit 3.0 affiliates who are experts in anti-analysis and defense evasion, offering a robust solution in exchange for a subscription fee. The prices for Exfiltrator-22 range between $1,000 per month and $5,000 for lifetime access, offering continuous updates and support. Buyers of the framework are given an admin panel hosted on a bulletproof VPS (virtual private server) from where they can control the framework's malware and issue commands to compromised systems.

Critical Flaws in WordPress Houzez Theme Exploited to Hijack Websites
Date: 2023-02-28

Hackers are actively exploiting two critical-severity vulnerabilities in the Houzez theme and plugin for WordPress, two premium add-ons used primarily in real estate websites. The Houzez theme is a premium plugin that costs $69, offering easy listing management and a smooth customer experience. The vendor's site claims it is serving over 35,000 customers in the real estate industry. The two vulnerabilities were discovered by Patchstack's threat researcher Dave Jong and reported to the theme's vendor, 'ThemeForest,' with one flaw fixed in version 2.6.4 (August 2022) and the other in version 2.7.2 (November 2022). However, a new Patchstack report warns that some websites have not applied the security update, and threat actors actively exploit these older flaws in ongoing attacks.

U.S. Marshals Service Investigating Ransomware Attack, Data Theft
Date: 2023-02-28

On February 17, the U.S. Marshals Service suffered a ransomware and data exfiltration event affecting a stand-alone USMS system. The USMS bureau is a federal law enforcement agency operated within the Justice Department. The agency supports all elements of the Federal justice system by providing security for the Federal court facilities, executing federal court orders, apprehending criminals, assuring the safety of government witnesses and their families, and more.

LastPass: Incident 2 – Additional Attack Details
Date: 2023-02-28

LastPass revealed more information on a "coordinated second attack," in which a threat actor accessed and stole data from the company's Amazon AWS cloud storage servers for over two months. LastPass disclosed a breach in December in which threat actors stole partially encrypted password vault data and customer information: “The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

Phone Attacks and MFA Bypass Drive Phishing in 2022
Date: 2023-02-28

Security researchers have recorded a 76% year-on-year (YoY) increase in financial losses stemming from phishing attacks, as sophisticated tactics and user knowledge gaps give threat actors the upper hand. Proofpoint compiled its 2023 State of the Phish report from interviews with 7,500 consumers and 1,050 IT security professionals across 15 countries, as well as 135 million simulated phishing attacks and over 18 million emails reported by customer end users over the past year.

Chromeloader Campaign Lures With Malicious VHDs for Popular Games
Date: 2023-02-27

Researchers at the AhnLab Security Emergency Response Center observed a new technique applied in the ChromeLoader browser hijacking and adware campaign, which now employs VHD files titled after popular games.

News Corp Says State Hackers Were on Its Network for Two Years
Date: 2023-02-27

Mass media and publishing giant News Corporation (News Corp) says that attackers behind a breach disclosed in 2022 first gained access to its systems two years before, in February 2020. This was revealed in data breach notification letters sent to employees affected by the data breach, who had some of their personal and health information accessed, while the threat actors had access to an email and document storage system used by several News Corp businesses. The incident affected multiple news arms of the publishing conglomerate, including The Wall Street Journal, the New York Post, and its U.K. news operations.

PureCrypter Malware Hits Govt Orgs With Ransomware, Info-Stealers
Date: 2023-02-27

A threat actor has been targeting government entities with the PureCrypter malware downloader, which has been seen delivering multiple information stealers and ransomware strains. Researchers at Menlo Security discovered that the threat actor used Discord to host the initial payload and compromised a non-profit organization to store additional hosts used in the campaign. ‘The campaign was found to have delivered several types of malware including Redline Stealer, AgentTesla, Eternity, Blackmoon and Philadelphia Ransomware,’ the researchers say. According to the researchers, the observed PureCrypter campaign targeted multiple government organizations in the Asia-Pacific (APAC) and North America regions.

A World of Hurt for Fortinet and ManageEngine After Users Fail to Install Patches
Date: 2023-02-27

Organizations around the world are once again learning the risks of not installing security updates as multiple threat actors race to exploit two recently patched vulnerabilities that allow them to infect some of the most critical parts of a protected network.

Ukraine Finds 2-Year-Old Russian Backdoor
Date: 2023-02-27

Russian hackers breached and modified several Ukrainian state websites on Thursday morning using a backdoor planted nearly two years ago. The incident did not cause significant disruption, says the State Service of Special Communications and Information Protection of Ukraine. But the discovery of an encrypted web shell created no later than Dec. 23, 2021, hiding on the server of an official website, led to an investigation that revealed several additional backdoors.

Dozens of Malicious 'HTTP' Libraries Found on PyPI
Date: 2023-02-24

A large number of malicious libraries were discovered by researchers at ReversingLabs on the Python PyPI repository. According to an advisory published Wednesday by Lucija Valentic, a software threat researcher at ReversingLabs, most of the discovered files were malicious packages posing as HTTP libraries. "The descriptions for these packages, for the most part, don't hint at their malicious intent," Valentic explained. "Some are disguised as real libraries and make flattering comparisons between their capabilities and those of known, legitimate HTTP libraries." In particular, ReversingLabs spotted 41 malicious PyPI packages, which the security researchers divided into two types.

Ukraine Says Russian Hackers Backdoored Govt Websites in 2021
Date: 2023-02-24

The Computer Emergency Response Team of Ukraine (CERT-UA) says Russian state hackers have breached multiple government websites this week using backdoors planted as far back as December 2021. CERT-UA spotted the attacks after discovering a web shell on Thursday morning on one of the hacked websites that the threat actors (tracked as UAC-0056, Ember Bear, or Lorec53) used to install additional malware. This web shell was created in December 2021 and was used to deploy CredPump, HoaxPen, and HoaxApe backdoors one year ago, in February 2022, according to CERT-UA. The threat actors also used the GOST (Go Simple Tunnel) and the Ngrok tools during the early stages of their attack to deploy the HoaxPen backdoor.

Telus Investigating Leak of Stolen Source Code, Employee Data
Date: 2023-02-24

Canada's second-largest telecom, TELUS, is investigating a potential data breach after a threat actor shared samples online of what appears to be employee data. The threat actor subsequently posted screenshots that apparently show private source code repositories and payroll records held by the company. TELUS has so far not found evidence of corporate or retail customer data being stolen and continues to monitor the potential incident. On February 17, a threat actor put up what they claim to be TELUS' employee list (comprising names and email addresses) for sale on a data breach forum.

Experts Sound Alarm Over Growing Attacks Exploiting Zoho ManageEngine Products
Date: 2023-02-24

Multiple threat actors have been observed opportunistically weaponizing a now-patched critical security vulnerability impacting several Zoho ManageEngine products since January 20, 2023. Tracked as CVE-2022-47966 (CVSS score: 9.8), the remote code execution flaw allows a complete takeover of the susceptible systems by unauthenticated attackers. As many as 24 different products, including Access Manager Plus, ADManager Plus, ADSelfService Plus, Password Manager Pro, Remote Access Plus, and Remote Monitoring and Management (RMM), are affected by the issue.

Microsoft Urges Exchange Admins to Remove Some Antivirus Exclusions
Date: 2023-02-24

Microsoft says admins should remove some previously recommended antivirus exclusions for Exchange servers to boost the servers' security. As the company explained, exclusions targeting the Temporary ASP[.]NET Files and Inetsrv folders and the PowerShell and w3wp processes are no longer required, since they no longer affect stability or performance. Moreover, admins should make a point of scanning these locations and processes because they are often abused in attacks to deploy malware.

Clasiopa Hackers Use New Atharvan Malware in Targeted Attacks
Date: 2023-02-23

Symantec researchers have been tracking a hacking group dubbed Clasiopa. The threat actors have been targeting entities in the materials research sector using a remote access trojan called Atharvan. Currently, there is no indication of the initial access vector. However, "Symantec researchers found hints suggesting that Clasiopa uses brute force to gain access to public-facing servers."

Lazarus Group Using New WinorDLL64 Backdoor to Exfiltrate Sensitive Data
Date: 2023-02-23

A new backdoor associated with a malware downloader named Wslink has been discovered, with the tool likely used by the notorious North Korea-aligned Lazarus Group, new findings reveal. The payload, dubbed WinorDLL64 by ESET, is a fully-featured implant that can exfiltrate, overwrite, and delete files; execute PowerShell commands; and obtain comprehensive information about the underlying machine. Its other features comprise listing active sessions, creating and terminating processes, enumerating drives, and compressing directories.

Fruit Giant Dole Suffers Ransomware Attack Impacting Operations
Date: 2023-02-23

Dole Food Company, one of the world’s largest producers and distributors of fresh fruit and vegetables, has announced that it is dealing with a ransomware attack that impacted its operations. There are few details at the moment, and the company is currently investigating "the scope of the incident," noting that the impact is limited. The company employs around 38,000 people and has an annual revenue of $6.5 billion. In a statement on its website, Dole says that it has already engaged third-party experts to help with the remediation and security of impacted systems.

Researchers Find Hidden Vulnerabilities in Hundreds of Docker Containers
Date: 2023-02-23

Research revealed numerous high-severity and critical vulnerabilities hidden in hundreds of popular container images, downloaded billions of times collectively. This includes high-profile vulnerabilities with publicly known exploits. Some of the hidden vulnerabilities are known to be actively exploited in the wild and are listed in the CISA Known Exploited Vulnerabilities catalog, including CVE-2021-42013, CVE-2021-41773, and CVE-2019-17558.

NSA Shares Guidance on How to Secure Your Home Network
Date: 2023-02-23

The U.S. National Security Agency (NSA) has issued guidance to help remote workers secure their home networks and defend their devices from attacks. The guide published by the Defense Department's intelligence agency on Wednesday includes a long list of recommendations, including a short list of highlights urging teleworkers to ensure their devices and software are up to date.

New Privilege Escalation Bug Class Found on macOS and iOS
Date: 2023-02-22

Researchers have discovered six vulnerabilities on macOS and iOS and a new bug class. The new class of privilege escalation bugs stems from the ForcedEntry attack, which abused a feature of macOS and iOS to distribute the Pegasus malware. The bugs include various zero-day vulnerabilities similar to the ones exploited in the previous ForcedEntry attack. They allow bypassing code signing to execute arbitrary code on several platforms, leading to escalation of privileges and sandbox escape on macOS and iOS. The CVSS scores of the vulnerabilities range between 5.1 and 7.1.

CISA adds IBM Aspera Faspex and Mitel MiVoice to Known Exploited Vulnerabilities Catalog
Date: 2023-02-22

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog. One resides in IBM’s Aspera Faspex, and the other two in Mitel’s MiVoice.
  • CVE-2022-47986 is a remote code execution vulnerability in IBM’s Aspera Faspex and received a CVSS score of 9.8. A remote attacker can use this vulnerability to execute arbitrary code on the system. The vulnerability is the result of a YAML deserialization issue. Shadowserver researchers have confirmed active exploitation of the vulnerability in the wild.
  • CVE-2022-41223 is a code injection vulnerability found in Mitel’s MiVoice Connect. A proof of concept was released by Assetnote earlier this month, and the vulnerability received a 6.8 CVSS score. Using the vulnerability, attackers with internal network access can execute code within the context of the application.
  • CVE-2022-40765 resides in Mitel’s Edge Gateway component of MiVoice Connect. It allows an authenticated attacker with internal network access to execute commands within the context of the system. This also received a CVSS score of 6.8.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Experts recommend private organizations also review the Catalog and address the vulnerabilities in their infrastructure.

Hydrochasma: New Threat Actor Targets Shipping Companies and Medical Labs in Asia
Date: 2023-02-22

Shipping companies and medical laboratories in Asia have been the subject of a suspected espionage campaign carried out by a never-before-seen threat actor dubbed Hydrochasma. The activity, which has been ongoing since October 2022, "relies exclusively on publicly available and living-off-the-land tools," Symantec, by Broadcom Software, said in a report shared with The Hacker News. There is no evidence available as yet to determine its origin or affiliation with known threat actors, but the cybersecurity company said the group may be having an interest in industry verticals that are involved in COVID-19-related treatments or vaccines.

VMware Patches Critical Vulnerability in Carbon Black App Control Product
Date: 2023-02-22

Yesterday, VMware patched a critical security vulnerability impacting its Carbon Black App Control product. Tracked as CVE-2023-20858 (CVSS score: 9.1), the flaw was discovered and disclosed to VMware by bug bounty hunter Jari Jääskelä (@JJaaskela), and impacts App Control versions 8.7.x, 8.8.x, and 8.9.x. According to VMware, “a malicious actor with privileged access to the App Control administration console may be able to use specially crafted input allowing access to the underlying server operating system.”


Samsung Announces Message Guard Feature to Neutralize Zero-Click Attacks
Date: 2023-02-22

Samsung announced the implementation of a new security feature called Message Guard that aims to protect users from malicious code that can be installed via zero-click attacks. Zero-click exploits allow attackers to compromise the target device without any user interaction; for example, a threat actor can exploit a zero-day issue simply by sending an image to the victim.


Norwegian Authorities Seize $5.86 Million From Lazarus Group
Date: 2023-02-21

Norwegian authorities confiscated crypto assets worth nearly $5.68 million tied to the 2022 Ronin cryptocurrency bridge hack by the North Korean state threat actor Lazarus Group. Norway's National Authority for Investigation and Prosecution of Economic and Environmental Crime (known in Norwegian as Økokrim) revealed on Thursday that it had retrieved part of the stolen funds from the Ronin attackers, who in March 2022 stole $620 million worth of cryptocurrency.


HardBit Ransomware Wants Insurance Details to Set the Perfect Price
Date: 2023-02-21

The upgraded version of HardBit ransomware attempts to broker a ransom payment covered by its victim's insurance. Once on the victim's system, the threat group drops a note that does not tell the victim how much the hackers want in exchange for the decryption key. Instead, victims get 48 hours to contact the attacker over an open-source, encrypted peer-to-peer messaging app. However, the ransomware gang gives elaborate instructions to companies that hold cyber insurance. The group claims that sneaky insurance providers advise entities to keep their premiums a secret in order to derail negotiations and never pay the maximum ransom amount, leaving the companies to deal with the cyber criminals on their own. Further, the note claims that if the victim shares its insurance information with the HardBit group, both the ransomware group and the victim benefit. The benefit, as HardBit describes it, is that if the group knows the exact insurance details, it can demand exactly that amount from the insurer, and the insurance agent would be required to cover it.


Researchers Discover Numerous Samples of Information Stealer 'Stealc' in the Wild
Date: 2023-02-21

A new information stealer called Stealc that's being advertised on the dark web could emerge as a worthy competitor to other malware of its ilk. "The threat actor presents Stealc as a fully featured and ready-to-use stealer, whose development relied on Vidar, Raccoon, Mars, and RedLine stealers," SEKOIA said in a Monday report. The French cybersecurity company said it discovered more than 40 Stealc samples distributed in the wild and 35 active command-and-control (C2) servers, suggesting that the malware is already gaining traction among criminal groups.


MyloBot Botnet Spreading Rapidly Worldwide: Infecting Over 50,000 Devices Daily
Date: 2023-02-21

A sophisticated botnet known as MyloBot has compromised thousands of systems, with most of them located in India, the U.S., Indonesia, and Iran. That's according to new findings from BitSight, which said it's "currently seeing more than 50,000 unique infected systems every day," down from a high of 250,000 unique hosts in 2020. Furthermore, an analysis of MyloBot's infrastructure has found connections to a residential proxy service called BHProxies, indicating that the compromised machines are being used by the latter.


Frebniis Malware Exploits Microsoft IIS Feature
Date: 2023-02-21

Cybersecurity researchers have discovered a new malware that leverages a legitimate feature of Microsoft’s Internet Information Services (IIS) to install a backdoor in targeted systems. According to an advisory published last Thursday by Symantec, the malware, dubbed "Frebniis," was used by a previously unknown threat actor against targets in Taiwan.


CISA Warns of Windows and iOS Bugs Exploited as Zero-days
Date: 2023-02-17

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four security vulnerabilities exploited in attacks as zero-days to its list of bugs known to be abused in the wild. Two of them impact Microsoft products and allow attackers to gain remote code execution (CVE-2023-21823) and escalate privileges (CVE-2023-23376) on unpatched Windows systems by abusing flaws in the Common Log File System driver and graphics components. A third one (CVE-2023-21715) can be exploited to bypass Microsoft Office macro policies to deliver malicious payloads via untrusted files.


Contact LACyber

LACyber's main office is located at 155 Great Arrow, Buffalo, New York. Our main office phone number is (716) 871-7040.

Location:

155 Great Arrow, Buffalo, NY 14207

Call:

+1 716 871-7040
