Current Active Threats


Camaro Dragon Strikes with New TinyNote Backdoor for Intelligence Gathering
Date: 2023-06-02

The Chinese nation-state group known as Camaro Dragon has been linked to yet another backdoor designed to meet its intelligence-gathering goals. Israeli cybersecurity firm Check Point, which dubbed the Go-based malware TinyNote, said it functions as a first-stage payload capable of ‘basic machine enumeration and command execution via PowerShell or Goroutines.’ What the malware lacks in sophistication it makes up for in redundancy: it establishes multiple persistence tasks and uses varied methods to communicate with different command-and-control servers so that it retains access to the compromised host even if one channel is cut.

Contact Us For Full Threat Report, Analyst Comments & Mitigation Steps

Malicious Chrome Extensions With 75M Installs Removed From Web Store
Date: 2023-06-02

Google has removed 32 malicious extensions from the Chrome Web Store that could alter search results and push spam or unwanted ads. Collectively, they had a download count of 75 million. The extensions offered legitimate functionality to keep users unaware of the malicious behavior, which was delivered through obfuscated code. Cybersecurity researcher Wladimir Palant analyzed the PDF Toolbox extension (2 million downloads) from the Chrome Web Store and found that it included code disguised as a legitimate extension API wrapper.

New Horabot Campaign Takes Over Victim’s Gmail, Outlook Accounts
Date: 2023-06-02

A previously unknown campaign involving the Horabot botnet malware has targeted Spanish-speaking users in Latin America since at least November 2020, infecting them with a banking trojan and a spam tool. The malware enables the operators to take control of the victim's Gmail, Outlook, Hotmail, or Yahoo email accounts, steal email data and 2FA codes arriving in the inbox, and send phishing emails from the compromised accounts. The Horabot operation was discovered by analysts at Cisco Talos, who report that the threat actor behind it is likely based in Brazil. The multi-stage infection chain begins with a tax-themed phishing email sent to the target, with an HTML attachment that is supposedly a payment receipt. Opening the HTML launches a URL redirection chain that lands the victim on an HTML page hosted on an attacker-controlled AWS instance.

Top 3 API Security Risks and How to Mitigate Them
Date: 2023-06-02

The application programming interface (API) is an unsung hero of the digital revolution. It provides the glue that sticks together diverse software components in order to create new user experiences. But in providing a direct path to back-end databases, APIs are also an attractive target for threat actors. It doesn’t help that they have exploded in number over recent years, leading many deployments to go undocumented and unsecured. According to one recent study, 94% of global organizations have experienced API security problems in production over the past year with nearly a fifth (17%) suffering an API-related breach. It’s time to gain visibility and control of these digital building blocks.

New MOVEit Transfer Zero-Day Mass-Exploited in Data Theft Attacks
Date: 2023-06-01

Cybercriminals are exploiting a zero-day vulnerability in MOVEit Transfer to steal data from targeted organizations. MOVEit Transfer is managed file transfer (MFT) software developed by Ipswitch, a subsidiary of US-based Progress Software Corporation. It facilitates secure file transfers between enterprises, business partners, and customers using protocols such as SFTP, SCP, and HTTP-based uploads.

SpinOk Trojan Compromises 421 Million Android Devices
Date: 2023-06-01

Security researchers have detected a new Android trojan that could have compromised as many as 421 million devices. In an advisory published on Monday, the Doctor Web team detailed the trojan, which it tracks as Android.Spy.SpinOk. Android.Spy.SpinOk has numerous spyware capabilities, such as gathering files and capturing clipboard content. It spreads by being embedded within other applications, which is how it reached such a large number of devices.

Experts Warn of Backdoor-like Behavior Within Gigabyte Systems
Date: 2023-06-01

This should be treated as High severity if you are a user of Gigabyte systems. We may upgrade this to Critical should reports of active exploitation occur.

Researchers from firmware security firm Eclypsium have discovered suspected backdoor-like behavior in Gigabyte systems. The firmware in affected Gigabyte systems drops and executes a Windows native executable during the system startup process, and that executable then downloads and runs additional payloads insecurely. The experts pointed out that this is the same behavior observed in other OEM backdoor-like features such as the Computrace backdoor (a.k.a. LoJack DoubleAgent) and in firmware implants such as Sednit LoJax, MosaicRegressor, and Vector-EDK.

Terminator Antivirus Killer is a Vulnerable Windows Driver in Disguise
Date: 2023-06-01

A threat actor known as Spyboy is promoting a tool called "Terminator" on a Russian-speaking hacking forum that can allegedly terminate any antivirus, XDR, and EDR platform. However, CrowdStrike says that it's just a fancy Bring Your Own Vulnerable Driver (BYOVD) attack.

Hackers Exploit Critical Zyxel Firewall Flaw in Ongoing Attacks
Date: 2023-06-01

A critical command injection flaw in Zyxel networking devices is being exploited by hackers in widespread attacks to install malware. Tracked as CVE-2023-28771, the flaw resides in the default configuration of impacted firewall and VPN devices and can be abused for unauthenticated remote code execution via a specially crafted IKEv2 packet sent to UDP port 500 on the device.

Improved BlackCat Ransomware Strikes with Lightning Speed and Stealthy Tactics
Date: 2023-06-01

The threat actors behind BlackCat ransomware have come up with an improved variant that prioritizes speed and stealth in an attempt to bypass security guardrails and achieve their goals. The new version, dubbed Sphynx and announced in February 2023, packs a ‘number of updated capabilities that strengthen the group's efforts to evade detection,’ IBM Security X-Force said in a new analysis. The ‘product’ update was first highlighted by vx-underground in April 2023. Trend Micro, last month, detailed a Linux version of Sphynx that's ‘focused primarily on its encryption routine.’

Dark Pink Hackers Continue to Target Govt and Military Organizations
Date: 2023-05-31

In 2023, the Dark Pink APT hacking group remains highly active, focusing its attacks on government, military, and education organizations in Indonesia, Brunei, and Vietnam. This threat group has been operational since around mid-2021, primarily concentrating its efforts on targets in the Asia-Pacific region. However, it was only in January 2023 that the group gained public attention following a report by Group-IB. According to the researchers, a thorough analysis of the group's past activities has revealed further instances of breaches.

RomCom RAT Using Deceptive Web of Rogue Software Sites for Covert Attacks
Date: 2023-05-31

The threat actors behind RomCom RAT have been leveraging a network of fake websites advertising rogue versions of popular software since at least July 2022 to infiltrate targets. Cybersecurity firm Trend Micro is tracking the activity cluster under the name Void Rabisu, which is also known as Tropical Scorpius (Unit 42) and UNC2596 (Mandiant).

Microsoft Details Critical Apple macOS Vulnerability Allowing SIP Protection Bypass
Date: 2023-05-31

Researchers at Microsoft (Jonathan Bar Or, Michael Pearse, and Anurag Bohra) recently disclosed details of a now-patched flaw in Apple macOS that could be exploited by threat actors who already have root access to bypass security enforcement and perform arbitrary actions on unpatched devices. Tracked as CVE-2023-32369 (aka ‘Migraine’), the flaw permits a bypass of System Integrity Protection (SIP), a security feature that limits the actions even a root user can perform on protected files and folders. By abusing this flaw, “an attacker can create files that are protected by SIP and therefore undeletable by ordinary means.”

Human Error Fuels Industrial APT Attacks, Kaspersky Reports
Date: 2023-05-31

Cybersecurity firm Kaspersky has identified the primary factors contributing to advanced persistent threat (APT) attacks in industrial sectors. The first of them, discussed in a new report published today, is the absence of isolation in operational technology (OT) networks (Info Security Magazine, 2023). Kaspersky observed engineering workstations connected to both the IT and OT networks, and previously air-gapped OT/ICS environments are increasingly being connected to the Internet.

Gouda Hacker: Charges Tie to Ransomware Hit Affecting Cheese
Date: 2023-05-31

Mikhail Matveev, 31, is the Russian national whom prosecutors accuse of wielding not one but three strains of ransomware. Two federal indictments unsealed this month accuse Matveev, aka Wazawaka, m1x, Boriselcin and Uhodiransomwar, of operating as an affiliate for the LockBit, Babuk and Hive ransomware groups. Security experts say the indictments are notable because they don't target ransomware-as-a-service group chiefs but rather a foot soldier who was directly responsible for hacking into victims' networks and using the ransomware to extort them.

Beware of the New Phishing Technique “File Archiver in the Browser” That Exploits Zip Domains
Date: 2023-05-30

Phishers have devised a novel technique known as "file archiver in the browser" that capitalizes on victims visiting a .zip domain. As described by security researcher mr.d0x, the method emulates file archiver software within a web page, so the page looks like an opened archive while its "files" are really links or downloads under the attacker's control. Google recently introduced eight additional top-level domains (TLDs), including .zip and .mov, and cybersecurity professionals are cautioning about the malicious uses these domains invite: a filename such as setup.zip mentioned in an email or chat message can now be auto-linked as a hostname, delivering the reader to the attacker's page.
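As an added illustration (not part of the original report or of mr.d0x's research), the following Python function scans message text for the two things a mail filter would want to catch here: explicit URLs whose host sits under the new .zip or .mov TLDs, and bare tokens such as invoice.zip that some clients auto-link as hostnames. It resolves the host with urllib.parse so the decision matches what a browser does, including the case where a plausible-looking path before an "@" is really URL userinfo and the actual host is the .zip domain after it. The sample message is constructed for the example; the regular expressions and the finding labels are my own.

```python
import re
from urllib.parse import urlsplit

# TLDs the page discusses; extend if your policy covers more of Google's new TLDs.
WATCHED_TLDS = (".zip", ".mov")

# Explicit URLs in the text. Everything up to whitespace or a quote/angle bracket.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Bare "name.zip" tokens not preceded by a path separator, dot, "@" or word char,
# i.e. tokens a mail/chat client may auto-link as a hostname.
BARE_RE = re.compile(r"(?<![\w./@-])([\w-]+(?:\.[\w-]+)*\.(?:zip|mov))(?![\w-])",
                     re.IGNORECASE)


def classify_zip_references(text: str) -> list:
    """Return findings for .zip/.mov hosts in explicit URLs and for bare
    file-name-looking tokens that would auto-link to such a host."""
    findings = []
    urls = [m.group(0) for m in URL_RE.finditer(text)]
    for url in urls:
        # urlsplit treats anything before the last "@" in the authority as
        # userinfo, so the host is what a browser would actually connect to.
        host = (urlsplit(url).hostname or "").lower()
        if host.endswith(WATCHED_TLDS):
            findings.append({"text": url, "host": host, "kind": "url_to_zip_tld"})
    for m in BARE_RE.finditer(text):
        token = m.group(1)
        if any(token in u for u in urls):
            continue  # already covered as part of an explicit URL
        findings.append({"text": token, "host": token.lower(),
                         "kind": "bare_name_autolinkable"})
    return findings


# Constructed sample message: one bare archive name, one URL on a .zip host,
# one URL where the .zip host hides behind "@" userinfo padded with U+2215
# (DIVISION SLASH, which is not a path separator), and one benign .zip path.
SAMPLE_EMAIL = (
    "Hi, the Q2 figures are in financials.zip attached. "
    "Download the full set at https://reports.example.zip/download "
    "and the archive tool at https://github.com\u2215kubernetes\u2215archive@v1271.zip . "
    "Our intranet https://intranet.example.com/files/report.zip is unchanged."
)

if __name__ == "__main__":
    for f in classify_zip_references(SAMPLE_EMAIL):
        print(f"{f['kind']:25} host={f['host']:25} text={f['text']}")
```

The benign intranet link is not reported because its host is under .com; the path component report.zip is skipped by the lookbehind in BARE_RE, which is the distinction a filter needs to avoid flagging every legitimate attachment name.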

New Hacking Forum Leaks Data of 478,000 RaidForums Members
Date: 2023-05-30

A database for the notorious RaidForums hacking forums has been leaked online, allowing threat actors and security researchers insight into the people who frequented the forum. RaidForums was a very popular and notorious hacking and data leak forum known for hosting, leaking, and selling data stolen from breached organizations. Threat actors who frequented the forum would hack into websites or access exposed database servers to steal customer information.

Barracuda Warns of Zero-Day Exploited to Breach Email Security Gateway Appliances
Date: 2023-05-30

CISA has added a recently patched zero-day vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by June 16, 2023. Tracked as CVE-2023-2868, the flaw is a remote command injection impacting Barracuda Email Security Gateway (ESG) appliances, versions 5.1.3.001 through 9.2.0.006.

Invoice and CEO Scams Dominate Fraud Impacting Businesses
Date: 2023-05-30

Losses to fraud reported by UK Finance's more than 300 member firms, which provide credit, banking, markets and payment services in the U.K., declined 8% from 2021, although they still involved 3 million cases of fraud. "These numbers are big but slightly down on where we were in 2021, both in terms of the number of cases and the value of losses," said Lee Hopley, director of economic insight and research at UK Finance. The industry reported preventing about $1.5 billion worth of fraud in 2022, although she said the actual amount is likely higher, given the challenges of measuring fraud prevention.

Lazarus Hackers Target Windows IIS Web Servers for Initial Access
Date: 2023-05-30

The notorious North Korean state-backed hackers, known as the Lazarus Group, are now targeting vulnerable Windows Internet Information Services (IIS) web servers to gain initial access to corporate networks. Lazarus is primarily financially motivated, with many analysts believing that the hackers' malicious activities help fund North Korea's weapons development programs. However, the group has also been involved in several espionage operations. The latest tactic of targeting Windows IIS servers was discovered by South Korean researchers at the AhnLab Security Emergency Response Center (ASEC).

New OT Malware Possibly Related To Russian Emergency Response Exercises
Date: 2023-05-26

COSMICENERGY’s capabilities and overall attack strategy appear reminiscent of the 2016 INDUSTROYER incident, which issued IEC-104 ON/OFF commands to interact with RTUs and, according to one analysis, may have made use of an MSSQL server as a conduit system to access OT. Leveraging this access, an attacker can send remote commands to affect the actuation of power line switches and circuit breakers to cause power disruption. COSMICENERGY accomplishes this via its two derivative components, which Mandiant tracks as PIEHOP and LIGHTWORK. PIEHOP is a disruption tool written in Python and packaged with PyInstaller that is capable of connecting to a user-supplied remote MSSQL server for uploading files and issuing remote commands to an RTU. PIEHOP uses LIGHTWORK to issue the IEC-104 commands "ON" or "OFF" to the remote system and then immediately deletes the executable after issuing the command.
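The report describes LIGHTWORK issuing IEC-104 ON/OFF commands to an RTU. As an added example (not code from Mandiant's report or from the malware), the Python below splits a TCP payload into IEC 60870-5-104 APDUs and extracts the control-direction single and double commands (type identifiers 45 and 46) sent with cause of transmission "activation", which is exactly the traffic a defender would want to alert on when it comes from any host other than the expected SCADA master. The APDUs in SAMPLE_STREAM are constructed for the example: a TESTFR keep-alive, a spontaneous measured value, an "ON" single command, an "OFF" double command in select mode, and an activation confirmation echoed back by the RTU. Field sizes follow the fixed ASDU layout normally used with 104 (1-byte type, 1-byte VSQ, 2-byte COT, 2-byte common address, 3-byte IOA); that layout is an assumption of the parser.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, List, Optional

C_SC_NA_1 = 45        # single command: one bit, ON/OFF
C_DC_NA_1 = 46        # double command: explicit OFF (1) / ON (2)
COT_ACTIVATION = 6    # cause of transmission "activation" = a real request,
                      # as opposed to 7 (activation confirmation) or 10 (termination)


@dataclass
class SwitchCommand:
    type_id: int
    common_address: int
    ioa: int          # information object address (the switch/breaker point)
    state: str        # "ON" / "OFF" / "INVALID"
    select: bool      # True = select phase, False = execute phase
    cot: int


def iter_apdus(stream: bytes) -> Iterator[bytes]:
    """Split a TCP payload into APDU bodies. Each APDU is 0x68, a length byte,
    then that many bytes of control fields + ASDU."""
    pos = 0
    while pos < len(stream):
        if pos + 2 > len(stream) or stream[pos] != 0x68:
            raise ValueError(f"no APDU start byte at offset {pos}")
        length = stream[pos + 1]
        body = stream[pos + 2:pos + 2 + length]
        if len(body) != length:
            raise ValueError(f"truncated APDU at offset {pos}")
        yield body
        pos += 2 + length


def parse_switch_command(apdu: bytes) -> Optional[SwitchCommand]:
    """Return the switching command in an I-format APDU, or None for S/U
    frames and for any ASDU that is not a single/double command."""
    if len(apdu) < 4 or apdu[0] & 0x01:       # S- and U-format frames carry no ASDU
        return None
    asdu = apdu[4:]
    if len(asdu) < 10:
        return None
    type_id, vsq = asdu[0], asdu[1]
    if type_id not in (C_SC_NA_1, C_DC_NA_1) or (vsq & 0x7F) != 1:
        return None                             # commands carry exactly one object
    cot = asdu[2] & 0x3F                        # low 6 bits; bit 6 = P/N, bit 7 = test
    common_address = struct.unpack_from("<H", asdu, 4)[0]
    ioa = int.from_bytes(asdu[6:9], "little")
    qualifier = asdu[9]                         # SCO or DCO byte
    select = bool(qualifier & 0x80)             # S/E bit
    if type_id == C_SC_NA_1:
        state = "ON" if qualifier & 0x01 else "OFF"
    else:
        state = {1: "OFF", 2: "ON"}.get(qualifier & 0x03, "INVALID")
    return SwitchCommand(type_id, common_address, ioa, state, select, cot)


def find_switching_commands(stream: bytes) -> List[SwitchCommand]:
    """Every ON/OFF command actually requested (COT = activation) in the stream."""
    found = []
    for apdu in iter_apdus(stream):
        cmd = parse_switch_command(apdu)
        if cmd is not None and cmd.cot == COT_ACTIVATION:
            found.append(cmd)
    return found


# Constructed sample capture (hex), five APDUs back to back.
SAMPLE_STREAM = bytes.fromhex(
    "680443000000"                                        # U-format TESTFR act (keep-alive)
    "681200000000" "0d0103000100" "0a0000" "0000803f" "00"  # M_ME_NC_1 float 1.0, IOA 10, spontaneous
    "680e00000000" "2d0106000100" "000100" "01"           # C_SC_NA_1 ON, execute, IOA 256, activation
    "680e00000000" "2e0106000100" "020100" "81"           # C_DC_NA_1 OFF, select, IOA 258, activation
    "680e00000000" "2d0107000100" "000100" "01"           # C_SC_NA_1 ON, activation confirmation (from RTU)
)

if __name__ == "__main__":
    for c in find_switching_commands(SAMPLE_STREAM):
        phase = "SELECT" if c.select else "EXECUTE"
        print(f"type {c.type_id} CA={c.common_address} IOA={c.ioa} {c.state} {phase}")
```

Only the two activation requests are reported; the confirmation the RTU sends back (COT 7) and the measured value are ignored, so an alert from this logic means a master, or something pretending to be one, actually asked for a switching operation.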

BlackByte Ransomware Claims City of Augusta Cyberattack
Date: 2023-05-26

The City of Augusta in Georgia, USA, has verified that the recent disruption to its IT system was a result of unauthorized intrusion into its network. While the administration has not revealed specific details about the nature of the cyberattack, the BlackByte ransomware group has publicly acknowledged the city of Augusta as one of its targeted victims.

Microsoft 365 Phishing Attacks Use Encrypted RPMSG Messages
Date: 2023-05-26

Attackers are now using encrypted RPMSG attachments sent via compromised Microsoft 365 accounts to steal Microsoft credentials in targeted phishing attacks designed to evade detection by email security gateways. RPMSG files (also known as restricted permission message files) are encrypted email message attachments created using Microsoft's Rights Management Services (RMS) and offer an extra layer of protection to sensitive info by restricting access to authorized recipients. To access and read the encrypted contents of RPMSG attachments, recipients are required to either authenticate using their Microsoft account or acquire a one-time passcode for decryption.

New Buhti Ransomware Uses Leaked Payloads and Public Exploits
Date: 2023-05-26

A relatively new ransomware operation calling itself Buhti appears to be eschewing developing its own payload and is instead utilizing variants of the leaked LockBit and Babuk ransomware families to attack Windows and Linux systems. While the group doesn’t develop its own ransomware, it does utilize what appears to be one custom-developed tool, an information stealer designed to search for and archive specified file types. Buhti, which first came to public attention in February 2023, was initially reported to be attacking Linux computers. However, Symantec’s Threat Hunter Team has also uncovered attempts to attack Windows computers on compromised networks.

‘Operation Magalenha’ Targets Credentials of 30 Portuguese Banks
Date: 2023-05-26

A report from SentinelLabs has revealed the details of Operation Magalenha, a campaign targeting the credentials of customers of 30 Portuguese banks, shedding light on the tools used by the threat actor, the infection methods employed, and the techniques used to distribute their malware. The researchers obtained information about the origin and tactics of the threat actor through the discovery of a server misconfiguration that inadvertently exposed files, directories, internal correspondence, and other sensitive data.

North Korea-Linked Lazarus APT Targets Microsoft IIS Servers to Deploy Malware
Date: 2023-05-25

Researchers at AhnLab Security Emergency Response Center (ASEC) have revealed that the Lazarus APT group, a threat actor associated with North Korea, has been exploiting vulnerable Microsoft IIS servers. Using DLL side-loading, the attackers place a malicious DLL named msvcr100.dll in the same directory as a legitimate application called Wordconv.exe; when that binary is launched through the compromised IIS web server process, it loads the malicious library in place of the genuine Visual C++ runtime DLL and executes the attackers' code.
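Detection angle, as an added example rather than anything from the ASEC report: a malicious msvcr100.dll only works because the loader takes the copy sitting next to the executable, and the genuine Visual C++ runtime DLL is Microsoft-signed. The Python below evaluates Sysmon Event ID 7 (Image loaded) records and reports a known runtime DLL name loaded from outside the Windows system directories when the loaded file is not Microsoft-signed, along with the process that loaded it. The events are constructed for the example; the watch list of DLL names, the trusted signer strings and the paths are assumptions to tune for your estate, and the field names are Sysmon's.

```python
import ntpath
from typing import Dict, List

# Runtime DLL names commonly abused for side-loading (assumed watch list).
WATCHED_RUNTIME_DLLS = {"msvcr100.dll", "msvcp100.dll", "msvcr120.dll",
                        "msvcp140.dll", "vcruntime140.dll"}
# Where the genuine runtime legitimately lives (lower-case prefixes).
SYSTEM_DIR_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                       "c:\\windows\\winsxs\\")
# Signer names Sysmon reports for Microsoft-signed files (assumption).
TRUSTED_SIGNERS = {"microsoft corporation", "microsoft windows"}


def sideload_reason(event: Dict[str, str]) -> str:
    """Explain why a Sysmon Event ID 7 record looks like DLL side-loading,
    or return '' when it is benign."""
    loaded = event["ImageLoaded"].lower()
    name = ntpath.basename(loaded)
    if name not in WATCHED_RUNTIME_DLLS:
        return ""
    if loaded.startswith(SYSTEM_DIR_PREFIXES):
        return ""
    signed = event.get("Signed", "false").lower() == "true"
    signer = event.get("Signature", "").lower()
    if signed and signer in TRUSTED_SIGNERS:
        return ""  # app-local copy of the real runtime: common and harmless
    loaded_dir = ntpath.dirname(loaded)
    loader_dir = ntpath.dirname(event["Image"].lower())
    where = "beside its loader" if loaded_dir == loader_dir else "outside the loader's directory"
    who = f"signed by {event.get('Signature')}" if signed else "unsigned"
    return f"{name} loaded from {loaded_dir} ({where}), {who}"


def find_sideloads(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    hits = []
    for e in events:
        reason = sideload_reason(e)
        if reason:
            hits.append({"Image": e["Image"], "ImageLoaded": e["ImageLoaded"],
                         "reason": reason})
    return hits


# Constructed Sysmon Event ID 7 records (paths and signer names are made up).
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\Wordconv.exe",
     "ImageLoaded": r"C:\ProgramData\msvcr100.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"Image": r"C:\Program Files\Vendor\app.exe",              # legitimate app-local runtime
     "ImageLoaded": r"C:\Program Files\Vendor\msvcr100.dll",
     "Signed": "true", "Signature": "Microsoft Corporation", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",         # not a watched DLL
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",         # signed, but not by Microsoft
     "ImageLoaded": r"C:\inetpub\temp\msvcr100.dll",
     "Signed": "true", "Signature": "Example Ltd", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for h in find_sideloads(SAMPLE_EVENTS):
        print(f"{h['Image']} -> {h['reason']}")
```

The second record is deliberately left alone: vendors ship the runtime next to their own binaries all the time, so filename and location alone produce a noisy rule, and the signature is what separates that case from a dropped look-alike.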

Chinese Hackers Breach US Critical Infrastructure in Stealthy Attacks
Date: 2023-05-25

A joint advisory from CISA, the NSA, the FBI and partner agencies highlights recent state-sponsored cyber activity by the People's Republic of China (PRC) and provides crucial information for network defenders to identify and mitigate it. The advisory focuses on network and host artifacts, particularly the command lines used by the actor, and includes indicators of compromise (IOCs) for reference. Defenders should, however, evaluate each match to determine its significance, since some of the indicators can also be produced by benign activity and so yield false positives.

New PowerExchange Malware Backdoors Microsoft Exchange Servers
Date: 2023-05-25

FortiEDR research lab has identified a targeted attack against a government entity in the United Arab Emirates, involving a custom PowerShell-based backdoor called PowerExchange. The backdoor utilizes the victim's Microsoft Exchange server as its command and control (C2) server, operating through an email-based C2 protocol. The investigation revealed multiple implants and a unique web shell named ExchangeLeech, capable of credential harvesting. The indicators point to an Iranian threat actor as the perpetrator of these attacks. The attack chain starts with email phishing and the execution of a malicious .NET executable. The backdoor establishes communication with the Exchange server, sends and receives commands through mailboxes, and executes malicious payloads.

North Korean APT Group Kimsuky Shifting Attack Tactics
Date: 2023-05-25

North Korean hackers belonging to the Kimsuky group are employing custom-built malware to carry out information exfiltration campaigns against organizations supporting human rights activists and North Korean defectors. The cybersecurity firm SentinelOne discovered a new variant of the RandomQuery malware, which is commonly used by the Pyongyang threat actor. Kimsuky specializes in targeting think tanks and journalists. The malware is distributed through compiled HTML (CHM) files, a tactic frequently used by North Korean hackers. The variant of RandomQuery in this campaign has the ‘single objective of file enumeration and information exfiltration,’ in contrast to recently observed North Korean use of the malware to support a wider array of functions such as keylogging and the execution of additional malware.

GoldenJackal State Hackers Silently Attacking Govts Since 2019
Date: 2023-05-24

Kaspersky recently disclosed the activities of a lesser-known advanced persistent threat group called GoldenJackal. This group has been engaged in espionage against government and diplomatic organizations in Asia since 2019. To maintain a low profile, the threat actors have been cautious in their operations: they carefully choose their targets and limit the frequency of their attacks to minimize the risk of detection. Kaspersky, which has been monitoring GoldenJackal since 2020, has revealed that the group is active in Afghanistan, Azerbaijan, Iran, Iraq, Pakistan, and Turkey.

SuperMailer Abuse Bypasses Email Security for Super-Sized Credential Theft
Date: 2023-05-24

A large-scale operation focused on harvesting credentials has emerged, utilizing a legitimate email newsletter program called SuperMailer to distribute a substantial volume of phishing emails. The intention behind this campaign is to bypass secure email gateway protections. Recent findings from Cofense, as of May 23, reveal that SuperMailer-generated emails account for a significant portion of all credential phishing attempts, constituting approximately 5% of the firm's telemetry for May.

IT Employee Piggybacked on Cyberattack for Personal Gain
Date: 2023-05-24

A former IT employee of an Oxford-based company has been convicted of blackmailing his employer and unauthorized access to a computer for personal gain. After a cyber security incident at the company, the employee took advantage of the breach by accessing a board member's private emails, altering the original blackmail email, and changing the payment address.

State-Aligned Actors Targeting SMBs Globally
Date: 2023-05-24

Proofpoint researchers have discovered that advanced persistent threat (APT) actors are increasingly targeting small and medium-sized businesses (SMBs), governments, militaries, and major corporations through compromised SMB infrastructure in phishing campaigns. These threat actors are also launching financially motivated attacks against SMB financial services firms and carrying out supply chain attacks affecting SMBs. Proofpoint emphasizes the tangible risk that APT actors pose to SMBs today through the compromise of their infrastructure.

Barracuda Warns of Email Gateways Breached via Zero-Day Flaw
Date: 2023-05-24

Barracuda, a company specializing in email and network security solutions, informed its customers that some of their Email Security Gateway (ESG) appliances were breached due to a recently patched zero-day vulnerability. The vulnerability was discovered on May 19 and was promptly addressed with security patches on May 20 and 21. Barracuda confirmed unauthorized access to a subset of ESG appliances but assured customers that its other products were unaffected. Impacted organizations were notified, and Barracuda advised them to review their environments for any potential spread of the threat actors to other devices on the network. Details regarding the number of affected customers and potential data impact were not provided.

A Deeper Insight Into the CloudWizard APT’s Activity Reveals a Long-Running Campaign
Date: 2023-05-23

Researchers warn of a threat actor known as CloudWizard APT, which is actively targeting organizations operating in the Russo-Ukrainian conflict region. In March 2023, Kaspersky researchers discovered a new APT group, referred to as Bad Magic or Red Stinger, engaging in cyberattacks against entities in the same area. The attackers used the PowerMagic and CommonMagic implants in their operations. During their investigation, the researchers discovered another set of highly advanced malicious activities linked to the same threat actor, demonstrating even greater sophistication.

Food Distributor Sysco Says Cyberattack Exposed 126,000 Individuals
Date: 2023-05-23

A multinational company headquartered in Houston, Texas, Sysco is one of the largest distributors of food products, kitchen equipment, smallware, and tabletop products to restaurants, lodging establishments, healthcare and education organizations, and other entities (Security Week, 2023). The company initially disclosed the incident in early May, in a Form 10-Q filing with the US Securities and Exchange Commission (SEC), in which it revealed that the data breach was identified on March 5, 2023, but that the attackers likely had unauthorized access to its systems starting January 14, 2023.

BatLoader Campaign Impersonates ChatGPT and Midjourney to Deliver Redline Stealer
Date: 2023-05-23

In early May, researchers at eSentire's Threat Response Unit (TRU) spotted an ongoing BatLoader campaign using Google Search Ads to redirect victims to imposter web pages for AI-based services like ChatGPT and Midjourney (Info Security Magazine, 2023). The threat actors are using BatLoader in the form of an MSIX Windows App Installer file to deliver Redline Stealer.

Batloader Campaign Impersonates ChatGPT and Midjourney to Deliver Redline Stealer
Date: 2023-05-22

In the campaign observed by the researchers, threat actors are using BatLoader in the form of MSIX Windows App Installer files to deliver the Redline Stealer. In February 2023, eSentire reported another BatLoader campaign targeting users searching for AI tools. “Both AI services are extremely popular but lack first-party standalone apps (i.e., users interface with ChatGPT via their web interface while Midjourney uses Discord). This vacuum has been exploited by threat actors looking to drive AI app-seekers to imposter web pages promoting fake apps.”

Vulnerability in Zyxel Firewalls May Soon Be Widely Exploited (CVE-2023-28771)
Date: 2023-05-22

Rapid7 researchers have issued a warning regarding a recently patched command injection vulnerability (CVE-2023-28771) in various Zyxel firewalls. They have published a technical analysis and a proof-of-concept (PoC) script that demonstrates the vulnerability and gives the attacker a reverse root shell. The affected devices include Zyxel ATP, USG FLEX, and VPN firewalls running ZLD firmware versions 4.60 to 5.35, as well as Zyxel ZyWALL/USG gateways/firewalls running ZLD 4.60 to 4.73. These devices perform network traffic monitoring and control, offer VPN and SSL inspection capabilities, and provide additional protection against malware and other threats.

Phishing Vendor Sells IP Addresses to Duck Anomaly Detection
Date: 2023-05-22

A large-scale phishing-as-a-service operation is shifting tactics to allow attackers to avoid anomaly detection by using localized IP addresses, warns Microsoft. The computing giant discovered the provider in 2021 after detecting a phishing campaign that used more than 300,000 domains and unique subdomains in a single run. BulletProofLink, also referred to as BulletProftLink or Anthrax, sells access to phishing kits, email templates, hosting, and automated services ‘at a relatively low cost.’

Shifting Tactics Fuel Surge in Business Email Compromise
Date: 2023-05-22

Business email fraud continues to rise, with the Federal Bureau of Investigation (FBI) reporting more than 21,000 complaints with adjusted losses over $2.7 billion. Microsoft has observed an increase in sophistication and tactics by threat actors specializing in business email compromise (BEC), including leveraging residential internet protocol (IP) addresses to make attack campaigns appear locally generated. This new tactic is helping criminals further monetize Cybercrime-as-a-Service (CaaS) and has caught federal law enforcement’s attention because it allows cybercriminals to evade “impossible travel” alerts used to identify and block anomalous login attempts and other suspicious account activity.
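The ‘impossible travel’ check referred to above is simple to state: two sign-ins by the same account are suspicious if the distance between their geolocated IP addresses could not have been covered in the time between them. The Python below, an added example and not Microsoft's or the FBI's detection logic, implements that check over constructed sign-in records (assumed to already carry geo-IP coordinates) and also shows the evasion the passage describes: bob's second sign-in comes from a residential IP in the same city as his first, so the rule stays silent even though the second address is not his. The 900 km/h speed ceiling and the 50 km same-metro tolerance are assumptions to tune; the IPs are documentation ranges.

```python
import math
from datetime import datetime
from typing import Dict, List

MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner speed; anything faster is "impossible"
SAME_METRO_KM = 50.0        # ignore geo-IP jitter inside one metropolitan area


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS-84 points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(events: List[Dict], max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Dict]:
    """events: sign-in records {user, ts (ISO 8601 with offset), ip, lat, lon}.
    Returns one alert per consecutive pair of sign-ins by the same user that
    would have required travelling faster than max_kmh."""
    by_user: Dict[str, List[Dict]] = {}
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        by_user.setdefault(e["user"], []).append(e)

    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < SAME_METRO_KM:
                continue  # same area: the rule has nothing to say (this is the evasion)
            hours = (datetime.fromisoformat(cur["ts"])
                     - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append({"user": user, "from_ip": prev["ip"], "to_ip": cur["ip"],
                               "km": round(km, 1), "hours": round(hours, 2),
                               "kmh": round(kmh, 1)})
    return alerts


# Constructed sign-in log (coordinates are the ones a geo-IP lookup would attach).
SAMPLE_SIGNINS = [
    {"user": "alice", "ts": "2023-05-22T09:00:00+00:00", "ip": "203.0.113.10",
     "lat": 51.5074, "lon": -0.1278},    # London office
    {"user": "alice", "ts": "2023-05-22T09:30:00+00:00", "ip": "198.51.100.77",
     "lat": 6.5244, "lon": 3.3792},      # Lagos, 30 minutes later: flagged
    {"user": "bob", "ts": "2023-05-22T13:00:00+00:00", "ip": "203.0.113.20",
     "lat": 41.8781, "lon": -87.6298},   # Chicago office
    {"user": "bob", "ts": "2023-05-22T13:20:00+00:00", "ip": "192.0.2.45",
     "lat": 41.8500, "lon": -87.6500},   # Chicago residential proxy: not flagged
]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_SIGNINS):
        print(f"{a['user']}: {a['from_ip']} -> {a['to_ip']} "
              f"{a['km']} km in {a['hours']} h = {a['kmh']} km/h")
```

Because the rule keys only on distance over time, a residential IP purchased in the victim's own region never trips it; that is why this control needs to be paired with signals that do not depend on geography, such as the device or session token used, rather than relied on alone.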

CISA Warns of Samsung ASLR Bypass Flaw Exploited in Attacks
Date: 2023-05-22

CISA warned last Friday of a security vulnerability affecting Samsung devices which has been used in attacks to bypass Android address space layout randomization (ASLR) protection. ASLR is an Android security feature that randomizes the memory addresses where key app and OS components are loaded into the device's memory. This makes it more difficult for attackers to exploit memory-related vulnerabilities and successfully launch attacks like buffer overflow, return-oriented programming, or other memory-based exploits.

Trojan-Rigged Phishing Attacks Pepper China-Taiwan Conflict
Date: 2023-05-19

New findings reveal a significant increase in cyber espionage attacks targeting Taiwanese organizations, coinciding with recent political tensions. According to research by Trellix, the number of malicious phishing emails aimed at Taiwanese companies surged between April 7 and April 10 of this year. The most affected sectors were networking/IT, manufacturing, and logistics.

LockBit Leaks 1.5TB of Data Stolen From Indonesia's BSI Bank
Date: 2023-05-19

The LockBit ransomware group has leaked 1.5 terabytes of personal and financial data from Bank Syariah Indonesia (BSI) after failed ransom negotiations. The stolen data includes information from approximately 15 million customers and employees of the country's largest Islamic bank. BSI has restored its key banking services under the supervision of Bank Indonesia. BSI initially experienced disruptions due to a cyberattack, but LockBit claims the bank misled customers by attributing the issues to technical maintenance.

8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency
Date: 2023-05-19

The notorious cryptojacking group tracked as 8220 Gang has been spotted weaponizing a six-year-old security flaw in Oracle WebLogic servers to ensnare vulnerable instances into a botnet and distribute cryptocurrency mining malware. The flaw in question is CVE-2017-3506 (CVSS score: 7.4), which, when successfully exploited, could allow an unauthenticated attacker to execute arbitrary commands remotely. ‘This allows attackers to gain unauthorized access to sensitive data or compromise the entire system,’ Trend Micro researcher Sunil Bharti said in a report published this week. 8220 Gang, first documented by Cisco Talos in late 2018, is so named for its original use of port 8220 for command-and-control (C2) network communications.

Apple Fixes Three New Zero-Days Exploited to Hack iPhones, Macs
Date: 2023-05-19

Apple recently patched three new zero-day flaws which were exploited in attacks targeting vulnerable iPhones, Macs, and iPads. Tracked as CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373, the vulnerabilities reside in the multi-platform WebKit browser engine.

Hackers Target Vulnerable WordPress Elementor Plugin After PoC Released
Date: 2023-05-19

Hackers are now actively probing for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites in massive Internet scans, attempting to exploit a critical account password reset flaw disclosed earlier in the month. The critical-severity flaw is tracked as CVE-2023-32243 and impacts Essential Addons for Elementor versions 5.4.0 to 5.7.1, allowing unauthenticated attackers to arbitrarily reset the passwords of administrator accounts and assume control of the websites. The flaw that impacted over a million websites was discovered by PatchStack on May 8th, 2023, and fixed by the vendor on May 11th, with the release of the plugin's version 5.7.2.

Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise
Date: 2023-05-18

Every day, numerous Android phone users worldwide unknowingly contribute to the financial gains of an organization known as the Lemon Group simply by owning their devices. What these users are unaware of is that the Lemon Group has pre-infected their phones even before they purchase them. As a result, the Lemon Group secretly exploits these devices, utilizing them to steal and sell SMS messages and one-time passwords (OTPs), display unwanted advertisements, create online messaging and social media accounts, and carry out various other activities.

BianLian Skips Encryption On Way To Extortion
Date: 2023-05-18

The U.S. cybersecurity agency has warned that the BianLian ransomware group is shifting from malicious encryption to pure extortion. Instead of double extortion, the group now demands a ransom for keeping stolen data secret. The group's change in tactics is likely influenced by the release of a free decryptor by cybersecurity firm Avast. BianLian gains initial access to networks through compromised remote desktop protocol credentials, acquired from brokers or through phishing. They implant a customized backdoor and install remote management tools like TeamViewer.

MalasLocker Ransomware Targets Zimbra Servers, Demands Charity Donation
Date: 2023-05-18

A new ransomware operation is hacking Zimbra servers to steal emails and encrypt files. However, instead of demanding a ransom payment, the threat actors claim to require a donation to charity to provide an encryptor and prevent data leaking. The ransomware operation, dubbed MalasLocker by BleepingComputer, began encrypting Zimbra servers towards the end of March 2023, with victims reporting in both the BleepingComputer and Zimbra forums that their emails were encrypted.

Cisco Warns of Critical Switch Bugs With Public Exploit Code
Date: 2023-05-18

Yesterday, Cisco published an advisory, warning customers of four critical remote code execution vulnerabilities (CVE-2023-20159, CVE-2023-20160, CVE-2023-20161, and CVE-2023-20189) impacting several of its Small Business Series Switches. The four flaws received a CVSS score of 9.8 out of 10 and are due to an improper validation of requests sent to the targeted switches’ web interfaces. A successful exploit of the issues could enable unauthenticated actors to execute arbitrary code with root privileges on targeted devices.

New ZIP Domains Spark Debate Among Cybersecurity Experts
Date: 2023-05-18

Cybersecurity researchers and IT admins have raised concerns over Google's new ZIP and MOV Internet domains, warning that threat actors could use them for phishing attacks and malware delivery. Earlier this month, Google introduced eight new top-level domains (TLD) that could be purchased for hosting websites or email addresses. The new domains are .dad, .esq, .prof, .phd, .nexus, .foo, and for the topic of our article, the .zip and .mov domain TLDs.

FBI Confirms BianLian Ransomware Switch to Extortion Only Attacks
Date: 2023-05-17

A recent collaboration between government agencies in the United States and Australia, led by CISA, has resulted in a joint Cybersecurity Advisory. The advisory highlights the latest tactics, techniques, and procedures (TTPs) employed by the BianLian ransomware group, which has been actively targeting critical infrastructure in both countries since June 2022. As part of the broader #StopRansomware initiative, this advisory draws on investigations conducted by the FBI and the Australian Cyber Security Centre (ACSC) up until March 2023.

Russian Ransomware Affiliate Charged With Attacks On Critical Infrastructure
Date: 2023-05-17

The U.S. Department of the Treasury recently imposed sanctions on Mikhail Matveev, a Russian citizen, for his role in launching cyberattacks against U.S. law enforcement, businesses, and critical infrastructure. Matveev is known for his affiliation with various Russia-linked ransomware variants such as Hive, LockBit, and Babuk. According to the Treasury,

State-Sponsored Sidewinder Hacker Group's Covert Attack Infrastructure Uncovered
Date: 2023-05-17

Group-IB recently uncovered a previously undocumented attack infrastructure utilized by SideWinder, a prolific state-sponsored group, to target entities located in Pakistan and China. The infrastructure unearthed encompasses 55 domains and IP addresses, which researchers identified as phishing domains mimicking various organizations in the news, government, telecommunications, and financial sectors.

Feds Charge Russian, Chinese Nationals With Illegal Exports
Date: 2023-05-17

U.S. federal prosecutors have announced indictments and arrests related to illegal technology exports to Russia, China, and Iran. The cases involve individuals accused of smuggling military and dual-use technology, including tactical military antennas, lasers, pressure sensors, and other electronics. The Biden administration has vowed to crack down on export violations and has created the Disruptive Technology Strike Force. The cases highlight the efforts to prevent advanced technology from falling into the hands of foreign adversaries who may use them to threaten national security and democratic values.

Hackers Infect TP-Link Router Firmware to Attack EU Entities
Date: 2023-05-17

A Chinese state-sponsored hacking group named "Camaro Dragon" infects residential TP-Link routers with a custom "Horse Shell" malware used to attack European foreign affairs organizations. The backdoor malware is deployed in a custom and malicious firmware designed specifically for TP-Link routers so that the hackers can launch attacks appearing to originate from residential networks.

Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks
Date: 2023-05-16

During last week’s Black Hat Asia 2023 conference, Israeli industrial cybersecurity firm OTORIO disclosed several vulnerabilities in cloud management platforms associated with three industrial cellular router vendors that could expose OT networks to external attacks. In total 11 vulnerabilities were disclosed, which could enable threat actors to execute code remotely and take control over hundreds of thousands of devices and OT networks. In particular, the flaws impact cloud-based management solutions offered by Sierra Wireless, Teltonika Networks, and InHand Networks to remotely manage and operate devices.

BEC Attackers Spoof CC'd Execs to Force Payment
Date: 2023-05-16

Security experts have discovered a fresh advancement in business email compromise tactics aimed at intensifying the recipient's urgency to settle a counterfeit invoice. Referred to as "VIP Invoice Authentication Fraud" by Armorblox, this strategy involves deceptive emails that imitate reputable vendors or familiar third parties regularly receiving payments from the targeted organization. The scammer initiates an invoice request targeting an individual, often in the finance team of the targeted organization. What sets this tactic apart from others is that the scammer also includes the recipient's boss in the email thread, using a fake email domain that closely resembles the boss's actual email address.

New RA Group ransomware targets U.S. orgs in double-extortion attacks
Date: 2023-05-16

A new ransomware group named 'RA Group' is targeting pharmaceutical, insurance, wealth management, and manufacturing firms in the United States and South Korea. The new ransomware operation started in April 2023, when they launched a data leak site on the dark web to publish victims' details and stolen data, engaging in the typical 'double-extortion' tactic used by most ransomware gangs.

PharMerica Reports Breach Affecting Nearly 6 Million People
Date: 2023-05-16

PharMerica, an institutional pharmacy, suffered a significant data breach in March, affecting nearly 6 million current and deceased patients. Hackers, allegedly from the Money Message ransomware group, accessed personal information such as names, birthdates, Social Security numbers, medications, and health insurance details. The group leaked spreadsheets containing patient data on the dark web and also posted internal business documents,

Open-source Cobalt Strike Port 'Geacon' Used in macOS Attacks
Date: 2023-05-16

Geacon, a Go-based implementation of the beacon from the widely abused penetration testing suite Cobalt Strike, is being used more and more to target macOS devices. Both Geacon and Cobalt Strike are utilities that legitimate organizations use to simulate attacks against their networks and improve defenses, but threat actors have also relied on them for attacks.

CISA Warns of Critical Ruckus Bug Used to Infect Wi-Fi Access Points
Date: 2023-05-16

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned last Friday of a critical remote code execution (RCE) flaw in the Ruckus Wireless Admin panel actively exploited by a recently discovered DDoS botnet. While this security bug (CVE-2023-25717) was addressed in early February, many owners are likely yet to patch their Wi-Fi access points. Furthermore, no patch is available for those who own end-of-life models affected by this issue.

Enigmatic Hacking Group Operating in Ukraine
Date: 2023-05-15

A newly uncovered hacking group with a string of cyberespionage successes is targeting Ukrainian and pro-Russian targets alike, its motivations uncertain in a conflict that offers little to no middle ground. Malwarebytes in a Wednesday blog post dubs the threat actor "Red Stinger," saying the group is the same as the "Bad Magic" threat actor revealed by Kaspersky in March. Malwarebytes says it traced Red Stinger activities back to 2020, while Kaspersky says it spotted the group in October 2022 - the dates suggesting an investment in stealthy techniques and operational security.

Discord Discloses Data Breach After Support Agent Got Hacked
Date: 2023-05-15

Discord, a popular communication platform, recently experienced a data breach after one of its support agents was hacked. The incident was reported by Discord on their official blog. The breach occurred due to unauthorized access to the support agent's account, which allowed the attacker to gain access to certain user data. Discord confirmed that the breach did not affect the entire user database and that only a small portion of users were impacted.

Researchers Uncover Powerful Backdoor and Custom Implant in Year-Long Cyber Campaign
Date: 2023-05-15

Symantec recently disclosed details of a year-long running campaign targeting government, aviation, education, and telecom sectors located in South and Southeast Asia. Dubbed Lancefly, the operation commenced in mid-2022 and continued until the first quarter of 2023. According to researchers, they observed the actors deploying a powerful backdoor dubbed Merdoor, which has been around since 2018.

XWorm Malware Exploits Follina Vulnerability in New Wave of Attacks
Date: 2023-05-15

Cybersecurity researchers have discovered an ongoing phishing campaign that makes use of a unique attack chain to deliver the XWorm malware on targeted systems. Securonix, which is tracking the activity cluster under the name MEME#4CHAN, said some of the attacks have primarily targeted manufacturing firms and healthcare clinics located in Germany. "The attack campaign has been leveraging rather unusual meme-filled PowerShell code, followed by a heavily obfuscated XWorm payload to infect its victims," security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a new analysis.

Multinational Tech Firm ABB Hit by Black Basta Ransomware Attack
Date: 2023-05-15

ABB, a leading provider of electrification and automation technology, has suffered a Black Basta ransomware attack that has reportedly impacted its business operations. The multinational company, headquartered in Zurich, Switzerland, employs approximately 105,000 workers and recorded $29.4 billion in revenue for 2022. ABB's services include the development of industrial control systems and SCADA systems for energy suppliers and manufacturing.

Stealthier Version of Linux BPFDoor Malware Spotted in the Wild
Date: 2023-05-15

A new, stealthier variant of the Linux malware 'BPFDoor' has been discovered, featuring more robust encryption and reverse shell communications. BPFDoor is a stealthy backdoor malware that has been active since at least 2017 but was only discovered by security researchers around 12 months ago. The malware gets its name from its use of the Berkeley Packet Filter (BPF) to receive instructions while bypassing firewall restrictions on incoming traffic.

Bl00dy Ransomware Gang Strikes Education Sector with Critical PaperCut Vulnerability
Date: 2023-05-15

U.S. cybersecurity and intelligence agencies have warned of attacks carried out by a threat actor known as the Bl00dy Ransomware Gang that attempt to exploit vulnerable PaperCut servers against the education facilities sector in the country. The attacks took place in early May 2023, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) said in a joint cybersecurity advisory issued Thursday.

Fake In-Browser Windows Updates Push Aurora Info-Stealer Malware
Date: 2023-05-15

A malvertising campaign was recently detected using an in-browser Windows update simulation to deceive users and distribute the Aurora information-stealing malware. Aurora, which is coded in Golang, has been advertised on hacker forums for over a year as a highly capable info stealer with low anti-virus detection rates. The campaign, as reported by Malwarebytes researchers, relies on popunder ads on high-traffic adult content websites to redirect unsuspecting users to a location where they are served malware.

Feds Warn of Rise in Attacks Involving Veeam Software Flaw
Date: 2023-05-15

Federal authorities have issued a warning about an increase in cyberattacks targeting Veeam's backup application in the healthcare sector. The attacks exploit a high-severity vulnerability (CVE-2023-27532) in Veeam Backup & Replication, potentially leading to unauthorized access, data theft, or ransomware deployment. The vulnerability affects all versions of the software and poses a significant threat to healthcare environments that rely on Veeam for protecting and restoring files and applications.

New Ransomware Decryptor Recovers Data From Partially Encrypted Files
Date: 2023-05-15

A new 'White Phoenix' ransomware decryptor allows victims to partially recover files encrypted by ransomware strains that use intermittent encryption. Intermittent encryption is a strategy employed by several ransomware groups that alternates between encrypting and not encrypting chunks of data. This method allows a file to be encrypted much faster while still leaving the data unusable by the victim.

Microsoft Fixes BlackLotus Vulnerability, Again
Date: 2023-05-15

Microsoft issued an optional patch Tuesday as part of its monthly dump of fixes that addresses for the second time a Secure Boot zero-day vulnerability exploited by BlackLotus UEFI malware. In all, the Redmond giant pushed out 38 security fixes in its May patch cycle, addressing three zero-day flaws - two of which are under active exploitation, including the UEFI flaw - and six bugs rated critical. Security researchers earlier this year spotted the BlackLotus bootkit for sale on hacker forums for $5,000.

Experts Detail New Zero-Click Windows Vulnerability for NTLM Credential Theft
Date: 2023-05-15

Cybersecurity researchers have shared details about a now-patched security flaw in the Windows MSHTML platform that could be abused to bypass integrity protections on targeted machines. The vulnerability, tracked as CVE-2023-29324 (CVSS score: 6.5), has been described as a security feature bypass. It was addressed by Microsoft as part of its Patch Tuesday updates for May 2023. Akamai security researcher Ben Barnea, who discovered and reported the bug, noted that all Windows versions are affected, but pointed out that Microsoft Exchange servers with the March update omit the vulnerable feature. ‘An unauthenticated attacker on the internet could use the vulnerability to coerce an Outlook client to connect to an attacker-controlled server,’ Barnea said in a report shared with The Hacker News.

Cybersecurity Firm Dragos Discloses Cybersecurity Incident, Extortion Attempt
Date: 2023-05-15

“Industrial cybersecurity company Dragos today disclosed what it describes as a "cybersecurity event" after a known cybercrime gang attempted to breach its defenses and infiltrate the internal network to encrypt devices. While Dragos states that the threat actors did not breach its network or cybersecurity platform, they got access to the company's SharePoint cloud service and contract management system” (Bleeping Computer, 2023). "On May 8, 2023, a known cybercriminal group attempted and failed at an extortion scheme against Dragos. No Dragos systems were breached, including anything related to the Dragos Platform," the company said.

New ‘Greatness’ Service Simplifies Microsoft 365 Phishing Attacks
Date: 2023-05-12

The Greatness phishing-as-a-service platform has witnessed a surge in activity as it focuses on targeting organizations that use Microsoft 365 in the United States, Canada, the U.K., Australia, and South Africa. As a widely used cloud-based productivity platform, Microsoft 365 is highly coveted by cybercriminals who seek to pilfer data or login credentials for use in network intrusions. According to a recent report from Cisco Talos, researchers have revealed that the Greatness phishing platform was established in the middle of 2022, with a significant upsurge in its operations in December 2022, and then again in March 2023.

Critical Ruckus RCE Flaw Exploited By New DDoS Botnet Malware
Date: 2023-05-10

A new malware botnet named 'AndoryuBot' is targeting a critical-severity flaw in the Ruckus Wireless Admin panel to infect unpatched Wi-Fi access points for use in DDoS attacks. Tracked as CVE-2023-25717, the flaw impacts all Ruckus Wireless Admin panels version 10.4 and older, allowing remote attackers to perform code execution by sending unauthenticated HTTP GET requests to vulnerable devices. The flaw was discovered and fixed on February 8, 2023. Still, many have not applied the available security updates, while end-of-life models impacted by the security problem will not get a patch.

Food Distribution Giant Sysco Warns of Data Breach After Cyberattack
Date: 2023-05-10

Sysco, a major global food distribution company, has confirmed that its network was breached earlier this year by attackers who stole sensitive information, including business, customer, and employee data. In an internal memo sent to employees on May 3rd and seen by BleepingComputer, the company revealed that customer and supplier data in the U.S. and Canada, as well as personal information belonging to U.S. employees, may have been impacted in the incident.

Top 5 Password Cracking Techniques Used by Hackers
Date: 2023-05-10

Phishing is often stated as the most successful initial access method for both cybercriminals and more sophisticated nation state actors. Gaining access to valid accounts is one of the easiest and most powerful tools for threat actors. Why spend the resources breaching powerful security tools when you can simply trick an employee into clicking a bad link, or crack their password?

Multiple Vulnerabilities in Aruba Products Could Allow for Arbitrary Code Execution
Date: 2023-05-10

Multiple vulnerabilities have been discovered in Aruba Products, the most severe of which could allow for arbitrary code execution. Aruba Mobility Conductor is an advanced WLAN deployed as a virtual machine (VM) or installed on an x86-based hardware appliance. Aruba Mobility Controller is a WLAN hardware controller in a virtualized environment managing WLAN Gateways and SD-WAN Gateways that are managed by Aruba Central.

BEC Campaign via Israel Spotted Targeting Large Multinational Companies
Date: 2023-05-10

Abnormal Security researchers have identified a threat group based in Israel that is responsible for a series of business email compromise (BEC) campaigns. The group's primary targets are large and multinational corporations with annual revenue exceeding $10 billion. Since February 2021, the group has launched approximately 350 BEC campaigns, with email attacks directed at employees in 61 countries spanning six continents. The attackers impersonate the targeted employee's CEO and subsequently redirect the communication to a second external persona, typically a mergers and acquisitions attorney who oversees the payment process. In certain cases, when the attack advances to the second stage, the perpetrators may ask to switch from email communications to a WhatsApp voice call to expedite the attack and minimize the chances of leaving behind any traceable evidence.

FBI Seizes 13 More Domains Linked to DDoS-For-Hire Services
Date: 2023-05-09

The U.S. Justice Department announced today the seizure of 13 more domains linked to DDoS-for-hire platforms, also known as 'booter' or 'stressor' services. This week's seizures are part of a coordinated international law enforcement effort (known as Operation PowerOFF) to disrupt online platforms allowing anyone to launch massive distributed denial-of-service (DDoS) attacks against any target for the right amount of money.

Microsoft Warns of State-Sponsored Attacks Exploiting Critical PaperCut Vulnerability
Date: 2023-05-09

Iranian nation-state groups have now joined financially motivated actors in actively exploiting a critical flaw in PaperCut print management software, Microsoft said. The tech giant's threat intelligence team said it observed both Mango Sandstorm (Mercury) and Mint Sandstorm (Phosphorus) weaponizing CVE-2023-27350 in their operations to achieve initial access.

Five Takeaways From the Russian Cyber-Attack on Viasat's Satellites
Date: 2023-05-09

The cyber-attack on US firm Viasat’s KA-SAT satellites in Ukraine on February 24, 2022, prompted one of the largest formal attributions of a cyber-attack to a nation-state in history. Nearly 20 countries accused Russia of being responsible, including a dozen EU member states and the Five Eyes countries (US, UK, Australia, New Zealand and Canada). This cyber intrusion, which preceded Russia’s invasion of its neighbor by just a few hours, was thoroughly discussed during the third edition of CYSAT, an event dedicated to cybersecurity in the space industry that took place in Paris, France on April 26-27, 2023.

Western Digital Says Hackers Stole Customer Data in March Cyberattack
Date: 2023-05-09

Western Digital Co. has taken its store offline and sent customers data breach notifications after confirming that hackers stole sensitive personal information in a March cyberattack. The company emailed the data breach notifications late Friday afternoon, warning that customers' data was stored in a Western Digital database stolen during the attack.

Fleckpe Trojan Infects 620K Devices via Google Play
Date: 2023-05-09

The Google Play store was found to have hosted Android malware disguised as legitimate applications, which have been downloaded over 620,000 times since 2022. The malicious apps were disguised as photo-editing apps, camera editors and smartphone wallpaper packs, and infected 11 legitimate applications before being taken down. Once downloaded, the malware executes a payload from the app asset, which sends the infected device's mobile code to a command-and-control server. The server then sends a paid subscription page, which the Trojan opens in an invisible web browser to subscribe the user.

Meet Akira — A New Ransomware Operation Targeting the Enterprise
Date: 2023-05-08

The Akira ransomware operation is gradually expanding its list of victims by infiltrating corporate networks globally, encrypting files, and demanding ransoms amounting to millions of dollars. The operation began in March 2023 and has already targeted 16 companies in diverse industries such as finance, education, real estate, manufacturing, and consulting. Although there was ransomware named Akira released in 2017, there is no connection between these two operations.

MSI’s Firmware, Intel Boot Guard Private Keys Leaked
Date: 2023-05-08

The cybercriminals who breached Taiwanese multinational MSI last month have apparently leaked the company’s private code signing keys on their dark web site. MSI (Micro-Star International) is a corporation that develops and sells computers (laptops, desktops, all-in-one PCs, servers, etc.) and computer hardware (motherboards, graphics cards, PC peripherals, etc.). The company confirmed in early April that it had been hacked. A ransomware group called Money Message claimed responsibility for the breach, said they grabbed (among other things) some of the company’s source code, and asked for $4 million to return/delete it.

New Cactus Ransomware Encrypts Itself to Evade Antivirus
Date: 2023-05-08

Researchers at corporate investigation firm Kroll have uncovered a new ransomware operation dubbed Cactus, which is exploiting known vulnerabilities in Fortinet VPN appliances to gain initial access to the networks of large commercial entities. What's more, this group employs an unusual tactic to evade detection and scanning by antivirus solutions.

WordPress Custom Field Plugin Bug Exposes Over 1M Sites to XSS Attacks
Date: 2023-05-08

Security researchers warn that the 'Advanced Custom Fields' and 'Advanced Custom Fields Pro' WordPress plugins, with millions of installs, are vulnerable to cross-site scripting attacks (XSS). The two plugins are among WordPress's most popular custom field builders, with 2,000,000 active installs on sites worldwide.

Kimsuky Hackers Use New Recon Tool to Find Security Gaps
Date: 2023-05-05

The Kimsuky hacking group, known by aliases such as Thallium and Velvet Chollima, has been using a new version of its reconnaissance malware called ReconShark to conduct a cyberespionage campaign on a global scale. According to Sentinel Labs, the group has broadened its target range to include government organizations, research centers, universities, and think tanks in the US, Europe, and Asia. South Korean and German authorities warned in March 2023 that Kimsuky had distributed malicious Chrome extensions and Android spyware as a remote access trojan to target Gmail accounts. Kaspersky previously reported in August 2022 that the group had targeted politicians, diplomats, university professors, and journalists in South Korea using a multi-stage target validation scheme to ensure the successful infection of only valid targets.

Microsoft Patches Serious Azure Cloud Security Flaws
Date: 2023-05-04

Microsoft has patched three vulnerabilities in its Azure cloud platform that could have allowed attackers to access sensitive info on a targeted service, deny access to the server, or scan the internal network to mount further attacks, researchers have found. Researchers from the Ermetic Research Team discovered the flaws in the Azure API Management Service, which allows organizations to create, manage, secure, and monitor APIs across all of their environments, they revealed in a blog post published Thursday.

Russian Hackers Use WinRAR to Wipe Ukraine State Agency’s Data
Date: 2023-05-04

The Russian 'Sandworm' hacking group has been linked to an attack on Ukrainian state networks in which WinRAR was used to destroy data on government devices. In a new advisory, the Ukrainian Government Computer Emergency Response Team (CERT-UA) says the Russian hackers used compromised VPN accounts that weren't protected with multi-factor authentication to access critical systems in Ukrainian state networks. Once they gained access to the network, they employed scripts that wiped files on Windows and Linux machines using the WinRAR archiving program.

City of Dallas Hit by Royal Ransomware Attack Impacting IT Services
Date: 2023-05-04

The City of Dallas, Texas, has suffered a Royal ransomware attack, causing it to shut down some of its IT systems to prevent the attack's spread. Dallas is the ninth largest city in the United States, with a population of approximately 2.6 million people, according to US census data. Local media reported that the City's police communications and IT systems were shut down Monday morning due to a suspected ransomware attack. This has led to 911 dispatchers having to write down received reports for officers rather than submit them via the computer-assisted dispatch system. The Dallas County Police Department's website was also offline for part of the day due to the security incident but has since been restored.

Hackers Start Using Double DLL Sideloading to Evade Detection
Date: 2023-05-04

A hacking group known as Dragon Breath, Golden Eye Dog, or APT-Q-27 is utilizing multiple sophisticated variations of the traditional DLL sideloading technique to avoid detection. These attack variations start with an initial stage that uses legitimate applications, such as Telegram, to sideload a second-stage payload, which may itself be legitimate and which in turn loads a malicious loader DLL.

Drone Goggles Maker Claims Firmware Sabotaged to ‘Brick’ Devices
Date: 2023-05-04

Orqa, a maker of First Person View (FPV) drone racing goggles, claims that a contractor introduced code into its devices' firmware that acted as a time bomb designed to brick them. Early on Saturday, Orqa started receiving reports from customers surprised to see their FPV.One V1 goggles enter bootloader mode and become unusable.

Google Chrome Will Lose the “Lock” Icon for HTTPS-Secured Sites
Date: 2023-05-03

In September 2023, Google Chrome will stop showing the lock icon when a site loads over HTTPS, partly due to the now ubiquitous use of the protocol. It took many years, but the unceasing push by Google, other browser makers and Let's Encrypt to make HTTPS the norm for accessing resources on the Web resulted in an unmitigated success; according to Google, over 95% of page loads in Chrome on Windows are now over an encrypted, secure channel using HTTPS.

FBI Seizes 9 Crypto Exchanges Used to Launder Ransomware Payments
Date: 2023-05-03

In a recent announcement, the FBI stated that it carried out an operation alongside the Virtual Currency Response Team, the National Police of Ukraine, and legal prosecutors in the country to seize several cryptocurrency exchange sites that were being used by scammers and cybercriminals, including ransomware actors, to launder money taken from victims.

98% of organizations with Office 365 harbor malicious emails inside their mailboxes. Threats like ransomware, spear phishing, and account takeover put your organization and employees at significant risk. Find out what's hiding in your inbox.


Via a security assessment, we can quickly identify security gaps and out-of-date patches and software updates, then advise on the steps to fix them.


Via a short questionnaire, we'll help you determine whether weaknesses exist in the way you protect your confidential data. In a few minutes, we'll produce a comprehensive profile of the strengths and vulnerabilities of your IT security. Let us show you where protections should be placed before those vulnerabilities are exploited.


LACyber can directly submit suspicious URLs and files through the ISAO's Cyber Forum for rapid analysis to determine whether they are known or zero-day cybersecurity threats.



Contact LACyber

LACyber's main office is located at 155 Great Arrow, Buffalo, New York. Our main office phone number is (716) 871-7040.

Location:

155 Great Arrow, Buffalo, NY 14207

Call:

+1 716 871-7040
