Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption

Source: Microsoft

The vulnerability, identified as CVE-2024-37085, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation. Read more.

“EchoSpoofing” — A Massive Phishing Campaign Exploiting Proofpoint’s Email Protection to Dispatch Millions of Perfectly Spoofed Emails

Source: Guardio

Dubbed “EchoSpoofing”, this issue allowed threat actors to dispatch millions of perfectly spoofed phishing emails, leveraging Proofpoint’s customer base of well-known companies and brands such as Disney, IBM, Nike, Best Buy, and Coca-Cola. Read more.
Malicious Python Package Targets macOS Developers To Access Their GCP Accounts

Source: Checkmarx

A package called “lr-utils-lib” was uploaded to PyPI in early June 2024, containing malicious code that executes automatically upon installation. The malware uses a list of predefined hashes to target specific macOS machines and attempts to harvest Google Cloud authentication data. The harvested credentials are sent to a remote server. Read more.

WhatsApp for Windows lets Python, PHP scripts execute with no warning

Source: BLEEPING COMPUTER

A security issue in the latest version of WhatsApp for Windows allows sending Python and PHP attachments that are executed without any warning when the recipient opens them. For the attack to be successful, Python needs to be installed, a prerequisite that may limit the targets to software developers, researchers, and power users. Read more.

5 ways threat actors are taking advantage of the CrowdStrike outage

Source: SC Media

The CrowdStrike outage incident exposed both widespread security shortcomings across organizations and the ruthless, opportunistic nature of cybercriminals in the wake of a worldwide disaster. Read more.

Six-day, 14.7 Million RPS Web DDoS Attack Campaign Attributed to SN_BLACKMETA

Source: Radware

This year has been marked by a record-breaking six-day attack campaign consisting of multiple 4- to 20-hour Web DDoS waves, amounting to a total of 100 hours of attack time and sustaining an average of 4.5 million RPS with a peak of 14.7 million RPS. Read more.

APT45: North Korea’s Digital Military Machine

Source: Google Cloud

APT45 has gradually expanded into financially motivated operations, and the group’s suspected development and deployment of ransomware sets it apart from other North Korean operators. Read more.

Stargazers Ghost Network

Source: Check Point Research

Check Point Research identified a network of GitHub accounts (Stargazers Ghost Network) that distributes malware and malicious links via phishing repositories. Beyond hosting the malicious content, the accounts star, fork, and subscribe to the malicious repositories so that they appear legitimate. Read more.

Daggerfly: Espionage Group Makes Major Update to Toolset

Source: Symantec

Among the new additions to Daggerfly’s arsenal are a new malware family based on the group’s MgBot modular malware framework and a new version of the Macma macOS backdoor. Read more.

Novel ICS Malware Sabotaged Water-Heating Services in Ukraine

Source: DARK READING

The malware, dubbed FrostyGoop by researchers at Dragos who discovered it, is the first known malware that lets threat actors interact directly with operational technology (OT) systems via Modbus, a widely used communication protocol in ICS environments. Read more.