InfoSec Articles (05/07/24 – 05/21/24)


Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

AWS Route 53 DNS Resolver Firewall

Source: Malware Patrol

Amazon Route 53 is a Domain Name System (DNS) service that connects user requests to Internet applications running on AWS or on-premises. Among the features this service offers is protection via the Route 53 Resolver DNS Firewall. It allows the use of AWS Managed Domain Lists, as well as custom Domain Lists (outside sources or your own). Read more.

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

Source: Security Intelligence

Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. Read more.

New Threat Insights Reveal That Cybercriminals Increasingly Target the Pharmacy Sector

Source: Proofpoint

At a taxonomy department level, “pharmacy” job roles advanced from the number 35 rank in the per-user attack index average in 2023 to the top spot in the per-user attack index average in Q1 2024. VIP job roles rank second, while finance services roles rank fourth. Read more.

New Antidot Android Banking Trojan Masquerading as Fake Google Play Updates

Source: CYBLE

Antidot incorporates a range of malicious features, including overlay attacks and keylogging, allowing it to compromise devices and harvest sensitive information. Read more.

Payload Trends in Malicious OneNote Samples

Source: UNIT42

Our analysis of roughly 6,000 malicious OneNote samples from WildFire reveals that these samples have a phishing-like theme where attackers use one or more images to lure people into clicking or interacting with OneNote files. The interaction then executes an embedded malicious payload. Read more.

Threat actors misusing Quick Assist in social engineering attacks leading to ransomware

Source: Microsoft Security

The observed activity begins with impersonation through voice phishing (vishing), followed by delivery of malicious tools, including remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, malware like Qakbot, Cobalt Strike, and ultimately Black Basta ransomware. Read more.

FBI seize BreachForums hacking forum used to leak stolen data

Source: BLEEPING COMPUTER

The website is now displaying a message stating that the FBI has taken control over it and the backend data, indicating that law enforcement seized both the site’s servers and domains. Read more.

Foxit PDF “Flawed Design” Exploitation

Source: CHECK POINT

Check Point Research has identified an unusual pattern of behavior involving PDF exploitation, mainly targeting users of Foxit Reader. This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands. Check Point Research has observed variants of this exploit being actively utilized in the wild. Read more.

Hackers Use DNS Tunneling to Scan and Track Victims

Source: Infosecurity Magazine

“In this application of DNS tunneling, an attacker’s malware embeds information on a specific user and that user’s actions into a unique subdomain of a DNS query. This subdomain is the tunneling payload, and the DNS query for the fully qualified domain name (FQDN) uses an attacker-controlled domain,” the blog explained. Read more.

Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain

Source: welivesecurity

Among the victims are many hosting providers. The gang leverages its access to the hosting provider’s infrastructure to install Ebury on all the servers that are being rented by that provider. As an experiment, we rented a virtual server from one of the compromised hosting providers: Ebury was installed on our server within seven days. Read more.

Want more articles? Check out the previous edition of Security Signals.


InfoSec Articles (04/23/24 – 05/07/24)

Tunnel Vision: Looking Out for Malicious Tunneling Use

Source: Malware Patrol

Offering a cloak of anonymity and encrypted pathways, these services have emerged as an option that allows attackers to obfuscate their activities and bypass conventional security measures. In this blog, we will explain how they work, explore the types of cyber threats they enable, and provide some mitigation strategies to fortify your defenses against them. Read more.

Dirty Stream Attack Poses Billions of Android Installs at Risk

Source: Security Affairs

The IT giant describes Dirty Stream as an attack pattern, linked to path traversal, that affects various popular Android apps. The technique allows a malicious app to overwrite files in the vulnerable app’s home directory, potentially leading to arbitrary code execution and the theft of tokens. Read more.

Android bug leaks DNS queries even when VPN kill switch is enabled

Source: BLEEPING COMPUTER

A Mullvad VPN user has discovered that Android devices leak DNS queries when switching VPN servers even though the “Always-on VPN” feature was enabled with the “Block connections without VPN” option. Read more.

Hackers Target New NATO Member Sweden with Surge of DDoS Attacks

Source: Infosecurity Magazine

Sweden has faced a wave of distributed denial of service (DDoS) attacks since it started the process of joining NATO, according to network performance management provider Netscout. Read more.

Pakistani APTs Escalate Attacks on Indian Gov.

Source: SEQRITE

India is one of the most targeted countries in the cyber threat landscape where not only Pakistan-linked APT groups like SideCopy and APT36 (Transparent Tribe) have targeted India but also new spear-phishing campaigns such as Operation RusticWeb and FlightNight have emerged. Read more.

New Cuttlefish malware infects routers to monitor traffic for credentials

Source: BLEEPING COMPUTER

Lumen Technologies’ Black Lotus Labs examined the new malware and reports that Cuttlefish creates a proxy or VPN tunnel on the compromised router to exfiltrate data discreetly while bypassing security measures that detect unusual sign-ins. Read more.

Ex-NSA Employee Sentenced to 22 Years for Trying to Sell U.S. Secrets to Russia

Source: The Hacker News

Despite his short tenure at the intelligence agency, Dalke is said to have made contact with a person he thought was a Russian agent sometime between August and September of that year. In reality, the person was an undercover agent working for the Federal Bureau of Investigation (FBI). Read more.

JFrog Security research discovers coordinated attacks on Docker Hub that planted millions of malicious repositories

Source: JFrog

In this blog post, we reveal three large-scale malware campaigns we’ve recently discovered, targeting Docker Hub, that planted millions of “imageless” repositories with malicious metadata. These are repositories that do not contain container images (and as such cannot be run in a Docker engine or Kubernetes cluster) but instead contain metadata that is malicious. Read more.

A Cunning Operator: Muddling Meerkat and China’s Great Firewall

Source: Infoblox

This paper introduces a perplexing actor, Muddling Meerkat, who appears to be a People’s Republic of China (PRC) nation state actor. Muddling Meerkat conducts active operations through DNS by creating large volumes of widely distributed queries that are subsequently propagated through the internet using open DNS resolvers. Read more.

From IcedID to Dagon Locker Ransomware in 29 Days

Source: The DFIR Report

This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. This phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware. Victims were directed to a fraudulent website, mimicking an Azure download portal. Read more.

Want more articles? Check out the previous edition of Security Signals. Want to learn more about Threat Actors? Visit Malware Patrol's Threat Actor Profile Page.


InfoSec Articles (04/09/24 – 04/23/24)

Justice Department Seizes Four Web Domains Used to Create Over 40,000 Spoofed Websites and Store the Personal Information of More Than a Million Victims

Source: Office of Public Affairs

According to court records, the United States obtained authorization to seize the domains as part of an investigation of the spoofing service operated through the Lab-host.ru domain (LabHost), which resolves to a Russian internet infrastructure company. Read more.

Akira takes in $42 million in ransom payments, now targets Linux servers

Source: SC Media

CISA said the advisory’s main goal was to help organizations mitigate these attacks by disseminating known Akira ransomware tactics, techniques and procedures, as well as indicators of compromise identified through FBI investigations as recent as February 2024. Read more.

Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials

Source: CISCO TALOS

Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions. The traffic related to these attacks has increased with time and is likely to continue to rise. Read more.

United Nations agency investigates ransomware attack, data theft

Source: BLEEPING COMPUTER

While the UN agency has yet to link the attack to a specific threat group, the 8Base ransomware gang added a new UNDP entry to its dark web data leak website on March 27. The attackers say that the documents their operators managed to exfiltrate during the breach contain large amounts of sensitive information. Read more.

Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack

Source: The Hacker News

The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as “intricate” and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software. Read more.

Malvertising campaign targeting IT teams with MadMxShell

Source: Zscaler

The newly discovered backdoor uses several techniques such as multiple stages of DLL sideloading, abusing the DNS protocol for communicating with the command-and-control (C2) server, and evading memory forensics security solutions. We named this backdoor “MadMxShell” for its use of DNS MX queries for C2 communication and its very short interval between C2 requests. Read more.

OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal

Source: CISCO TALOS

Eventually, we discovered over 100 uploaded documents with potentially confidential information about government and police activities in Ukraine. The analysis of the code showed unexpected results – instead of lures used by advanced actors, the uploaded documents were infected with a multi-component VBA macro virus OfflRouter, created in 2015. Read more.

SoumniBot: the new Android banker’s unique techniques

Source: SECURE LIST

That said, we recently discovered a new banker, SoumniBot, which targets Korean users and is notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest. Read more.

Widely-Used PuTTY SSH Client Found Vulnerable to Key Recovery Attack

Source: The Hacker News

The maintainers of the PuTTY Secure Shell (SSH) and Telnet client are alerting users of a critical vulnerability impacting versions from 0.68 through 0.80 that could be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys. Read more.

Cisco Duo warns third-party data breach exposed SMS MFA logs

Source: BLEEPING COMPUTER

Cisco Duo’s security team warns that hackers stole some customers’ VoIP and SMS logs for multi-factor authentication (MFA) messages in a cyberattack on their telephony provider. Read more.

Want more articles? Check out the previous edition of Security Signals.


InfoSec Articles (03/26/24 – 04/09/24)

Oxycorat Android RAT Spotted On Dark Web Stealing Wi-Fi Passwords

Source: GBHackers

According to the details, the RAT includes a file manager, an SMS manager, and a wallet stealer, which could give attackers access to sensitive financial information. Read more.

Over 92,000 Internet-Facing D-Link NAS Devices Can Be Easily Hacked

Source: Security Affairs

A researcher who goes online with the moniker ‘Netsecfish’ disclosed a new arbitrary command injection and hardcoded backdoor flaw, tracked as CVE-2024-3273, that impacts multiple end-of-life D-Link Network Attached Storage (NAS) device models. Read more.

The Illusion of Privacy: Geolocation Risks In Modern Dating

Source: CHECKPOINT RESEARCH

Despite safety measures, the Hornet dating app (a popular gay dating app with over 10 million downloads) had vulnerabilities, allowing precise location determination, even if users disabled the display of their distances. In reproducible experiments, we achieved location accuracy within 10 meters. Read more.

New Red Ransomware Group (Red CryptoApp) Exposes Victims on Wall of Shame

Source: HACK READ

A new ransomware group, Red CryptoApp (Red Ransomware Group), is shaking things up. Unlike others, they humiliate victims by publishing their names on a “wall of shame.” Learn how Red CryptoApp targets victims, what industries are at risk, and how to protect yourself. Read more.

Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack

Source: BLEEPING COMPUTER

The U.S. Department of Homeland Security’s Cyber Safety Review Board (CSRB) has released a scathing report on how Microsoft handled its 2023 Exchange Online attack, warning that the company needs to do better at securing data and be more truthful about how threat actors stole an Azure signing key. Read more.

Threat Actors Deliver Malware via YouTube Video Game Cracks

Source: Proofpoint

Proofpoint Emerging Threats has observed information stealer malware including Vidar, StealC, and Lumma Stealer being delivered via YouTube in the guise of pirated software and video game cracks. Read more.

Unpatched Vulnerabilities: The Most Brutal Ransomware Attack Vector

Source: SOPHOS

This report highlights how ransomware outcomes differ depending on the root cause of the attack. It compares the severity, financial cost, and operational impact of attacks that start with an exploited vulnerability with those where adversaries use compromised credentials to penetrate the organization. Read more.

Attackers Almost Backdoored Most Linux OSes Worldwide with Supply Chain Attack that Took Years to Set Up

Source: Bitdefender

This leads us to February 2024, when Jia Tan submitted patches for two XZ Utils versions, 5.6.0 and 5.6.1, which actually introduced a backdoor. The attackers could connect via the SSH protocol into a machine and skip the authentication process, giving them full access. Read more.

Mind the Patch Gap: Exploiting an io_uring Vulnerability in Ubuntu

Source: EXODUS INTELLIGENCE

This post discusses a use-after-free vulnerability, CVE-2024-0582, in io_uring in the Linux kernel. Despite the vulnerability being patched in the stable kernel in December 2023, it wasn’t ported to Ubuntu kernels for over two months, making it an easy 0day vector in Ubuntu during that time. Read more.

New Darcula phishing service targets iPhone users via iMessage

Source: BLEEPING COMPUTER

One thing that makes the service stand out is that it approaches the targets using the Rich Communication Services (RCS) protocol for Google Messages and iMessage instead of SMS for sending phishing messages. Read more.

Want more articles? Check out the previous edition of Security Signals.


InfoSec Articles (03/12/24 – 03/26/24)

Microsoft Warns of New Tax Returns Phishing Scams Targeting You

Source: HACK READ

New and sophisticated tax phishing scams are targeting taxpayers, warns Microsoft. These scams impersonate trusted sources and use urgency tactics to steal personal and financial data. Read more.

Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect

Source: MANDIANT

This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People’s Republic of China (PRC) threat actor, UNC5174. Read more.

New details on TinyTurla’s post-compromise activity reveal full kill chain

Source: CISCO TALOS

The attackers compromised the first system, established persistence and added exclusions to anti-virus products running on these endpoints as part of their preliminary post-compromise actions. Read more.

TeamCity Vulnerability Exploits Lead to Jasmin Ransomware, Other Malware Types

Source: TREND MICRO

Customers of TeamCity with servers affected by these vulnerabilities are advised to update their software as soon as possible. The US Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2024-27198 to its Known Exploited Vulnerabilities catalog. Read more.

Mounting AceCryptor malware attacks target Europe

Source: SC Media

Organizations across Europe have been subjected to a deluge of attacks involving AceCryptor malware as part of campaigns that sought to exfiltrate email and browser credentials during the second half of 2023, reports The Record, a news site by cybersecurity firm Recorded Future. Read more.

Cybercriminals Beta Test New Attack to Bypass AI Security

Source: HACK READ

Hackers develop a new attack (Conversation Overflow) to bypass AI security. Learn how this technique fools Machine Learning and what businesses can do to stay protected. Read more.

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

Source: Security Intelligence

As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. Read more.

The Aviation And Aerospace Sectors Face Skyrocketing Cyber Threats

Source: Resecurity

The aerospace sector has become a rising target for cyberattacks due to its reliance on vastly interconnected digital infrastructures, global supply chains, and the torrential volume of sensitive data it handles. Read more.

Telecoms Manager Admits to Taking Bribes to Help Carry Out SIM Swapping Attacks

Source: Bitdefender

Court documents say Katz helped his co-conspirators victimize five customers of the telecoms company, receiving $5,000 ($1,000 per SIM swap) plus an unspecified percentage of the profits earned from the account takeovers. Read more.

Esports league postponed after players hacked midgame

Source: NATIONAL CYBER SECURITY

In the video, it’s clear that at one point — abruptly — Genburten starts seeing other players highlighted on the map, even those behind walls. This is what is called “wallhack,” essentially a cheat that allows hackers to see opponents through in-game obstacles. Read more.

Want more articles? Check out the previous edition of Security Signals.


InfoSec Articles (02/27/24 – 03/12/24)

The Anatomy of a BlackCat (ALPHV) Attack

Source: SYGNIA

In 2023, Sygnia’s IR team was engaged by a client to investigate suspicious activities in the client’s network. The activities were ultimately identified as a financial extortion attack executed by the BlackCat (ALPHV) ransomware group or one of its affiliates, and included a massive data exfiltration. Read more.

Delving into Dalvik: A Look Into DEX Files

Source: MANDIANT

Through a case study of the banking trojan sample, this blog post aims to give an insight into the Dalvik Executable file format, how it is constructed, and how it can be altered to make analysis easier. Additionally, we are releasing a tool called dexmod that exemplifies Dalvik bytecode patching and helps modify DEX files. Read more.

Server Killers Alliances: Here Is The List Of Hacker Groups

Source: GBHackers

A new tweet from Daily Dark Web reports that a group called The Server Killers has formed an alliance and is planning to launch cyber attacks on Moldova. Read more.

TODDLERSHARK: ScreenConnect Vulnerability Exploited to Deploy BABYSHARK Variant

Source: KROLL

The Kroll Cyber Threat Intelligence (CTI) team discovered new malware resembling the VBScript based BABYSHARK malware that we’ve called TODDLERSHARK. Read more.

Cyber Dragon Attacks And Disables Linkedin

Source: PRIVACY Affairs

The lesser-known but dangerous hacking group Cyber Dragon took Linkedin offline recently as a result of a massive breach. As users reported, both the website and the app were down for more than 24 hours intermittently. Read more.

New Fakext malware targets Latin American banks

Source: Security Intelligence

In November 2023, security researchers at IBM Security Trusteer found new widespread malware dubbed Fakext that uses a malicious Edge extension to perform man-in-the-browser and web-injection attacks. Read more.

Check Point Research Alerts: Financially Motivated Magnet Goblin Group Exploits 1-Day Vulnerabilities to target Publicly Facing Servers

Source: CHECK POINT

Rapid Exploitation of 1-Day Vulnerabilities: Threat actor group Magnet Goblin’s hallmark is its ability to swiftly leverage newly disclosed vulnerabilities, particularly targeting public-facing servers and edge devices. In some cases, the deployment of the exploits is within 1 day after a POC is published, significantly increasing the threat level posed by this actor. Read more.

TA4903: Actor Spoofs U.S. Government, Small Businesses in Phishing, BEC Bids

Source: Proofpoint

TA4903 is a financially motivated cybercriminal threat actor that spoofs both U.S. government entities and private businesses across many industries. The actor mostly targets organizations located in the United States, but occasionally those located globally, with high-volume email campaigns. Proofpoint assesses with high confidence the objectives of the campaigns are to steal corporate credentials, infiltrate mailboxes, and conduct follow-on business email compromise (BEC) activity. Read more.

Watch Out for Spoofed Zoom, Skype, Google Meet Sites Delivering Malware

Source: The Hacker News

Threat actors have been leveraging fake websites advertising popular video conferencing software such as Google Meet, Skype, and Zoom to deliver a variety of malware targeting both Android and Windows users since December 2023. “The threat actor is distributing Remote Access Trojans (RATs) including SpyNote RAT for Android platforms, and NjRAT and DCRat for Windows systems,” Zscaler ThreatLabz researchers said. Read more.

Ukraine’s GUR Hacked the Russian Ministry of Defense

Source: Security Affairs

The documents revealed the leadership of the Russian Ministry, including other high-ranking officials within the divisions of Russian Ministry of Defense. This encompasses deputies, assistants, and specialists, individuals who used the electronic document management systems known as ‘bureaucrat’. Read more.

Want more articles? Check out the previous edition of Security Signals. Want to learn more about Threat Actors? Visit Malware Patrol's Threat Actor Profile Page.


InfoSec Articles (02/13/24 – 02/27/24)

LockBit ransomware returns, restores servers after police disruption

Source: BLEEPING COMPUTER

On Saturday, LockBit announced it was resuming the ransomware business and released damage control communication admitting that “personal negligence and irresponsibility” led to law enforcement disrupting its activity in Operation Cronos. Read more.

A Cyber Attack Hit The Royal Canadian Mounted Police

Source: Security Affairs

The Canadian government declared that two of its contractors, Brookfield Global Relocation Services (BGRS) and SIRVA Worldwide Relocation & Moving Services, have been hacked, resulting in the exposure of sensitive information belonging to an undisclosed number of government employees. Read more.

Russian hackers shift to cloud attacks, US and allies warn

Source: BLEEPING COMPUTER

APT29’s initial cloud breach vectors also include the use of stolen access tokens that enable them to hijack accounts without using credentials, compromised residential routers to proxy their malicious activity, MFA fatigue to bypass multi-factor authentication (MFA), and registering their own devices as new devices on the victims’ cloud tenants. Read more.

Attackers exploiting ConnectWise ScreenConnect flaws, fixes available for all users (CVE-2024-1709, CVE-2024-1708)

Source: HELP NET SECURITY

ConnectWise shared the existence of the two flaws on Monday (February 19), when it said that they’ve been reported through their vulnerability disclosure channel via the ConnectWise Trust Center, and urged customers that are self-hosted or on-premise to update their servers to version 23.9.8 as soon as possible. Read more.

Feds remove Ubiquiti router botnet used by Russian intelligence

Source: SC Media

The botnet was built by cybercriminals outside the GRU who initially installed Moobot malware on Ubiquiti Edge OS routers that could be compromised because they used publicly known default administrator passwords. Read more.

Earth Preta Campaign Uses DOPLUGS to Target Asia

Source: TREND MICRO

In this blog entry, we focus on the Earth Preta campaign, providing an analysis of the DOPLUGS malware variant that the group used, including backdoor command behavior, integration with the KillSomeOne module, and its evolution. Read more.

Migo – a Redis Miner with Novel System Weakening Techniques

Source: CADO

The malware, named Migo by the developers, aims to compromise Redis servers for the purpose of mining cryptocurrency on the underlying Linux host. Read more.

Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns

Source: CISCO TALOS

We have observed evidence that the distribution campaigns for these malware families are related, with Astaroth and Mekotio being distributed under the same Google Cloud Project and Google Cloud storage bucket. Ousaban is also being dropped as part of the Astaroth infection process. Read more.

How BRICS Got “Rug Pulled” – Crypto Counterfeiting Is On The Rise

Source: Resecurity

A notable example of this deceptive practice is the emergence of a counterfeit token named ‘BRICS’ recently detected by Resecurity, which exploited the focus on the investment interest and potential expansion of the BRICS intergovernmental organization, comprising countries like Brazil, Russia, India, China, South Africa, Egypt, Ethiopia, Iran, and the United Arab Emirates. Read more.

Meta Warns of 8 Spyware Firms Targeting iOS, Android, and Windows Devices

Source: The Hacker News

These firms, per Meta, also engaged in scraping, social engineering, and phishing activity that targeted a wide range of platforms such as Facebook, Instagram, X (formerly Twitter), YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, SnapChat, Gettr, Viber, Twitch, and Telegram. Read more.

Want more articles? Check out the previous edition of Security Signals. Want to learn more about Threat Actors? Visit Malware Patrol's Threat Actor Profile Page.


InfoSec Articles (01/30/24 – 02/13/24)

Maldocs of Word and Excel: Vigor of the Ages

Source: CHECK POINT RESEARCH

In our research, we show the statistics on attacked industries and countries and highlight the payloads – many of them are in the top prevalent malware lists – delivered by maldocs. We investigate lures used in different attack campaigns and describe several tricks that can help maldocs fool automated sandboxes, even though the CVEs used are well-known and well-aged. Read more.

I Know What Your Password Was Last Summer…

Source: LARES

An interesting aspect we regularly encounter when compromising organisations is the psychology behind how people choose their passwords. This insight reveals patterns and tendencies in password creation within Windows environments, shedding light on common vulnerabilities and the human factors influencing password security. Read more.

Coyote: A multi-stage banking Trojan abusing the Squirrel installer

Source: SECURELIST

This malware utilizes the Squirrel installer for distribution, leveraging NodeJS and a relatively new multiplatform programming language called Nim as a loader to complete its infection. We have named this newly discovered Trojan “Coyote” due to the role of coyotes as natural predators of squirrels. Read more.

Raspberry Robin Keeps Riding the Wave of Endless 1-Days

Source: CHECK POINT RESEARCH

Most importantly, Raspberry Robin continues to use different exploits for vulnerabilities either before or only a short time after they were publicly disclosed. Those 1-day exploits were not publicly disclosed at the time of their use. An exploit for one of the vulnerabilities, CVE-2023-36802, was also used in the wild as a 0-day and was sold on the Dark Web. Read more.

Chinese hackers fail to rebuild botnet after FBI takedown

Source: BLEEPING COMPUTER

Before KV-botnet’s takedown, it allowed the Volt Typhoon threat group (aka Bronze Silhouette) to proxy malicious activity through hundreds of compromised small office/home offices (SOHO) across the U.S. to evade detection. Read more.

2023 Cybersecurity Lingo for Stronger Digital Defense

Source: THE CYBER EXPRESS

The language of cybersecurity can be compared with a digital sword when it comes to ever-changing environments in cyberspace, where shadows keep both danger and safety. Ending 2023 leads us into a lexical exploration of the complex fabric of cyberslang, where cyber sentinels use secret cybersecurity jargon to secure the virtual world. Read more.

Nearly 4-year-old Cisco vuln linked to recent Akira ransomware attacks

Source: The Register

The vulnerability lies in the web services interface of Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software, allowing attackers to extract secrets stored in memory in clear text such as usernames and passwords – à la CitrixBleed. Read more.


InfoSec Articles (01/16/24 – 01/30/24)


The Endless Struggle Against APT10: Insights from LODEINFO v0.6.6 – v0.7.3 Analysis

Source: ITOCHU Cyber Intelligence Inc.

According to information released by security vendors, APT campaigns using LODEINFO target Japanese media, diplomacy, public institutions, defense industries, and think tanks. It is also suggested that the infamous APT group called APT10 is involved, given the similarities in their methods and malware. Read more.

Spoofing 802.11 Wireless Beacon Management Frames with Manipulated Power Values Resulting in Denial of Service for Wireless Clients

Source: Trustwave

So, the story starts in Ubuntu, in dmesg to be exact. Dmesg (diagnostic messages) prints kernel-related messages for those of you not familiar. So, there I was, minding my own business, not at all looking into wireless, actually looking into some Bluetooth research (watch this space!). I had to install some required packages and suddenly Ubuntu crashed on me. I look into dmesg to see what the fuss is all about, no real answer… but I noticed this line that had to do with the wireless interface. Read more.

Exploits released for critical Jenkins RCE flaw, patch now

Source: BLEEPING COMPUTER

Multiple proof-of-concept (PoC) exploits for a critical Jenkins vulnerability allowing unauthenticated attackers to read arbitrary files have been made publicly available, with some researchers reporting attackers actively exploiting the flaws in attacks. Read more.

Nigerian ‘Yahoo Boys’ Behind Social Media Sextortion Surge in the US

Source: Infosecurity Magazine

Their typical approach is to “bomb” high schools, youth sports teams and universities with fake accounts, using advanced social engineering tactics to coerce their victims into a compromising situation. Read more.

The Intricacies of Atomic Stealer (AMOS) and the Emergence of Xehook Stealer on Dark Web

Source: The Cyber Express

A new information stealer has arrived on the dark web. Known as Atomic Stealer (AMOS), this information-stealing malware is designed for a phishing campaign associated with the rise of dead cookie restoration and Xehook Stealer. Read more.

Russia-Linked APT Group Midnight Blizzard Hacked Hewlett Packard Enterprise (HPE)

Source: The Hacker News

Hewlett Packard Enterprise (HPE) revealed that alleged Russia-linked cyberespionage group Midnight Blizzard gained access to its Microsoft Office 365 cloud-based email environment. The attackers were collecting information on the cybersecurity division of the company and other functions. Read more.

NSPX30: A sophisticated AitM-enabled implant evolving since 2005

Source: welivesecurity

ESET researchers provide an analysis of an attack carried out by a previously undisclosed China-aligned threat actor we have named Blackwood, and that we believe has been operating since at least 2018. The attackers deliver a sophisticated implant, which we named NSPX30, through adversary-in-the-middle (AitM) attacks hijacking update requests from legitimate software. Read more.


InfoSec Articles (01/02/24 – 01/16/24)


CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign

Source: TREND MICRO

CVE-2023-36025 affects Microsoft Windows Defender SmartScreen and stems from the lack of checks and associated prompts on Internet Shortcut (.url) files. Threat actors can leverage this vulnerability by crafting .url files that download and execute malicious scripts that bypass the Windows Defender SmartScreen warning and checks. Read more.

Atomic Stealer rings in the new year with updated version

Source: Malwarebytes LABS

It looks like Atomic Stealer was updated around mid to late December 2023, where its developers introduced payload encryption in an effort to bypass detection rules. Some samples from crack websites made their way to VirusTotal around that time frame, followed by a malvertising campaign we observed in January 2024. Read more.

Financial Fraud APK Campaign

Source: Unit 42 PaloAlto Networks

The threat actors used this Android application to impersonate law enforcement authorities. They claimed that the victim’s bank account was suspected of being involved in money laundering or other financial-related crimes. They then sent the victim a download link to this application package, urging the victim to input their sensitive personal information into the malicious application. Read more.

Unprecedented Growth in Malicious Botnets Observed

Source: NETSCOUT

Analysis of the activity has uncovered a rise in the use of cheap or free cloud and hosting servers that attackers are using to create botnet launch pads. These servers are used via trials, free accounts, or low-cost accounts, which provide anonymity and minimal overhead to maintain. Read more.

You Had Me at Hi — Mirai-Based NoaBot Makes an Appearance

Source: Akamai

The NoaBot botnet has most of the capabilities of the original Mirai botnet (such as a scanner module and an attacker module, hiding its process name, etc.), but we can also see many differences from Mirai’s original source code. First and foremost, the malware’s spreader is based on SSH, not on Telnet like Mirai. Read more.

Unseen Threats in Software Development | The Perils of Trojanized NPM Packages

Source: SentinelOne

Because npm and npm packages can extend deep into the organization’s development environment, security is a crucial issue that must be addressed. Let’s look at some examples of how easily, and severely, npm can be leveraged by threat actors. Read more.

Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign

Source: TREND MICRO

In general, Water Curupira conducts campaigns for the purpose of dropping backdoors such as Cobalt Strike, leading to Black Basta ransomware attacks (coincidentally, Black Basta also returned to operations in September 2023). The threat actor conducted several DarkGate spam campaigns and a small number of IcedID campaigns in the early weeks of the third quarter of 2023, but has since pivoted exclusively to Pikabot. Read more.


Want more articles? Check out the previous edition of Security Signals. Want to learn more about Comparing Protection Mechanisms? Visit Malware Patrol's blog post: Comparing Protection Mechanisms.


InfoSec Articles (12/19/23 – 01/02/24)


Threat Actors Exploit CVE-2017-11882 To Deliver Agent Tesla

Source: Zscaler

Threat actors strategically utilize words like “orders” and “invoices” in spam emails to encourage users to download malicious attachments containing CVE-2017-11882. Threat actors include a VBS file in their infection chain to add a layer of complexity to analysis and deobfuscation attempts. Threat actors use the RegAsm.exe file to carry out malicious activities under the guise of a genuine operation. Read more.

Malware leveraging public infrastructure like GitHub on the rise

Source: ReversingLabs

Here are two novel techniques deployed on GitHub that were discovered by ReversingLabs. The first abuses GitHub Gists, and the second issues commands through git commit messages. Read more.

BlackCat Rises: Infamous Ransomware Gang Defies Law Enforcement

Source: Infosecurity Magazine

Despite law enforcement efforts to take down the notorious ALPHV/BlackCat ransomware gang, the cybercriminals are not going down without a fight. Latest developments have shown that the site that was supposedly ‘taken down’ by the FBI has now been ‘unseized.’ Read more.

Behind the Scenes of Matveev’s Ransomware Empire: Tactics and Team

Source: The Hacker News

Matveev is said to lead a team of six penetration testers – 777, bobr.kurwa, krbtgt, shokoladniy_zayac, WhyNot, and dushnila – to execute the attacks. The group has a flat hierarchy, fostering better collaboration between the members. Read more.

Seedworm: Iranian Hackers Target Telecoms Orgs in North and East Africa

Source: Symantec

The attackers used a variety of tools in this activity, which occurred in November 2023, including leveraging the MuddyC2Go infrastructure, which was recently discovered and documented by Deep Instinct. Researchers on Symantec’s Threat Hunter Team, part of Broadcom, found a MuddyC2Go PowerShell launcher in the activity we investigated. Read more.

Millions of Xfinity customers’ info, hashed passwords feared stolen in cyberattack

Source: The Register

Millions of Comcast Xfinity subscribers’ personal data – including potentially their usernames, hashed passwords, contact details, and secret security question-answers – was likely stolen by one or more miscreants exploiting Citrix Bleed in October. Read more.

Cybercrooks Leveraging Anti Automation Toolkit for Phishing Campaigns

Source: Trellix

Trellix Advanced Research Center has tracked abuse of one more such tool used for quite some time now. Predator, a tool designed to combat bots and web crawlers, can distinguish web requests originating from automated systems, bots, or web crawlers. Read more.


Want more articles? Check out the previous edition of Security Signals. Want to learn more about cyber security defense? Check out the Malware Patrol blog post: Threat Intelligence: Essential For Your Cyber Defenses.


InfoSec Articles (12/05/23 – 12/19/23)


QakBot Malware Resurfaces with New Tactics, Targeting the Hospitality Industry

Source: The Hacker News

A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its command-and-control (C2) network. Read more.

PikaBot distributed via malicious search ads

Source: Malwarebytes LABS

In the past few days, researchers including ourselves have observed PikaBot, a new malware family that appeared in early 2023, distributed via malvertising. PikaBot was previously only distributed via malspam campaigns, similar to QakBot, and emerged as one of the preferred payloads for a threat actor known as TA577. Read more.

Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol

Source: SECURE LIST

The malware utilizes NKN technology for data exchange between peers, functioning as a potent implant, and equipped with both flooder and backdoor capabilities. Read more.

Rhadamanthys v0.5.0 – A Deep Dive into the Stealer’s Components

Source: CHECKPOINT RESEARCH

In this article we do a deep dive into the functionality and cooperation between the modules. The first part of the article describes the loading chain that is used to retrieve the package with the stealer components. In the second part, we take a closer look at those components, their structure, abilities, and implementation. Read more.

Chinese APT Volt Typhoon Linked to Unkillable SOHO Router Botnet

Source: SECURITY WEEK

Malware hunters in the United States have set eyes on an impossible-to-kill botnet packed with end-of-life SOHO routers serving as a covert data transfer network for Volt Typhoon, a Chinese government-backed hacking group previously caught targeting US critical infrastructure. Read more.

Gaza Cybergang | Unified Front Targeting Hamas Opposition

Source: SentinelLABS

SentinelLabs’ analysis reinforces the suspected ties between Gaza Cybergang and WIRTE, historically considered a distinct cluster with loose relations to the Gaza Cybergang. Read more.

Rhysida Ransomware

Source: ShadowStackRE

On December 12th, 2023, Rhysida claimed to have penetrated and encrypted Insomniac Games from Burbank, California. The studio, founded in 1994 and currently owned by Sony Interactive Entertainment, has been responsible for such hits as the recently released ‘Marvel’s Spider-man’ series and the ‘Ratchet & Clank’ series. Read more.
