InfoSec Articles (08/13/24 – 08/27/24)

Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Researchers Identify Over 20 Supply Chain Vulnerabilities in MLOps Platforms

Source: The Hacker News

These vulnerabilities, which are described as inherent- and implementation-based flaws, could have severe consequences, ranging from arbitrary code execution to loading malicious datasets. Read more.

Newly Discovered Group Offers CAPTCHA-Solving Services to Cybercriminals

Source: Infosecurity Magazine

ACTIR described Greasy Opal’s CAPTCHA-bypassing tool as an easy, fast, and flexible tool for the automatic recognition of a wide array of CAPTCHAs. Greasy Opal’s tool boasts a 10-time faster efficiency than typical CAPTCHA-solving solutions, such as AntiGate (Anti-Captcha), RuCaptcha or DeCaptcher. Read more.


PEAKLIGHT: Decoding the Stealthy Memory-Only Malware

Source: Google Mandiant

Mandiant identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT. Read more.

China-Nexus Threat Group ‘Velvet Ant’ Leverages a Zero-Day to Deploy Malware on Cisco Nexus Switches

Source: Sygnia

The modus-operandi of ‘Velvet Ant’ highlights risks and questions regarding third-party appliances and applications that organizations onboard. Due to the ‘black box’ nature of many appliances, each piece of hardware or software has the potential to turn into the attack surface that an adversary is able to exploit. Read more.

PG_MEM: A Malware Hidden in the Postgres Processes

Source: Aqua

Aqua Nautilus researchers have uncovered PG_MEM, a new PostgreSQL malware, that brute forces its way into PostgreSQL databases, delivers payloads to hide its operations, and mines cryptocurrency. Read more.

Qilin ransomware caught stealing credentials stored in Google Chrome

Source: Sophos

During a recent investigation of a Qilin ransomware breach, the Sophos X-Ops team identified attacker activity leading to en masse theft of credentials stored in Google Chrome browsers on a subset of the network’s endpoints – a credential-harvesting technique with potential implications far beyond the original victim’s organization. Read more.

MSC file distribution exploiting Amazon services

Source: ASEC

Recently, ASEC (AhnLab SECURITY INTELLIGENCE CENTER) confirmed that malicious MSC files exploiting Amazon services are being distributed. The MSC extension is characterized by its XML file format structure and is executed by MMC (Microsoft Management Console). Read more.

MoonPeak malware from North Korean actors unveils new details on attacker infrastructure

Source: Cisco Talos

This campaign consists of distributing a variant of the open-source XenoRAT malware we’re calling “MoonPeak,” a remote access trojan (RAT) being actively developed by the threat actor. Analysis of XenoRAT against MoonPeak malware samples we’ve discovered so far illustrates the evolution of the malware family after it was forked by the threat actors. Read more.

Ailurophile: New Infostealer sighted in the wild

Source: G Data

We discovered a new stealer in the wild called “Ailurophile Stealer”. The stealer is coded in PHP and the source code indicates potential Vietnamese origins. It is available for purchase through a subscription model via its own webpage. Through the website’s web panel, its customers are provided the ability to customize and generate malware stubs. Read more.

Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset

Source: Cisco Talos

The lure purported to invite the target to be a guest on a podcast hosted by ISW. After receiving a response from the target (outside of Proofpoint visibility), TA453 replied with a DocSend URL. The DocSend URL was password protected and led to a text file that contained a URL to the legitimate ISW Podcast being impersonated by TA453. Read more.

Want more articles? Check out the previous edition of Security Signals.

InfoSec Articles (07/30/24 – 08/13/24)

Bucket Monopoly: Breaching AWS Accounts Through Shadow Resources

Source: Aqua

These vulnerabilities could have impacted any organization in the world that has ever used any of these services. In this blog, we thoroughly explain the “Shadow Resource” attack vector, which may lead to resource squatting, and the “Bucket Monopoly” technique that dramatically increases the success rate of an attacker. Read more.

Vulnerability in Windows Driver Leads to System Crashes

Source: Infosecurity Magazine

This issue, identified by Fortra cybersecurity researcher, Ricardo Narvaja, highlights a flaw that could allow an unprivileged user to cause a system crash, resulting in Blue Screen of Death (BSOD). Read more.


A Dive into Earth Baku’s Latest Campaign

Source: Trend Micro

The group uses public-facing applications such as IIS servers as entry points, deploying advanced malware toolsets such as the Godzilla webshell, StealthVector, StealthReacher, and SneakCross. Read more.

Unmasking the Overlap Between Golddigger and Gigabud Android Malware

Source: Cyble

Gigabud is now using sophisticated phishing tactics, distributing its malware by disguising it as legitimate airline applications. These fake apps are being circulated through phishing sites that closely mimic the official Google Play Store, aiming to deceive unsuspecting users. Read more.

The i-Soon-Leaks: Industrialization of Cyber Espionage

Source: BfV

The internal documents show the extent of cooperation between the Chinese cybersecurity company i-Soon and the Chinese government and intelligence services. In four consecutive reports BfV examines the leak in detail and describes the level of industrialization of cyber espionage activities by privately organized companies, who carry out cyber-attacks for state entities. Read more.

Double Trouble: Latrodectus and ACR Stealer observed spreading via Google Authenticator Phishing Site

Source: Cyble

The phishing site’s primary goal is to deceive users into downloading a file that purports to be Google Authenticator. In reality, this file is a malicious application designed to install additional malicious software on the victim’s system. The malicious file drops two distinct types of malware: Latrodectus and ACR Stealer. Read more.

Botnet 7777: Are You Betting on a Compromised Router?

Source: Team Cymru

Identification of a potential expansion of the Quad7 threat operator’s modus operandi to include a second tranche of bots, characterized by an open port 63256. The port 63256 botnet appears to be comprised mainly of infected Asus routers. Read more.

Thousands of Devices Wiped Remotely Following Mobile Guardian Hack

Source: Security Week

According to the company, which specializes in MDM solutions for the education sector, it detected unauthorized access to its platform on August 4. In response to the intrusion, servers were shut down to contain the incident and prevent further disruption. The incident involved unauthorized access to iOS and Chrome OS devices enrolled in the Mobile Guardian platform. Read more.

Google warns of an actively exploited Android kernel flaw

Source: Security Affairs

Google fixed a high-severity flaw, tracked as CVE-2024-36971, impacting the Android kernel. The IT giant is aware that the vulnerability has been actively exploited in the wild. The company did not share details of the attacks exploiting this vulnerability. The vulnerability is a remote code execution impacting the kernel. Read more.

APT41 likely compromised Taiwanese government-affiliated research institute with ShadowPad and Cobalt Strike

Source: Cisco Talos

The activity conducted on the victim endpoint matches the hacking group APT41, alleged by the U.S. government to be comprised of Chinese nationals. Talos assesses with medium confidence that the combined usage of malware, open-source tools and projects, procedures and post-compromise activity matches this group’s usual methods of operation. Read more.

InfoSec Articles (07/16/24 – 07/30/24)

Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption

Source: Microsoft

The vulnerability, identified as CVE-2024-37085, involves a domain group whose members are granted full administrative access to the ESXi hypervisor by default without proper validation. Read more.

“EchoSpoofing” — A Massive Phishing Campaign Exploiting Proofpoint’s Email Protection to Dispatch Millions of Perfectly Spoofed Emails

Source: Guardio

Dubbed “EchoSpoofing”, this issue allowed threat actors to dispatch millions of perfectly spoofed phishing emails, leveraging Proofpoint’s customer base of well-known companies and brands such as Disney, IBM, Nike, Best Buy, and Coca-Cola. Read more.


Malicious Python Package Targets macOS Developers To Access Their GCP Accounts

Source: Checkmarx

A package called “lr-utils-lib” was uploaded to PyPi in early June 2024, containing malicious code that executes automatically upon installation. The malware uses a list of predefined hashes to target specific macOS machines and attempts to harvest Google Cloud authentication data. The harvested credentials are sent to a remote server. Read more.

WhatsApp for Windows lets Python, PHP scripts execute with no warning

Source: BLEEPING COMPUTER

A security issue in the latest version of WhatsApp for Windows allows sending Python and PHP attachments that are executed without any warning when the recipient opens them. For the attack to be successful, Python needs to be installed, a prerequisite that may limit the targets to software developers, researchers, and power users. Read more.

5 ways threat actors are taking advantage of the CrowdStrike outage

Source: SC Media

The CrowdStrike outage incident exposed both widespread security shortcomings across organizations and the ruthless, opportunistic nature of cybercriminals in the wake of a worldwide disaster. Read more.

Six-day, 14.7 Million RPS Web DDoS Attack Campaign Attributed to SN_BLACKMETA

Source: Radware

This year has been marked by a record-breaking six-day attack campaign consisting of multiple four to 20-hour Web DDoS waves, amounting to a total of 100 hours of attack time and sustaining an average of 4.5 million RPS with a peak of 14.7 million RPS. Read more.

APT45: North Korea’s Digital Military Machine

Source: Google Cloud

APT45 has gradually expanded into financially-motivated operations, and the group’s suspected development and deployment of ransomware sets it apart from other North Korean operators. Read more.

Stargazers Ghost Network

Source: Check Point Research

Check Point Research identified a network of GitHub accounts (Stargazers Ghost Network) that distribute malware or malicious links via phishing repositories. The network consists of multiple accounts that distribute malicious links and malware and perform other actions such as starring, forking, and subscribing to malicious repositories to make them appear legitimate. Read more.

Daggerfly: Espionage Group Makes Major Update to Toolset

Source: Symantec

Among the new additions to Daggerfly’s arsenal are a new malware family based on the group’s MgBot modular malware framework and a new version of the Macma macOS backdoor. Read more.

Novel ICS Malware Sabotaged Water-Heating Services in Ukraine

Source: DARK READING

The malware, dubbed FrostyGoop by researchers at Dragos who discovered it, is the first known malware that lets threat actors interact directly with operational technology (OT) systems via Modbus, a widely used communication protocol in ICS environments. Read more.

InfoSec Articles (07/02/24 – 07/16/24)

AT&T Data Breach: ‘Nearly All’ Wireless Customers Exposed in Massive Hack

Source: SECURITY WEEK

AT&T on Friday said almost all its wireless subscribers were exposed in a massive hack that occurred between April 14 and April 25, 2024, where a hacker exfiltrated files containing “records of customer call and text interactions” between approximately May 1 and October 31, 2022, as well as on January 2, 2023. Read more.

Disney’s Internal Slack Breached? NullBulge Leaks 1.1 TiB of Data

Source: HACK READ

A self-proclaimed hacktivist group named NullBulge, aiming to “protect artists’ rights and ensure fair compensation for their work,” claims to have breached Disney and leaked 1.1 TiB (1.2 TB) of the company’s internal Slack infrastructure. These claims were posted on the notorious cybercrime and hacker platform Breach Forums on July 12, 2024. Read more.


Malware that is ‘not ransomware’ wormed its way through Fujitsu Japan’s systems

Source: The Register

Fujitsu’s description of the unnamed malware made it sound as though it was wormable. After infecting the first machine, it later spread to 48 other business computers, all localized to its internal Japan network. Read more.

Microsoft Employees Data Leaked Online Via Third-Party Data Breach | Exclusive!

Source: Cyber Press

The Cyber Press Research Team uncovered a data leak file that exposed the personal and professional information of 2,073 Microsoft employees obtained from Microsoft’s third-party vendor data breach. A threat actor named @888, which is actively leaking data in underground forums, leaked the Microsoft employees’ data today and claimed it was a third-party breach. Read more.

Ransomware attack on blood-testing service puts lives in danger in South Africa

Source: Bitdefender

On June 22, the BlackSuit ransomware group hit NHLS, leaving it unable to process millions of blood tests. This means serious conditions have been left undiagnosed and lives endangered. This included details of tests that screened for diseases like tuberculosis and HIV/AIDS, as well as the mpox (also known as monkeypox) outbreak that is currently impacting parts of Africa. Read more.

People’s Republic of China (PRC) Ministry of State Security APT40 Tradecraft in Action

Source: CISA

Notably, APT40 possesses the capability to rapidly transform and adapt exploit proof-of-concept(s) (POCs) of new vulnerabilities and immediately utilize them against target networks possessing the infrastructure of the associated vulnerability. Read more.

Decrypted: DoNex Ransomware and its Predecessors

Source: DECODED avast.io

The DoNex ransomware has been rebranded several times. The first brand, called Muse, appeared in April 2022. Multiple evolutions followed, resulting in the final version of the ransomware, called DoNex. Read more.

Coyote Banking Trojan Targets LATAM with a Focus on Brazilian Financial Institutions

Source: BlackBerry

Coyote is a .NET banking Trojan that has been observed targeting Brazilian financial institutions, primarily banks. It has an execution chain that clearly distinguishes it from other banking Trojans. First identified by researchers in February 2024, Coyote got its name due to the fact it abuses Squirrel, a valid non-malicious software to manage the installation and update of Windows applications. Read more.

Exploring Compiled V8 JavaScript Usage in Malware

Source: CHECK POINT RESEARCH

In recent months, CPR has been investigating the usage of compiled V8 JavaScript by malware authors. Compiled V8 JavaScript is a lesser-known feature in V8, Google’s JavaScript engine, that enables the compilation of JavaScript into low-level bytecode. This technique assists attackers in evading static detections and hiding their original source code, rendering it almost impossible to analyze statically. Read more.

Distribution of AsyncRAT Disguised as Ebook

Source: ASEC

The compressed file disguised as an ebook contains a malicious LNK file disguised with a compressed file icon, a text file containing a malicious PowerShell script, additional compressed files disguised with a video file extension, and a normal ebook file. The LNK file contains malicious commands and reads the RM.TXT file containing the PowerShell script to execute it. Read more.

InfoSec Articles (06/18/24 – 07/02/24)

Microsoft Alerts More Users in Update to Midnight Blizzard Hack

Source: GBHackers

Microsoft has issued a new alert to its users, updating them on the continued threat posed by Midnight Blizzard, a Russian state-sponsored hacking group also known as NOBELIUM. Read more.

Remote access giant TeamViewer says Russian spies hacked its corporate network

Source: TechCrunch

In a statement Friday, the company attributed the compromise to government-backed hackers working for Russian intelligence, known as APT29 (and Midnight Blizzard). Read more.

New InnoSetup Malware Created Upon Each Download Attempt

Source: ASEC

Unlike past malware which performed malicious behaviors immediately upon being executed, this malware displays an installer UI and malicious behaviors are executed upon clicking buttons during the installation process. Read more.

Polyfill Supply Chain Attack Hits Over 100k Websites

Source: SECURITY WEEK

On Tuesday, security researchers at Sansec and C/side confirmed that the cdn.polyfill.io domain is injecting malicious code into more than 100,000 websites that are using it. Read more.

Medusa Reborn: A New Compact Variant Discovered

Source: Cleafy

Analysing the evolution of Medusa samples over the past few months, it is clear that TAs aim to enhance the efficiency of the available features while simultaneously strengthening the botnet by refactoring the permissions required during the installation phase. Read more.

UAC-0184 Abuses Python in DLL Sideloading for XWORM Distribution

Source: CYBLE

CRIL recently observed a malware campaign targeting Ukraine using the Remote Access Trojan (RAT) known as XWorm. Upon investigation, it was found that this campaign is associated with the Threat Actor (TA) group UAC-0184. Read more.

New security loophole allows spying on internet users visiting websites and watching videos

Source: Tech Xplore

No malicious code is required to exploit this vulnerability, known as “SnailLoad,” and the data traffic does not need to be intercepted. All types of end devices and internet connections are affected. Read more.

Cyber attack compromised Indonesia data centre, ransom sought

Source: Reuters

A cyber attacker compromised Indonesia’s national data centre, disrupting immigration checks at airports, and asked for an $8 million ransom, the country’s communications minister told Reuters on Monday. Read more.

CDK Global outage caused by BlackSuit ransomware attack

Source: BLEEPING COMPUTER

The negotiations come after the BlackSuit ransomware attack forced CDK to shut down its IT systems and data centers to prevent the attack’s spread, including its car dealership platform. The company tried restoring services on Wednesday but suffered a second cybersecurity incident, causing it to shut down all IT systems again. Read more.

Fickle Stealer Distributed via Multiple Attack Chain

Source: FORTINET

In May 2024, FortiGuard Labs observed a Rust-based stealer. In addition to its intricate code, the stealer is distributed using a variety of strategies and has a flexible way of choosing its target. Because of this ambiguity, we decided to call it Fickle Stealer. Read more.

InfoSec Articles (06/04/24 – 06/18/24)

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

Source: Krebs on Security

A 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered Spider, a cybercrime group suspected of hacking into Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations over the past two years. Read more.

New ARM ‘TIKTAG’ attack impacts Google Chrome, Linux systems

Source: BLEEPING COMPUTER

A new speculative execution attack named “TIKTAG” targets ARM’s Memory Tagging Extension (MTE) to leak data with over a 95% chance of success, allowing hackers to bypass the security feature. Read more.

Dipping into Danger: The WARMCOOKIE backdoor

Source: Elastic Security Labs

WARMCOOKIE appears to be an initial backdoor tool used to scout out victim networks and deploy additional payloads. Each sample is compiled with a hard-coded C2 IP address and RC4 key. Read more.

Operation Celestial Force employs mobile and desktop malware to target Indian entities

Source: CISCO TALOS

Cisco Talos is disclosing a new malware campaign called “Operation Celestial Force” running since at least 2018. It is still active today, employing the use of GravityRAT, an Android-based malware, along with a Windows-based malware loader we track as “HeavyLift.” Read more.

Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day

Source: Symantec

The Cardinal cybercrime group (aka Storm-1811, UNC4393), which operates the Black Basta ransomware, may have been exploiting a recently patched Windows privilege escalation vulnerability as a zero-day. Read more.

QR code SQL injection and other vulnerabilities in a popular biometric terminal

Source: SECURELIST

Biometric terminals are quite an intriguing target for a pentester. Vulnerabilities in these devices, positioned at the nexus of the physical and network perimeters, pose risks that can be considered when analyzing the security of both these perimeters. Read more.

SSLoad Malware Employs MSI Installer To Kick-Start Delivery Chain

Source: GBHackers

Malware distributors use MSI installers as Windows OS already trusts them to run with administrative rights by bypassing security controls. For this reason, MSI files are a convenient means of spreading ransomware, spyware, and other malware that can be passed off as genuine software installations. Read more.

Vietnamese Entities Targeted by China-Linked Mustang Panda in Cyber Espionage

Source: CYBLE

Cyble Research and Intelligence Labs (CRIL) recently came across a campaign employing Windows shortcut (LNK) files associated with the Mustang Panda APT group. Read more.

New Agent Tesla Campaign Targeting Spanish-Speaking People

Source: FORTINET

In-depth research on this campaign shows that it also leverages multiple techniques to deliver the Agent Tesla core module, such as using known MS Office vulnerabilities, JavaScript code, PowerShell code, fileless modules, and more, to protect itself from being analyzed by security researchers. Read more.

Hundreds of Websites Targeted by Fake Google Chrome Update Pop-Ups

Source: SUCURI Blog

The infection process for this new fake browser update campaign begins with the injection of malicious code into vulnerable websites. Once the website is compromised, visitors are presented with the following misleading popup message a few seconds after the webpage loads. Read more.

InfoSec Articles (05/21/24 – 06/04/24)

FlyingYeti Targets Ukraine Using WinRAR Exploit to Deliver COOKBOX Malware

Source: Security Affairs

The FlyingYeti campaign exploited this anxiety by using debt-themed lures to trick targets into opening malicious links embedded in the messages. Upon opening the files, the PowerShell malware COOKBOX infects the target system, allowing the attackers to deploy additional payloads and gain control over the victim’s system. Read more.

DDoS-as-a-Service: The Rebirth Botnet

Source: Sysdig

Upon investigation, we discovered that the domain pertains to a mature and increasingly popular DDoS-as-a-Service botnet. The service is based on the Mirai malware family, and the operators advertise its services through Telegram and an online store (rebirthltd.mysellix[.]io). Read more.

CISA Alerts Federal Agencies to Patch Actively Exploited Linux Kernel Flaw

Source: The Hacker News

Tracked as CVE-2024-1086 (CVSS score: 7.8), the high-severity issue relates to a use-after-free bug in the netfilter component that permits a local attacker to elevate privileges from a regular user to root and possibly execute arbitrary code. Read more.

LilacSquid: The stealthy trilogy of PurpleInk, InkBox and InkLoader

Source: CISCO TALOS

This campaign leverages vulnerabilities in public-facing application servers and compromised remote desktop protocol (RDP) credentials to orchestrate the deployment of a variety of open-source tools, such as MeshAgent and SSF, alongside customized malware, such as “PurpleInk,” and two malware loaders we are calling “InkBox” and “InkLoader.” Read more.

PyPI crypto-stealer targets Windows users, revives malware campaign

Source: Sonatype

Sonatype has discovered ‘pytoileur’, a malicious PyPI package hiding code that downloads and installs trojanized Windows binaries capable of surveillance, achieving persistence, and crypto-theft. Our discovery of the malware led us to probe into similar packages that are part of a wider, months-long “Cool package” campaign. Read more.

Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks

Source: Microsoft Security

Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a fully functional malicious game, and deliver a new custom ransomware. Read more.

2.8 Million Impacted by Data Breach at Prescription Services Firm Sav-Rx

Source: SECURITY WEEK

The compromised information includes names, addresses, dates of birth, email addresses, phone numbers, Social Security numbers, eligibility data, and insurance identification numbers. No clinical or financial information was compromised in the attack. Read more.

Static Unpacking for the Widespread NSIS-based Malicious Packer Family

Source: CHECK POINT RESEARCH

The advantage for cybercriminals in using NSIS is that it allows them to create samples that, at first glance, are indistinguishable from legitimate installers. As NSIS performs compression on its own, malware developers do not need to implement compression and decompression algorithms. Read more.

Hackers Exploiting Arc Browser Popularity with Malicious Google Search Ads

Source: Cyber Security News

A search for “arc installer” or “arc browser windows” resulted in the following two ads being shown. [Figure: Fake Arc Browser Ad] Using Google’s Ad Transparency Center I connected them to the following advertiser from Ukraine. Read more.

Beware of HTML Masquerading as PDF Viewer Login Pages

Source: Forcepoint

One such method that has gained prominence involves phishing emails that masquerade as PDF viewer login pages. These deceptive emails lure unsuspecting users into entering their email addresses and passwords, compromising their online security. Read more.

InfoSec Articles (05/07/24 – 05/21/24)

AWS Route 53 DNS Resolver Firewall

Source: Malware Patrol

Amazon Route 53 is a Domain Name System (DNS) service that connects user requests to Internet applications running on AWS or on-premises. Among the features this service offers is protection via the Route 53 Resolver DNS Firewall. It allows the use of AWS Managed Domain Lists, as well as custom Domain Lists (outside sources or your own). Read more.

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

Source: Security Intelligence

Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. Read more.

New Threat Insights Reveal That Cybercriminals Increasingly Target the Pharmacy Sector

Source: Proofpoint

At a taxonomy department level, “pharmacy” job roles advanced from the number 35 rank in the per-user attack index average in 2023 to the top spot in the per-user attack index average in Q1 2024. VIP job roles rank second, while finance services roles rank fourth. Read more.

New Antidot Android Banking Trojan Masquerading as Fake Google Play Updates

Source: CYBLE

Antidot incorporates a range of malicious features, including overlay attacks and keylogging, allowing it to compromise devices and harvest sensitive information. Read more.

Payload Trends in Malicious OneNote Samples

Source: UNIT42

Our analysis of roughly 6,000 malicious OneNote samples from WildFire reveals that these samples have a phishing-like theme where attackers use one or more images to lure people into clicking or interacting with OneNote files. The interaction then executes an embedded malicious payload. Read more.

Threat actors misusing Quick Assist in social engineering attacks leading to ransomware

Source: Microsoft Security

The observed activity begins with impersonation through voice phishing (vishing), followed by delivery of malicious tools, including remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, malware like Qakbot, Cobalt Strike, and ultimately Black Basta ransomware. Read more.

FBI seize BreachForums hacking forum used to leak stolen data

Source: BLEEPING COMPUTER

The website is now displaying a message stating that the FBI has taken control over it and the backend data, indicating that law enforcement seized both the site’s servers and domains. Read more.

Foxit PDF “Flawed Design” Exploitation

Source: CHECK POINT

Check Point Research has identified an unusual pattern of behavior involving PDF exploitation, mainly targeting users of Foxit Reader. This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands. Check Point Research has observed variants of this exploit being actively utilized in the wild. Read more.

Hackers Use DNS Tunneling to Scan and Track Victims

Source: Infosecurity Magazine

“In this application of DNS tunneling, an attacker’s malware embeds information on a specific user and that user’s actions into a unique subdomain of a DNS query. This subdomain is the tunneling payload, and the DNS query for the fully qualified domain name (FQDN) uses an attacker-controlled domain,” the blog explained. Read more.

Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain

Source: welivesecurity

Among the victims are many hosting providers. The gang leverages its access to the hosting provider’s infrastructure to install Ebury on all the servers that are being rented by that provider. As an experiment, we rented a virtual server from one of the compromised hosting providers: Ebury was installed on our server within seven days. Read more.


InfoSec Articles (04/23/24 – 05/07/24)


Tunnel Vision: Looking Out for Malicious Tunneling Use

Source: Malware Patrol

Offering a cloak of anonymity and encrypted pathways, these services have emerged as an option that allows attackers to obfuscate their activities and bypass conventional security measures. In this blog, we will explain how they work, explore the types of cyber threats they enable, and provide some mitigation strategies to fortify your defenses against them. Read more.

Dirty Stream Attack Poses Billions of Android Installs at Risk

Source: Security Affairs

The IT giant describes Dirty Stream as an attack pattern, linked to path traversal, that affects various popular Android apps. The technique allows a malicious app to overwrite files in the vulnerable app’s home directory, potentially leading to arbitrary code execution and the theft of tokens. Read more.

Android bug leaks DNS queries even when VPN kill switch is enabled

Source: BLEEPING COMPUTER

A Mullvad VPN user has discovered that Android devices leak DNS queries when switching VPN servers even though the “Always-on VPN” feature was enabled with the “Block connections without VPN” option. Read more.

Hackers Target New NATO Member Sweden with Surge of DDoS Attacks

Source: Infosecurity Magazine

Sweden has faced a wave of distributed denial of service (DDoS) attacks since it started the process of joining NATO, according to network performance management provider Netscout. Read more.

Pakistani APTs Escalate Attacks on Indian Gov.

Source: SEQRITE

India is one of the most targeted countries in the cyber threat landscape where not only Pakistan-linked APT groups like SideCopy and APT36 (Transparent Tribe) have targeted India but also new spear-phishing campaigns such as Operation RusticWeb and FlightNight have emerged. Read more.

New Cuttlefish malware infects routers to monitor traffic for credentials

Source: BLEEPING COMPUTER

Lumen Technologies’ Black Lotus Labs examined the new malware and reports that Cuttlefish creates a proxy or VPN tunnel on the compromised router to exfiltrate data discreetly while bypassing security measures that detect unusual sign-ins. Read more.

Ex-NSA Employee Sentenced to 22 Years for Trying to Sell U.S. Secrets to Russia

Source: The Hacker News

Despite his short tenure at the intelligence agency, Dalke is said to have made contact with a person he thought was a Russian agent sometime between August and September of that year. In reality, the person was an undercover agent working for the Federal Bureau of Investigation (FBI). Read more.

JFrog Security research discovers coordinated attacks on Docker Hub that planted millions of malicious repositories

Source: JFrog

In this blog post, we reveal three large-scale malware campaigns we’ve recently discovered, targeting Docker Hub, that planted millions of “imageless” repositories with malicious metadata. These are repositories that do not contain container images (and as such cannot be run in a Docker engine or Kubernetes cluster) but instead contain metadata that is malicious. Read more.

A Cunning Operator: Muddling Meerkat and China’s Great Firewall

Source: Infoblox

This paper introduces a perplexing actor, Muddling Meerkat, who appears to be a People’s Republic of China (PRC) nation state actor. Muddling Meerkat conducts active operations through DNS by creating large volumes of widely distributed queries that are subsequently propagated through the internet using open DNS resolvers. Read more.

From IcedID to Dagon Locker Ransomware in 29 Days

Source: The DFIR Report

This intrusion started in August 2023 with a phishing campaign that distributed IcedID malware. This phishing operation utilized the Prometheus Traffic Direction System (TDS) to deliver the malware. Victims were directed to a fraudulent website, mimicking an Azure download portal. Read more.

Want to learn more about Threat Actors? Visit Malware Patrol's Threat Actor Profile Page.

InfoSec Articles (04/09/24 – 04/23/24)


Justice Department Seizes Four Web Domains Used to Create Over 40,000 Spoofed Websites and Store the Personal Information of More Than a Million Victims

Source: Office of Public Affairs

According to court records, the United States obtained authorization to seize the domains as part of an investigation of the spoofing service operated through the Lab-host.ru domain (LabHost), which resolves to a Russian internet infrastructure company. Read more.

Akira takes in $42 million in ransom payments, now targets Linux servers

Source: SC Media

CISA said the advisory’s main goal was to help organizations mitigate these attacks by disseminating known Akira ransomware tactics, techniques and procedures, as well as indicators of compromise identified through FBI investigations as recent as February 2024. Read more.

Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials

Source: CISCO TALOS

Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions. The traffic related to these attacks has increased with time and is likely to continue to rise. Read more.

United Nations agency investigates ransomware attack, data theft

Source: BLEEPING COMPUTER

While the UN agency has yet to link the attack to a specific threat group, the 8Base ransomware gang added a new UNDP entry to its dark web data leak website on March 27. The attackers say that the documents their operators managed to exfiltrate during the breach contain large amounts of sensitive information. Read more.

Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack

Source: The Hacker News

The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as “intricate” and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software. Read more.

Malvertising campaign targeting IT teams with MadMxShell

Source: Zscaler

The newly discovered backdoor uses several techniques such as multiple stages of DLL sideloading, abusing the DNS protocol for communicating with the command-and-control (C2) server, and evading memory forensics security solutions. We named this backdoor “MadMxShell” for its use of DNS MX queries for C2 communication and its very short interval between C2 requests. Read more.

OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal

Source: CISCO TALOS

Eventually, we discovered over 100 uploaded documents with potentially confidential information about government and police activities in Ukraine. The analysis of the code showed unexpected results – instead of lures used by advanced actors, the uploaded documents were infected with a multi-component VBA macro virus OfflRouter, created in 2015. Read more.

SoumniBot: the new Android banker’s unique techniques

Source: SECURE LIST

That said, we recently discovered a new banker, SoumniBot, which targets Korean users and is notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest. Read more.

Widely-Used PuTTY SSH Client Found Vulnerable to Key Recovery Attack

Source: The Hacker News

The maintainers of the PuTTY Secure Shell (SSH) and Telnet client are alerting users of a critical vulnerability impacting versions from 0.68 through 0.80 that could be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys. Read more.

Cisco Duo warns third-party data breach exposed SMS MFA logs

Source: BLEEPING COMPUTER

Cisco Duo’s security team warns that hackers stole some customers’ VoIP and SMS logs for multi-factor authentication (MFA) messages in a cyberattack on their telephony provider. Read more.


InfoSec Articles (03/26/24 – 04/09/24)


Oxycorat Android RAT Spotted On Dark Web Stealing Wi-Fi Passwords

Source: GBHackers

According to the details, the RAT includes a file manager, an SMS manager, and a wallet stealer, which could give attackers access to sensitive financial information. Read more.

Over 92,000 Internet-Facing D-Link NAS Devices Can Be Easily Hacked

Source: Security Affairs

A researcher who goes online with the moniker ‘Netsecfish’ disclosed a new arbitrary command injection and hardcoded backdoor flaw, tracked as CVE-2024-3273, that impacts multiple end-of-life D-Link Network Attached Storage (NAS) device models. Read more.

The Illusion of Privacy: Geolocation Risks In Modern Dating

Source: CHECKPOINT RESEARCH

Despite safety measures, the Hornet dating app (a popular gay dating app with over 10 million downloads) had vulnerabilities, allowing precise location determination, even if users disabled the display of their distances. In reproducible experiments, we achieved location accuracy within 10 meters. Read more.

New Red Ransomware Group (Red CryptoApp) Exposes Victims on Wall of Shame

Source: HACK READ

A new ransomware group, Red CryptoApp (Red Ransomware Group), is shaking things up. Unlike others, they humiliate victims by publishing their names on a “wall of shame.” Learn how Red CryptoApp targets victims, what industries are at risk, and how to protect yourself. Read more.

Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack

Source: BLEEPING COMPUTER

The U.S. Department of Homeland Security’s Cyber Safety Review Board (CSRB) has released a scathing report on how Microsoft handled its 2023 Exchange Online attack, warning that the company needs to do better at securing data and be more truthful about how threat actors stole an Azure signing key. Read more.

Threat Actors Deliver Malware via YouTube Video Game Cracks

Source: Proofpoint

Proofpoint Emerging Threats has observed information stealer malware including Vidar, StealC, and Lumma Stealer being delivered via YouTube in the guise of pirated software and video game cracks. Read more.

Unpatched Vulnerabilities: The Most Brutal Ransomware Attack Vector

Source: SOPHOS

This report highlights how ransomware outcomes differ depending on the root cause of the attack. It compares the severity, financial cost, and operational impact of attacks that start with an exploited vulnerability with those where adversaries use compromised credentials to penetrate the organization. Read more.

Attackers Almost Backdoored Most Linux OSes Worldwide with Supply Chain Attack that Took Years to Set Up

Source: Bitdefender

This leads us to February 2024, when Jia Tan submitted patches for two XZ Utils versions, 5.6.0 and 5.6.1, which actually introduced a backdoor. The attackers could connect via the SSH protocol into a machine and skip the authentication process, giving them full access. Read more.

Mind the Patch Gap: Exploiting an io_uring Vulnerability in Ubuntu

Source: EXODUS INTELLIGENCE

This post discusses a use-after-free vulnerability, CVE-2024-0582, in io_uring in the Linux kernel. Despite the vulnerability being patched in the stable kernel in December 2023, it wasn’t ported to Ubuntu kernels for over two months, making it an easy 0day vector in Ubuntu during that time. Read more.

New Darcula phishing service targets iPhone users via iMessage

Source: BLEEPING COMPUTER

One thing that makes the service stand out is that it approaches the targets using the Rich Communication Services (RCS) protocol for Google Messages and iMessage instead of SMS for sending phishing messages. Read more.


InfoSec Articles (03/12/24 – 03/26/24)


Microsoft Warns of New Tax Returns Phishing Scams Targeting You

Source: HACK READ

New and sophisticated tax phishing scams are targeting taxpayers, warns Microsoft. These scams impersonate trusted sources and use urgency tactics to steal personal and financial data. Read more.

Bringing Access Back — Initial Access Brokers Exploit F5 BIG-IP (CVE-2023-46747) and ScreenConnect

Source: MANDIANT

This mix of custom tooling and the SUPERSHELL framework leveraged in these incidents is assessed with moderate confidence to be unique to a People’s Republic of China (PRC) threat actor, UNC5174. Read more.

New details on TinyTurla’s post-compromise activity reveal full kill chain

Source: CISCO TALOS

The attackers compromised the first system, established persistence and added exclusions to anti-virus products running on these endpoints as part of their preliminary post-compromise actions. Read more.

TeamCity Vulnerability Exploits Lead to Jasmin Ransomware, Other Malware Types

Source: TREND MICRO

Customers of TeamCity with servers affected by these vulnerabilities are advised to update their software as soon as possible. The US Cybersecurity and Infrastructure Security Agency (CISA) has also added CVE-2024-27198 to its Known Exploited Vulnerabilities catalog. Read more.

Mounting AceCryptor malware attacks target Europe

Source: SC Media

Organizations across Europe have been subjected to a deluge of attacks involving AceCryptor malware as part of campaigns that sought to exfiltrate email and browser credentials during the second half of 2023, reports The Record, a news site by cybersecurity firm Recorded Future. Read more.

Cybercriminals Beta Test New Attack to Bypass AI Security

Source: HACK READ

Hackers develop a new attack (Conversation Overflow) to bypass AI security. Learn how this technique fools Machine Learning and what businesses can do to stay protected. Read more.

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

Source: Security Intelligence

As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. Read more.

The Aviation And Aerospace Sectors Face Skyrocketing Cyber Threats

Source: Resecurity

The aerospace sector has become a rising target for cyberattacks due to its reliance on vastly interconnected digital infrastructures, global supply chains, and the torrential volume of sensitive data it handles. Read more.

Telecoms Manager Admits to Taking Bribes to Help Carry Out SIM Swapping Attacks

Source: Bitdefender

Court documents say Katz helped his co-conspirators victimize five customers of the telecoms company, receiving $5,000 ($1,000 per SIM swap) plus an unspecified percentage of the profits earned from the account takeovers. Read more.

Esports league postponed after players hacked midgame

Source: NATIONAL CYBER SECURITY

In the video, it’s clear that at one point — abruptly — Genburten starts seeing other players highlighted on the map, even those behind walls. This is what is called “wallhack,” essentially a cheat that allows hackers to see opponents through in-game obstacles. Read more.
