Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
Dark Web Profile: FunkSec
Source: SOCRadar
A new ransomware group, FunkSec, has gained attention after taking responsibility for attacks on numerous victims in December 2024. By January 2025, the group continued to target new victims, with the total number surpassing 100. FunkSec seems to be engaged in both hacktivism and ransomware/extortion. Read more.
GamaCopy targets Russia mimicking Russia-linked Gamaredon APT
Source: Security Affairs
The Knownsec 404 Advanced Threat Intelligence team recently analyzed attacks on Russian-speaking targets that used military-themed bait, 7z SFX archives for payload delivery, and UltraVNC, mimicking Gamaredon’s TTPs. The researchers attributed the activity to the APT Core Werewolf (aka Awaken Likho, PseudoGamaredon); because it mimics Gamaredon, they named the cluster GamaCopy. Read more.
Cybersecurity Stop of the Month: E-Signature Phishing Nearly Sparks Disaster for an Electric Company
Source: Proofpoint
In an e-signature phishing attack, bad actors will spoof a trusted brand and send malicious content through legitimate digital channels. Often, they use advanced methods like AitM to bypass MFA in an effort to further extend their access. And when bad actors use combined tactics, such as Adversary-in-the-Middle plus geofencing, they can be extremely successful in evading detection. Read more.
HellCat and Morpheus | Two Brands, One Payload as Ransomware Affiliates Drop Identical Code
Source: Sentinel One
Within this period of accelerated activity, the Ransomware-as-a-Service offerings HellCat and Morpheus have gained additional momentum and notoriety. Operators behind HellCat, in particular, have been vocal in their efforts to establish the RaaS as a ‘reputable’ brand and service within the crimeware economy. Read more.
Change Healthcare Breach Almost Doubles in Size to 190 Million Victims
Source: Infosecurity Magazine
The largest healthcare data breach on record just got even bigger, after UnitedHealth Group (UHG) confirmed that 90 million additional customers were impacted by a ransomware attack on Change Healthcare last year. Read more.
Invisible Prompt Injection: A Threat to AI Security
Source: TREND MICRO
LLMs can interpret hidden text that is not visible in the UI, so such hidden text can be used for prompt injection. To protect your AI application, test whether the LLM responds to invisible text; if it does, do not allow such invisible text to be passed as input. Read more.
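As an added example (not code from the Trend Micro article), this is a pre-filter a defender can place in front of an LLM to detect, report and strip code points that render invisibly in most UIs; the character ranges, helper names and the sample input are constructed for this illustration.

```python
import unicodedata
from typing import List, Tuple

# Inclusive code point ranges that render as nothing (or nearly nothing) in
# common UIs but are still delivered to the model as text. Constructed list
# for this example; tune it to the rendering stack your application uses.
INVISIBLE_RANGES = [
    (0x00AD, 0x00AD),    # soft hyphen
    (0x200B, 0x200F),    # zero-width space/joiners, LRM, RLM
    (0x202A, 0x202E),    # bidi embedding/override controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # zero-width no-break space (BOM)
    (0xE0000, 0xE007F),  # Unicode "tag" characters: ASCII smuggled in plane 14
    (0xE0100, 0xE01EF),  # variation selectors supplement
]


def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    # Catch any other "format" (Cf) control; ordinary whitespace such as
    # newline and tab is category Cc/Zs and stays untouched.
    return unicodedata.category(ch) == "Cf"


def find_invisible(text: str) -> List[Tuple[int, str]]:
    """Return (offset, U+XXXX) for every invisible code point, for logging."""
    return [(i, f"U+{ord(c):04X}") for i, c in enumerate(text) if is_invisible(c)]


def strip_invisible(text: str) -> str:
    """Drop invisible code points before the text reaches the model."""
    return "".join(c for c in text if not is_invisible(c))


def decode_tags(text: str) -> str:
    """Recover ASCII hidden as Unicode tag characters, so analysts can read it."""
    return "".join(chr(ord(c) - 0xE0000) for c in text if 0xE0020 <= ord(c) <= 0xE007E)


# Constructed sample: a visible request followed by a zero-width space and a
# short note encoded as tag characters (invisible in most UIs).
VISIBLE = "Please summarize this document."
SAMPLE_INPUT = VISIBLE + "\u200b" + "".join(chr(0xE0000 + ord(c)) for c in "hidden note")

if __name__ == "__main__":
    print(find_invisible(SAMPLE_INPUT))            # 12 findings
    print(repr(strip_invisible(SAMPLE_INPUT)))     # only the visible request
    print(decode_tags(SAMPLE_INPUT))               # 'hidden note'
```

Reject or strip at the boundary depending on policy, but log the findings either way; a burst of tag characters in user input is a strong detection signal on its own.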
RANsacked: Over 100 Security Flaws Found in LTE and 5G Network Implementations
Source: The Hacker News
A group of academics has disclosed details of over 100 security vulnerabilities impacting LTE and 5G implementations that could be exploited by an attacker to disrupt access to service and even gain a foothold into the cellular core network. Read more.
Threat Spotlight: Tycoon 2FA phishing kit updated to evade inspection
Source: Barracuda
Tycoon became Tycoon 2FA when it evolved to bypass multifactor authentication — in this case 2FA — by collecting and using Microsoft 365 session cookies. The latest version of Tycoon 2FA was first seen in November 2024, and it features advanced tactics designed to obstruct, derail, and otherwise thwart attempts by security tools to confirm its malicious intent and inspect its web pages. Read more.
7-Zip bug could allow a bypass of a Windows security feature. Update now
Source: Malwarebytes LABS
A patch is available for a vulnerability in 7-Zip that could have allowed attackers to bypass the Mark-of-the-Web (MotW) security feature in Windows. The MotW is an attribute added to files by Windows when they have been sourced from an untrusted location, like the internet or a restricted zone. Read more.
Sophos MDR tracks two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”
Source: SOPHOS
Sophos is tracking these threats as STAC5143 and STAC5777. Both threat actors operated their own Microsoft Office 365 service tenants as part of their attacks and took advantage of a default Microsoft Teams configuration that permits users on external domains to initiate chats or meetings with internal users. Read more.