Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns
Source: EclecticIQ
Multiple pieces of evidence strongly link this campaign to Sandworm, also tracked by CERT-UA as UAC-0145 [4], based on recurring use of ProtonMail accounts in WHOIS records, overlapping infrastructure, and consistent Tactics, Techniques and Procedures (TTPs). Read more.
Crooks use Google Tag Manager skimmer to steal credit card data from Magento-based e-stores
Source: Security Affairs
Google Tag Manager (GTM) is a free tool that lets website owners manage marketing tags without modifying site code, simplifying analytics and ad tracking. Sucuri inspected the website and discovered the malicious code hidden in a website’s database (cms_block.content), disguised as a Google Tag Manager and Google Analytics script to evade detection. Read more.
Operation Phobos Aetor: Police dismantled 8Base ransomware gang
Source: Security Affairs
An international law enforcement operation, codenamed Operation Phobos Aetor, dismantled the 8Base ransomware gang. The police took down the dark web data leak and negotiation sites. The police have yet to disclose the names of the suspects. Read more.
SparkCat trojan stealer infiltrates App Store and Google Play, steals data from photos
Source: Kaspersky
This malware is currently configured to steal crypto wallet data, but it could easily be repurposed to steal any other valuable information. The worst part is that this malware has made its way into official app stores, with almost 250,000 downloads of infected apps from Google Play alone. Read more.
Scalable Vector Graphics files pose a novel phishing threat
Source: Sophos
But because SVG images can load and render natively inside a browser, they can also contain anchor tags, scripting, and other kinds of active web content. In this way, threat actors have been abusing the file format. The SVG files used in the attacks include some instructions to draw very simple shapes, such as rectangles, but also contain an anchor tag that links to a web page hosted elsewhere. Read more.
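As an added defender-side example (not code from the Sophos article), the following Python check parses an SVG file and reports the active-content features the item describes: anchor tags and their link targets, script and foreignObject elements, and on* event-handler attributes. The sample SVG is constructed to mirror the "simple shapes plus an anchor to an external page" pattern.

```python
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample (not a real phishing artifact): a couple of rectangles
# plus an anchor that sends the viewer to a page hosted elsewhere.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="400" height="200">
  <rect x="10" y="10" width="380" height="180" fill="#eee"/>
  <a xlink:href="https://example.invalid/login">
    <rect x="100" y="80" width="200" height="40" fill="#06c"/>
    <text x="120" y="105">Open document</text>
  </a>
</svg>"""


def local(qname):
    """Strip an XML namespace prefix: '{ns}href' -> 'href'."""
    return qname.rsplit("}", 1)[-1]


def find_active_content(svg_text):
    """Return (element, attribute-or-kind, value) triples for anything that
    can navigate or execute when the SVG is rendered in a browser.
    Note: for untrusted input in production, parse with defusedxml instead
    of the stdlib parser to avoid entity-expansion tricks."""
    findings = []
    root = ET.fromstring(svg_text)
    for el in root.iter():
        name = local(el.tag)
        if name in ("script", "foreignObject"):
            findings.append((name, "element", ""))
        elif name == "a":  # anchor: record where a click would go
            href = el.get("href") or el.get("{%s}href" % XLINK_NS) or ""
            findings.append(("a", "href", href))
        for attr, value in el.attrib.items():
            short = local(attr)
            if short.lower().startswith("on"):  # onload, onclick, ...
                findings.append((name, short, value))
            elif short == "href" and value.strip().lower().startswith("javascript:"):
                findings.append((name, short, value))
    return findings


def is_suspicious(svg_text):
    return bool(find_active_content(svg_text))
```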
Google Cloud Platform Data Destruction via Cloud Build
Source: Cisco Talos
Google Cloud Platform (GCP) Cloud Build is a Continuous Integration/Continuous Deployment (CI/CD) service offered by Google that is utilized to automate the building, testing and deployment of applications. Orca Security published an article describing certain aspects of the threat surface posed by this service, including a supply chain attack vector they have termed “Bad.Build”. Read more.
Not-so-SimpleHelp exploits enabling deployment of Sliver backdoor
Source: Field Effect
The attack involved the quick and deliberate execution of several post-compromise tactics, techniques and procedures (TTPs) including network and system discovery, administrator account creation, and the establishment of persistence mechanisms, which could have led to the deployment of ransomware had Field Effect MDR not prevented the attack. Read more.
macOS FlexibleFerret | Further Variants of DPRK Malware Family Unearthed
Source: SentinelOne
In this post, we briefly recap previous research for context, including Apple’s contribution through its malware signatures, before describing newly discovered samples that we have labelled ‘FlexibleFerret’ and which remain undetected by XProtect at the time of writing. Read more.
Threat Actors Still Leveraging Legit RMM Tool ScreenConnect for Persistence in Cyberattacks
Source: Silent Push
Our discovery of a suspicious domain, filessauploaderchecker[.]com, in the Silent Push Web Scanner led us to further explore for malicious intent. As we continue investigating, we believe potential attackers have been using social engineering to lure victims into installing legitimate software copies configured to operate under the threat actor’s control. Read more.
Flesh Stealer: Unmasking the Blue Masked Thief
Source: CYFIRMA
This report examines Flesh Stealer, a .NET executable written in C#. The malware does not target CIS countries and is capable of bypassing app-bound encryption employed by Chrome. Developed by a Russian-speaking individual, Flesh Stealer includes various features such as anti-debugging and anti-VM capabilities. Read more.