Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.
For more articles, check out our #onpatrol4malware blog.
CISA Warns of Second BeyondTrust Vulnerability Exploited in Attacks
Source: SECURITY WEEK
Tracked as CVE-2024-12686, the flaw is a medium-severity command injection issue that was discovered during BeyondTrust’s investigation into the compromise of a limited number of customer RS SaaS instances, including one associated with the US Department of Treasury. Read more.
Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations
Source: Sekoia
Later, in July 2024, CERT-UA published another report exposing UAC-0063 activities targeting Ukrainian scientific research institutions with new malware (dubbed HATVIBE and CHERRYSPY). The report associates the intrusion set UAC-0063 with APT28 with medium confidence. Read more.
HexaLocker V2: Skuld Stealer Paving the Way prior to Encryption
Source: CYBLE
HexaLocker V2 includes a persistence mechanism that modifies registry keys to ensure continued execution after the affected system reboots. The updated version downloads Skuld Stealer, which extracts sensitive information from the victim’s system before encryption. Read more.
Banshee: The Stealer That “Stole Code” From MacOS XProtect
Source: CHECK POINT RESEARCH
One notable difference between the leaked source code and the version discovered by Check Point Research is the use of a string encryption algorithm. This algorithm is the same one Apple uses in its XProtect antivirus engine for macOS. Read more.
Phish-free PayPal Phishing
Source: FORTINET
The scammer appears to have simply registered an MS365 test domain, which is free for three months, and then created a Distribution List (Billingdepartments1[@]gkjyryfjy876.onmicrosoft.com) containing victim emails. On the PayPal web portal, they simply request the money and add the distribution list as the address. Read more.
APT32 Poisoning GitHub, Targeting Chinese Cybersecurity Professionals and Specific Large Enterprises
Source: ThreatBook CTI
In this attack, the attackers used a novel and concealed method for the first time by embedding a malicious .suo file into a Visual Studio project. When the victim compiles the Visual Studio project, the Trojan will execute automatically. Read more.
Gayfemboy: A botnet that spreads using Four-Faith Industrial Routers 0DAY
Source: Qianxin X Lab
Gayfemboy used more than 20 vulnerabilities and Telnet weak passwords to spread samples, including the 0day vulnerability of Four-Faith Industrial Routers, and some unknown vulnerabilities involving Neterbit and Vimar devices. Read more.
Cybersecurity firm’s Chrome extension hijacked to steal users’ data
Source: BLEEPING COMPUTER
At least five Chrome extensions were compromised in a coordinated attack where a threat actor injected code that steals sensitive information from users. One attack was disclosed by Cyberhaven, a data loss prevention company that alerted its customers of a breach on December 24 after a successful phishing attack on an administrator account for the Google Chrome store. Read more.
Threat actors breached Argentina’s airport security police (PSA) payroll
Source: Security Affairs
Threat actors have breached Argentina’s airport security police (PSA) and compromised the personal and financial data of its officers and civilian personnel. Threat actors deducted from 2,000 to 5,000 pesos under false charges like “DD mayor” and “DD seguros.” Read more.
Researchers Expose NonEuclid RAT Using UAC Bypass and AMSI Evasion Techniques
Source: The Hacker News
“The NonEuclid remote access trojan (RAT), developed in C#, is a highly sophisticated malware offering unauthorised remote access with advanced evasion techniques,” Cyfirma said in a published technical analysis. Read more.