Breaking Cyber News From Cyberint

Breaking news feed of the latest cyber incidents, breaches, vulnerabilities, malware, ransomware and so much more.

  • Apr 28, 2024

    • Kapeka
    • Eastern Europe
    • Sandworm Team
    • Ukraine
    • Europe

    Ukraine Targeted in Cyberattack Exploiting 7-Year-Old Microsoft Office Flaw

    Cybersecurity researchers have uncovered a targeted cyberattack against Ukraine, utilizing an old Microsoft Office flaw dating back almost seven years to deliver Cobalt Strike on compromised systems. The attack involved a PowerPoint slideshow file named "signal-2023-12-20-160512.ppsx" that appeared to be related to a U.S. Army manual for mine clearing blades, containing a remote relationship to an external OLE object. Exploiting CVE-2017-8570, a patched remote code execution vulnerability in Office, the attackers loaded a remote script from weavesilk[.]space, ultimately injecting a Cobalt Strike Beacon into system memory from a command-and-control server ("petapixel[.]fun"). The payload included features to evade detection and check for virtual machine execution. The attack's precise objectives remain unclear, though the lure's military-related content suggests targeting military personnel. This incident coincides with other cyber threats against Ukraine, including sabotage attempts by a Russian state-sponsored group, Sandworm (APT44), targeting critical infrastructure with destructive malware like Kapeka and BIASBOAT. Sandworm, linked to Russian military intelligence, has a history of extensive espionage, attack, and influence operations globally.

  • Apr 28, 2024

    • global
    • crypto

    DOJ Arrests Founders of Crypto Mixer Samourai for $2 Billion in Illegal Transactions

    The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of the cryptocurrency mixer Samourai, Keonne Rodriguez and William Lonergan Hill, and seized the service for allegedly facilitating illegal transactions exceeding $2 billion and laundering over $100 million in criminal proceeds. Rodriguez and Hill are charged with conspiracy to commit money laundering and operate an unlicensed money transmitting business from 2015 to February 2024, facing a maximum of 25 years in prison each. According to the DoJ, Samourai, marketed as a privacy-focused service, was intentionally designed by Rodriguez and Hill to aid criminals in money laundering and sanctions evasion. The operation involved laundering funds from dark web marketplaces like Silk Road and Hydra, as well as spear-phishing and scam schemes targeting decentralized finance protocols. Samourai's cryptocurrency mixing service, Whirlpool, allowed users to conceal transaction trails, with features like Ricochet Send, designed to obfuscate the origin of cryptocurrency to avoid detection by law enforcement and exchanges. The arrests follow international cooperation with law enforcement agencies from Iceland, Portugal, and Europol, resulting in the confiscation of Samourai's digital infrastructure and removal of its Android app from the Google Play Store in the U.S.

  • Apr 28, 2024

    • CVE-2024-21338
    • CVE-2023-42793
    • Kaolin RAT

    North Korea's Lazarus Group Deploys New Kaolin RAT via Fake Job Lures

    The Lazarus Group, a North Korea-linked threat actor, used fabricated job offers to distribute a new remote access trojan (RAT) named Kaolin RAT during targeted attacks in summer 2023 across Asia. According to Avast researcher Luigino Camastra, Kaolin RAT was capable of altering file timestamps and loading DLL binaries from a command-and-control server. This RAT facilitated the deployment of the FudModule rootkit, leveraging a patched admin-to-kernel exploit (CVE-2024-21338) to gain kernel-level access and disable security mechanisms. Lazarus Group's operation, known as Operation Dream Job, involves using social media and messaging platforms to distribute malware via job offer lures. The infection chain begins with victims launching a malicious ISO file containing disguised executables like "AmazonVNC.exe," which sideloads additional components to retrieve and launch further malware stages. This sophisticated attack chain involves multiple loaders and C2 communications to ultimately deploy the Kaolin RAT and subsequent payloads with extensive capabilities, including file operations, process enumeration, command execution, and connection to arbitrary hosts. Avast suggests the complexity of this sequence borders on overkill, highlighting the advanced tactics employed by Lazarus Group in their cyber operations.

  • Apr 28, 2024

    • CVE-2024-20353
    • CVE-2024-20359
    • Line Runner
    • Line Dancer
    • Cisco
    • Storm-1849

    ArcaneDoor APT exploits Cisco zero-days to breach govt networks

    Cisco has issued a warning about a state-backed hacking group exploiting two zero-day vulnerabilities in its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) firewalls since November 2023 to infiltrate government networks globally in a campaign known as ArcaneDoor. The threat actors, tracked as UAT4356 by Cisco Talos and STORM-1849 by Microsoft, targeted vulnerable edge devices for cyber-espionage. Although the initial attack vector remains unidentified, Cisco has identified and patched the two security flaws used by the threat actors: CVE-2024-20353 (denial of service) and CVE-2024-20359 (persistent local code execution). The vulnerabilities enabled the deployment of new malware, Line Dancer and Line Runner, providing remote access, disabling logging, and capturing and exfiltrating network traffic. Cisco urges customers to apply the security updates to mitigate potential attacks and advises monitoring for suspicious activity such as unscheduled reboots or unauthorized configuration changes.

  • Apr 28, 2024

    • Global
    • Brokewell

    New Brokewell malware takes over Android devices, steals data

    Security researchers have uncovered a new Android banking trojan named Brokewell, capable of logging all device activity, including touches, displayed information, text input, and launched applications. The trojan is distributed through a fake Google Chrome update displayed while browsing. Brokewell, still in active development, combines extensive device control and remote access features. Previously used to target financial services like Klarna and disguised as an Austrian authentication app, Brokewell excels in data theft and remote control. It mimics login screens to steal credentials, intercepts cookies, records device interactions, accesses call logs, determines location, captures audio, and can remotely view and control the device screen and settings. Developed by an entity called Baron Samedit, Brokewell is associated with a tool, "Brokewell Android Loader," enabling bypass of Android 13's accessibility restrictions. This type of trojan is in high demand among cybercriminals due to its ability to carry out fraudulent activities undetected from the victim's device. Researchers anticipate further development and widespread distribution of Brokewell through malware-as-a-service operations.

  • Apr 28, 2024

    • L.A. County Health Services
    • North America
    • United States
    • Healthcare

    LA County Health Services: Patients' data exposed in phishing attack

    The Los Angeles County Department of Health Services reported a data breach affecting thousands of patients' personal and health information due to a phishing attack targeting 23 employees' email accounts in February 2024. As a result of compromised credentials, the attackers accessed patients' data stored in these employees' mailboxes, including names, dates of birth, addresses, phone numbers, medical record details, diagnoses, treatments, and health plan information. Although no Social Security Numbers or financial data were compromised, approximately 6,085 individuals' information may have been impacted. Following the breach, the health system took immediate action by disabling affected email accounts, resetting devices, quarantining suspicious emails, and raising awareness among employees about email security. While no evidence suggests misuse of the exposed data, affected patients are advised to verify their medical records for accuracy with healthcare providers. The health system will notify relevant authorities, including the U.S. Department of Health & Human Services, regarding the breach.

  • Apr 21, 2024

    • Global
    • Business Services
    • exclusive

    Travel Operator full access is offered for sale

    On April 17, Cyberint Argos identified a threat actor named ‘Mexicnon’ on the Exploit forum offering initial access to a global booking agency specializing in flights and hotels. Mexicnon claims that this access includes reservations with nearly all major airlines and hotels, sourced from various travel agencies. Additionally, the database reportedly contains over 50,000 encrypted credit card records. The asking price, $75,000, is considerably higher than the average observed in Initial Access Broker (IAB) statistics.

  • Apr 21, 2024

    • Technology
    • Redline Stealer

    Fake cheat lures gamers into spreading infostealer malware

    A new information-stealing malware, masquerading as a game cheat called 'Cheat Lab,' is associated with the Redline malware family. It tricks users into installing it by promising a free copy if they convince friends to do the same. This malware is capable of stealing sensitive data like passwords and cryptocurrency details. McAfee researchers identified it using Lua bytecode to evade detection and inject into legitimate processes for stealth. Despite using a command server linked to Redline, tests by BleepingComputer show different behavior, such as not stealing browser data. The malware spreads through URLs related to Microsoft's 'vcpkg' GitHub repository, appearing as cheat tool demos. Victims receive ZIP files containing an MSI installer that deploys malicious components when executed. Once installed, the malware compiles and executes Lua bytecode, establishes persistence, and communicates with a command server to send system data and screenshots. The exact infection method is unclear but likely involves malvertising, P2P downloads, or deceptive software sites. This incident shows that malicious files can be distributed via reputable sources such as Microsoft's GitHub repositories, and highlights the importance of avoiding unsigned executables and suspicious websites. BleepingComputer contacted Microsoft for comment but did not receive a response.

  • Apr 18, 2024

    • United States
    • North America
    • Spear Phishing
    • Phishing
    • Protocol Tunneling
    • FIN7
    • Automotive

    FIN7 targets American automaker’s IT staff in phishing attacks

    FIN7, a financially motivated threat actor, targeted a major U.S. car manufacturer through spear-phishing emails directed at IT department employees, aiming to infect systems with the Anunak backdoor. BlackBerry researchers detailed this attack from late last year, noting the use of living-off-the-land binaries, scripts, and libraries (LoLBins). The attack involved enticing targets with malicious links posing as the legitimate Advanced IP Scanner tool. The malicious URL redirected to a fake site offering a disguised executable ('WsTaskLoad.exe'), which, when executed, initiated a complex process involving DLLs, WAV files, and shellcode execution to deploy the Anunak backdoor payload. FIN7's tactics included OpenSSH installation for persistent access but did not progress to lateral movement in this campaign. BlackBerry emphasizes defense strategies like phishing awareness training, multi-factor authentication (MFA), strong passwords, software updates, network monitoring, and advanced email filtering to protect against such threats.

  • Apr 17, 2024

    • CVE-2023-1389
    • Exploits
    • Archer AX21

    Multiple botnets exploiting one-year-old TP-Link flaw to hack routers

    Multiple botnet malware operations are actively targeting TP-Link Archer AX21 (AX1800) routers vulnerable to CVE-2023-1389, a command injection flaw discovered in January 2023 and addressed by TP-Link through firmware updates in March 2023. This vulnerability allows unauthenticated command injection via the locale API accessible through the router's web management interface. Despite security advisories and patches, several botnets, including several Mirai variants, "Condi," Moobot, Miori, AGoent, and a Gafgyt variant, are exploiting this flaw to compromise devices. These botnets use different methods to exploit the vulnerability, ranging from downloading and executing scripts to initiating DDoS attacks and maintaining persistence on compromised devices. Fortinet's telemetry data shows a surge in infection attempts exceeding 40,000 daily since March 2024. Users are strongly advised to update their router firmware following vendor instructions, change default passwords, and disable unnecessary web access to the admin panel to mitigate risks associated with this vulnerability.

  • Apr 15, 2024

    • Middle East
    • MuddyWater
    • Israel
    • DarkBeatC2
    • Asia

    Iranian MuddyWater APT Adopts New C2 Tool 'DarkBeatC2' in Latest Campaign

    The Iranian threat group MuddyWater has been linked to a new command-and-control (C2) infrastructure named DarkBeatC2, adding to their previous tools like SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go. According to Deep Instinct's Simon Kenin, while MuddyWater occasionally adopts new remote administration tools or modifies their C2 framework, their methods generally remain consistent. Microsoft's previous research has also connected MuddyWater with another Iranian threat group known as Storm-1084 (or DarkBit), which has been involved in destructive wiper attacks targeting Israeli organizations. The latest attack campaign, detailed by Proofpoint, starts with spear-phishing emails sent from compromised accounts containing links or attachments hosted on platforms like Egnyte to distribute the Atera Agent software. One of the URLs in question is "kinneretacil.egnyte[.]com," where the subdomain "kinneretacil" refers to "kinneret.ac.il," an educational institution in Israel and a customer of Rashim. Rashim was breached by Lord Nemesis (also known as Nemesis Kitten or TunnelVision) as part of a supply chain attack targeting the academic sector in the country. Lord Nemesis is suspected of being a "faketivist" operation against Israel. Notably, Nemesis Kitten is associated with Najee Technology, a private contracting company within Mint Sandstorm backed by Iran's Islamic Revolutionary Guard Corps (IRGC), which was sanctioned by the U.S. Treasury in September 2022.

  • Apr 14, 2024

    • Middle East
    • Handala
    • Israel
    • Asia
    • 99 Digital

    'Handala Hack' targets Israeli company '99 digital'

    The hacker group "Handala Hack" has announced a breach of the Israeli company "99 digital," known for offering digital customer service solutions to businesses, as part of the OPIsrael campaign. The group claimed to have infiltrated the company's admin panel and sent direct messages to its clients. Additionally, they claim to have acquired 5.2 TB of internal company data, primarily consisting of chat conversations. The group has released videos purportedly demonstrating their access to the company's internal servers as samples.

  • Apr 14, 2024

    • exclusive
    • Education
    • North America
    • United States

    USA University Initial Access offered for sale

    Cyberint Argos has detected a threat actor on the Exploit forum offering for sale initial access with domain admin rights to a university in the United States. According to the seller, the environment contains more than 1,000 hosts, and the university's annual revenue stands at $370k. The offered price is $2k.

  • Apr 14, 2024

    • Global
    • Mercenary
    • Apple

    Apple: Mercenary spyware attacks target iPhone users in 92 countries

    Apple is issuing warnings to iPhone users across 92 countries regarding a "mercenary spyware attack" aimed at remotely compromising their devices. The notifications emphasize Apple's high confidence in the threat and urge users to take it seriously, noting that the attack is likely targeting individuals based on their identities or activities. Apple recommends immediate actions such as enabling lockdown mode on devices, updating all Apple products to the latest software version, and seeking expert assistance from organizations like the Digital Security Helpline for journalists, activists, and human rights defenders. The company highlights the sophistication of such attacks, particularly mentioning the NSO Group's Pegasus kit, which is well-funded and targets specific individuals like journalists, activists, politicians, and diplomats. Despite the complexity of these attacks, Apple reassures users of its ongoing efforts to detect and notify them of potential threats. They advise affected users to stay vigilant and take preventive measures even if they have not received specific notifications from Apple.

  • Apr 14, 2024

    • arrest
    • crypto

    Ex-Amazon engineer gets 3 years for hacking crypto exchanges

    Former Amazon security engineer Shakeeb Ahmed has been sentenced to three years in prison for hacking two cryptocurrency exchanges in July 2022 and stealing over $12 million. Ahmed, who also received three years of supervised release, must forfeit $12.3 million and compensate the affected companies. The breaches targeted Nirvana Finance, a decentralized crypto exchange, and another unnamed Solana blockchain exchange, utilizing Ahmed's skills in smart contract reverse engineering. Ahmed pleaded guilty to computer fraud and faced a maximum of five years imprisonment. U.S. Attorney Damian Williams highlighted the significance of this case, emphasizing the commitment to pursuing hackers and recovering stolen assets. Ahmed's attacks involved manipulating smart contracts to falsify pricing data and exploit protocol loopholes, leading to substantial financial gains and attempts to conceal his tracks using cryptocurrency mixers and exploring strategies to avoid detection and extradition.

  • Apr 14, 2024

    • arrest
    • rat

    Firebird RAT creator and seller arrested in the U.S. and Australia

    A joint operation by the Australian Federal Police (AFP) and the FBI resulted in the arrest and charging of two individuals linked to the development and distribution of the "Firebird" remote access trojan (RAT), later rebranded as "Hive." The RAT, though not widely recognized, potentially impacted users globally. The Firebird RAT was promoted on a dedicated website as a remote administration tool, highlighting features like stealthy access and password recovery, targeting prospective buyers. An Australian man, accused of developing and selling the RAT on a hacking forum, faces twelve charges related to computer offenses. Meanwhile, Edmond Chakhmakhchyan from California, known as "Corruption," allegedly marketed the Hive RAT, facilitated Bitcoin transactions, and provided support to purchasers. Chakhmakhchyan has pleaded not guilty to multiple charges, including conspiracy and unauthorized data access, with sentencing set for June 4, 2024. The Australian suspect is scheduled to appear in court on May 7, 2024, facing up to 36 years in prison if convicted.

  • Apr 11, 2024

    • Middle East
    • Israel
    • Anonymous
    • Israel Ministry Of Justice
    • Asia

    Israeli Ministry of Justice Cyber-Attack By Anonymous: Second Batch of Data Released

    Following last week's cyber attack on the Israeli Ministry of Justice carried out by Anonymous, during which the group claimed to have removed servers and stolen around 300GB of data, today the group has released the second batch of the stolen data. This compromised data reportedly includes internal and private documents containing details about employees, judges, personally identifiable information (PII), official letters, agreements, and more. The group has indicated that additional batches are anticipated to be disclosed in the coming days.

  • Apr 10, 2024

    • Starry Addax
    • Flexstarling

    Threat actors targeting human rights activists in Morocco and Western Sahara

    Human rights activists in Morocco and the Western Sahara region are facing a new threat actor named Starry Addax, identified by Cisco Talos, which employs phishing tactics to distribute malicious Android apps and credential harvesting pages for Windows users. This campaign primarily targets activists associated with the Sahrawi Arab Democratic Republic (SADR). Starry Addax's infrastructure includes domains designed to trick both Android and Windows users into installing malware or revealing credentials on fake social media login pages. Talos, actively investigating the campaign, refrains from disclosing specific targeted websites. The threat actor, operational since January 2024, sends spear-phishing emails prompting victims to install a decoy app or visit credential harvesting pages. The associated Android malware, FlexStarling, is advanced, capable of delivering additional malware components and stealing sensitive data while operating stealthily under Firebase-based command-and-control to avoid detection. Talos highlights the campaign's custom-made infrastructure and malware, signaling a focused effort to target human rights activists distinct from using off-the-shelf spyware or malware.

  • Apr 10, 2024

    • exclusive
    • Cryptocurrency

    Crypto Leak 2023 offered for sale

    Cyberint Argos found a threat actor on the XSS forum offering for sale a full database of cryptocurrency users from Coinbase, Binance and Blockchain. The number of users per source: Coinbase: 280k, Binance: 130k, Blockchain: 31k. The threat actor also offers samples to validate the data, with a URL and a username for login.

  • Apr 09, 2024

    • The Returnees
    • Middle East
    • Israel
    • Critical Infrastructures
    • Manufacturing
    • Asia
    • Energy Infrastructures Ltd
    • Ramat-Hovav Pharmaceutical Industries

    'The Returnees' group targeting several Israeli companies

    The Muslim hacktivist group 'The Returnees' is targeting Israeli companies as part of the OPIsrael campaign. The group claimed to have obtained internal information of the energy company "Energy Infrastructures Ltd" and the pharmaceutical company "Ramat-Hovav Pharmaceutical Industries". According to the group, the data is slated for release on April 9th. At this point, the companies have not released an official statement, so it is not clear whether the attacks occurred. "The Returnees" emerged in October 2023, following the conflict in Gaza, establishing their Telegram channel.

  • Apr 09, 2024

    • Media
    • North America
    • United States
    • exclusive
    • Snapchat

    SNAPCHAT EMPLOYEE ACCESS - XSS

    The Cyberint Argos platform detected a threat actor on the underground forum XSS selling access to a Snapchat employee account, which they claim can be leveraged to access any other user within Snapchat, for the price of $20k.

  • Apr 08, 2024

    • Media
    • North America
    • United States
    • exclusive
    • Snapchat

    SNAPCHAT EMPLOYEE ACCESS - XSS

    Hello, I'm selling access to a Snapchat employee account. From here you can request access to any user's information (takes between 5-15 minutes to get approved); change details whenever your request to access the information gets approved (changes instantly); accept reports for specific accounts (you could report an account and approve the report and the account would get banned); review Spotlight posts (delete and modify descriptions). Price: 20K$. Contact me for more details and proof, I have 2 accesses available.

  • Apr 04, 2024

    • North America
    • United States
    • Technology
    • VMware
    • SEXi Ransomware

    Hosting firm's VMware ESXi servers hit by new SEXi ransomware

    IxMetro Powerhost, a Chilean data center and hosting provider, fell victim to a ransomware attack perpetrated by a new group named SEXi, resulting in the encryption of their VMware ESXi servers and backups. PowerHost, operating across the USA, South America, and Europe, notified customers of the attack, which occurred over the weekend, causing downtime for clients using the affected servers. Despite efforts to restore data from backups, the company encountered obstacles as the backups themselves were encrypted. Negotiations with the ransomware group ensued, with the attackers demanding two bitcoins per victim, amounting to a staggering $140 million, according to PowerHost's CEO.

  • Apr 04, 2024

    • APT38
    • Crypto Exchange Upbit

    Crypto exchange Upbit confirms theft of 342,000 ETH - APT38

    Lazarus has been responsible for numerous cryptocurrency exchange attacks, such as the 2019 Upbit hack, which netted them more than $49 million worth of cryptocurrency.

  • Apr 04, 2024

    • Pikabot
    • Global

    Distinctive Campaign Evolution of Pikabot Malware

    In February 2024, McAfee Labs noted a substantial shift in the distribution campaigns of Pikabot. Pikabot's dissemination involves employing various file types, a tactic influenced by the specific objectives and characteristics of the attack. Utilizing multiple file formats enables attackers to exploit a wide range of attack vectors, leveraging potential vulnerabilities inherent in different formats. This approach aims to increase the likelihood of success while evading detection by security software, as different file types may be detected or analyzed differently, thus circumventing specific security measures.

  • Apr 03, 2024

    • exploit
    • vulnerability
    • wordpress
    • global

    Critical Security Flaw Found in Popular LayerSlider WordPress Plugin

    A critical security vulnerability in the LayerSlider plugin for WordPress (CVE-2024-2879) allowed attackers to conduct SQL injection attacks, potentially extracting sensitive data like password hashes. This flaw, rated 9.8 out of 10, affected versions 7.9.11 through 7.10.0 but was patched in version 7.10.1 released on March 27, 2024. LayerSlider, a popular visual web content editor used by millions globally, failed to adequately escape user parameters, enabling attackers to insert malicious SQL queries. Similarly, an XSS flaw (CVE-2024-1852, CVSS: 7.2) was found in the WP-Members Membership Plugin, allowing arbitrary JavaScript execution. These vulnerabilities underscore ongoing security challenges in WordPress plugins, with recent disclosures affecting Tutor LMS (CVE-2024-1751, CVSS: 8.8) and Contact Form Entries (CVE-2024-2030, CVSS: 6.4), posing risks of information disclosure and script injection, respectively.

  • Apr 03, 2024

    • UNAPIMON
    • Global
    • DLL Side-Loading
    • APT41

    APT41 new UNAPIMON tool hides malware from security software

    The Chinese cyber espionage group Winnti, also known as APT41, has deployed a previously undisclosed malware called UNAPIMON to facilitate undetectable execution of malicious processes. Trend Micro uncovered this operation, linking it to a cluster named 'Earth Freybug.' UNAPIMON, delivered as a DLL file, utilizes Microsoft Detours to bypass security by unhooking critical API functions, allowing it to conceal its activities. The malware employs a unique method involving DLL side-loading to inject itself into legitimate processes, enabling evasion of security measures. Trend Micro emphasizes the simplicity and ingenuity of UNAPIMON, highlighting its use of common tools like Microsoft Detours for malicious purposes, ultimately underscoring the sophistication of the threat actor behind it.

  • Apr 02, 2024

    • Amos
    • Cryptocurrency

    Threat Actors Target macOS Users with Malicious Ads Spreading Stealer Malware

    Malicious advertisements and counterfeit websites are being used to distribute two distinct stealer malware families targeting Apple macOS users: Atomic Stealer and another, unnamed stealer. These infostealer attacks aim to pilfer sensitive data, with one attack vector involving fake ads for Arc Browser on search engines, redirecting users to malicious sites like "airci[.]net" to download the malware-laden "ArcSetup.dmg" disk image. Atomic Stealer, known for its deceptive password prompts, is delivered through this method. Another attack employs a fake website, meethub[.]gg, posing as a group meeting scheduler, to install a different stealer malware targeting keychain data and web browser credentials. Victims, often in the cryptocurrency industry, are lured under false pretenses, emphasizing the need for heightened vigilance among such individuals. Additionally, Moonlock Lab reported the use of malicious DMG files to deploy another stealer malware variant, leveraging obfuscated AppleScript and bash payloads to extract credentials, underscoring the evolving threat landscape for macOS users.

  • Apr 02, 2024

    • CVE-2024-3094

    Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros

    Red Hat issued an "urgent security alert" regarding XZ Utils, a data compression library, revealing that versions 5.6.0 and 5.6.1 have been compromised with malicious code facilitating unauthorized remote access. Tracked as CVE-2024-3094, the backdoor, with a CVSS score of 10.0, manipulates the liblzma build process to modify specific functions, potentially allowing attackers to intercept and alter data interactions. Specifically targeting the sshd daemon process, the code aims to bypass authentication and execute arbitrary payloads through SSH, effectively seizing control of victim machines. Discovered by Microsoft engineer Andres Freund, the heavily obfuscated code was introduced over four commits by a GitHub user named Jia Tan. While GitHub has disabled the XZ Utils repository, no active exploitation has been reported, and the compromised packages are limited to Fedora 41 and Fedora Rawhide, sparing other Linux distributions like Debian, Ubuntu, and Red Hat Enterprise Linux from impact.

  • Apr 01, 2024

    • global
    • supplychain

    Threat Actors Hijack GitHub Accounts in Supply Chain Attack Affecting Top.gg and Others

    A complex attack campaign targeted individual developers and the GitHub organization account of Top.gg, a Discord bot discovery site, employing various tactics such as account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom Python mirror, and publishing tainted packages to the PyPI registry. This supply chain attack resulted in the theft of sensitive data like passwords and credentials. The adversaries exploited a typosquat domain to host trojanized versions of popular packages like colorama, distributed through GitHub repositories. The campaign, which began in November 2022, aimed to compromise Python environments by injecting malware into dependencies. The rogue packages, including "yocolor," executed multi-stage infection sequences to establish persistence, steal data from browsers and crypto wallets, and transfer the captured data to the attackers. This incident underscores the need for thorough vetting of dependencies and robust security measures to prevent similar attacks in the future.

  • Apr 01, 2024

    • Southern Asia
    • Energy, Utilities & Waste
    • Energy
    • Asia
    • India

    Threat Actors Hit Indian Defense, Energy Sectors with Malware Posing as Air Force Invite

    Unknown threat actors have targeted Indian government entities and energy companies by distributing a modified version of the HackBrowserData malware via phishing emails disguised as Indian Air Force invitation letters. Utilizing Slack channels as command-and-control (C2) points, the attackers have exfiltrated sensitive information, including internal documents and cached web browser data. Dubbed Operation FlightNight, the campaign, detected by EclecticIQ on March 7, 2024, encompasses various Indian government sectors and private energy firms, resulting in the theft of financial documents, employee details, and information on oil and gas drilling activities. The malware, a variant of HackBrowserData, not only steals browser data but also captures documents and communicates via Slack, leveraging obfuscation techniques for evasion. The threat actor's tactics mirror those observed in a previous phishing campaign targeting the Indian Air Force, indicating a consistent modus operandi aimed at exploiting enterprise infrastructure like Slack to facilitate cyber espionage and data theft.

  • Apr 01, 2024

    • targetcompany
    • breach
    • exclusive

    Japanese Software Company Database Offered for Sale

    A threat actor is offering for sale a compromised database belonging to a Japanese software company. The 131GB of data reportedly includes private internal emails, communication messages, source code, customer data, financial data and more. The incident has not yet been reported in the news. This intel item was discovered on the known Russian-language hacking forum XSS.

  • Mar 20, 2024

    • China
    • United States
    • Islamic Republic Of Iran
    • Critical Infrastructures

    White House and EPA Address Rising Cyber Threats to National Water Infrastructure

    The White House and EPA have issued a warning regarding cyberattacks on the nation's water systems, emphasizing the need for enhanced cybersecurity measures. U.S. National Security Advisor Jake Sullivan and EPA Administrator Michael Regan alerted governors about the escalating threats and called for collaborative efforts to defend and recover water systems from such attacks. This initiative includes the creation of a Water Sector Cybersecurity Task Force aimed at identifying strategies to mitigate cyber threats, following incidents involving Iranian and Chinese threat actors breaching U.S. water infrastructure.

  • Mar 20, 2024

    • Global
    • Firebase
    • vulnerability

    19 Million Plaintext Passwords Exposed Due to Firebase Misconfigurations

    A significant security lapse involving misconfigured Firebase instances was discovered, leading to the exposure of nearly 19 million plaintext passwords among over 125 million sensitive user records. The exposed data, found across 916 websites due to inadequate security settings, included emails, names, phone numbers, and billing details. Despite attempts to alert affected companies, the response was minimal, though some corrected the issue.
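The misconfiguration behind exposures like this is usually a security-rules document that grants read (and often write) access without any authentication check. As an added example, not code from the page or from the researchers it summarises, the snippet below audits Firebase Realtime Database rules and flags every `.read`/`.write` grant that does not reference `auth`. Both rule documents are constructed; it assumes the Realtime Database rules format (Firestore uses a different rules language and is not covered).

```python
"""Added example: audit Firebase Realtime Database security rules for grants
that need no authentication. Both rule sets below are constructed samples."""

import json

# Constructed: the rule set that exposes every record to anyone who knows the
# database URL. The Firebase console warns about it, yet it still ships.
WORLD_READABLE_RULES = json.dumps({
    "rules": {".read": True, ".write": True}
})

# Constructed: scoped rules. A user can reach only their own subtree, and a
# public subtree is readable but never writable from the client.
SCOPED_RULES = json.dumps({
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "public": {".read": True, ".write": False},
    }
})


def _grants_unauthenticated(value):
    """A grant is unauthenticated if it is literally true or an expression
    that never consults auth. Literal false (bool or string) grants nothing."""
    if value is False or value == "false":
        return False
    if value is True or value == "true":
        return True
    return isinstance(value, str) and "auth" not in value


def audit_rules(rules_text):
    """Return (path, permission, value) for each unauthenticated .read/.write.
    Rules cascade downward, so a grant at "/" covers the entire database."""
    doc = json.loads(rules_text)
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                if _grants_unauthenticated(value):
                    findings.append((path or "/", key, value))
            elif not key.startswith("."):      # skip .validate / .indexOn
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


def is_world_readable(rules_text):
    """True when the root node itself is readable without authentication."""
    return any(path == "/" and perm == ".read"
               for path, perm, _ in audit_rules(rules_text))


if __name__ == "__main__":
    for label, rules in (("weak", WORLD_READABLE_RULES), ("scoped", SCOPED_RULES)):
        print(label, audit_rules(rules), "world-readable:", is_world_readable(rules))
```

Two caveats a reviewer should keep in mind: `auth != null` is only as strong as the sign-in methods the project enables (anonymous auth makes it nearly equivalent to public), and correct rules do not excuse storing plaintext passwords in the first place, which is what made this incident as damaging as it was.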

  • Mar 17, 2024

    • arrest
    • marketplace

    Admin of major stolen account "E-Root" marketplace gets 42 months in prison

    Moldovan national Sandu Boris Diaconu, known by the aliases 'utmsandu,' 'sandushell,' 'rootarhive,' and 'WinD3str0y,' has been sentenced to 42 months in prison followed by 3 years of supervised release for operating E-Root, a major online marketplace that sold access to hacked computers worldwide. Diaconu pleaded guilty in December to charges including conspiracy to commit access device and computer fraud and possession of unauthorized access devices. He attempted to flee but was arrested in the U.K. in May 2021 after E-Root's domains were seized, and was extradited to the U.S. in October 2023. The marketplace facilitated a range of criminal activity, including ransomware attacks and tax fraud schemes: it sold buyers compromised credentials for accessing systems, processed payments through Perfect Money to obscure the money trail, and operated like a legitimate e-commerce platform, complete with customer service and warranty policies.

  • Mar 17, 2024

    • Global
    • CVE-2024-23334
    • ShadowSyndicate

    ShadowSyndicate exploits aiohttp bug to find vulnerable networks

    ShadowSyndicate, a ransomware actor, has been targeting servers vulnerable to CVE-2024-23334, a directory traversal vulnerability in the aiohttp Python library, which is widely used by tech firms, web developers, and data scientists to build high-performance web applications. The vulnerability affects aiohttp versions 3.9.1 and older and was patched in aiohttp 3.9.2, released on January 28, 2024. It allows unauthenticated reads of files outside a static route's root directory when the route is configured with follow_symlinks=True, because that setting caused the server to skip the check that the requested path stays inside the root. Exploitation attempts surged in February and March after a researcher published a proof-of-concept exploit on GitHub and an accompanying instructional video on YouTube. Cyble's threat analysts observed scanning from five IP addresses, one of which Group-IB had linked to ShadowSyndicate in a September 2023 report.
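The mechanics of that flaw are easy to reproduce outside the framework. The block below is an added example written for this page, not aiohttp's code: it reconstructs the shape of the static-route path check before and after the fix, as described in the public advisory (resolve first and skip containment when symlinks are followed, versus check the lexically normalised path before following anything), and exercises both against a constructed temporary directory tree. Exact upstream code is not reproduced, and the version helper only encodes the 3.9.1/3.9.2 boundary stated above.

```python
"""Added example: reconstruction of the vulnerable and fixed static-route path
checks behind CVE-2024-23334, run against a constructed directory tree.
Not aiohttp's source; shapes follow the public advisory."""

import os
import re
import tempfile
from pathlib import Path


def build_demo_tree():
    """Constructed layout:
         <tmp>/secret.txt              outside the static root
         <tmp>/static/index.html       legitimate static file
         <tmp>/static/link.txt -> ../secret.txt   (only if symlinks are permitted)
    Returns the resolved static root, as a server would store it."""
    base = Path(tempfile.mkdtemp()).resolve()
    root = base / "static"
    root.mkdir()
    (base / "secret.txt").write_text("not for the web\n")
    (root / "index.html").write_text("<h1>hello</h1>\n")
    try:
        (root / "link.txt").symlink_to(Path("..") / "secret.txt")
    except OSError:
        pass  # hosts that forbid symlinks still exercise the '..' traversal cases
    return root


def resolve_pre_fix(root, requested, follow_symlinks):
    """Vulnerable shape: resolve first, then check containment only when
    follow_symlinks is False. With follow_symlinks=True, '../' walks out."""
    filepath = root.joinpath(requested).resolve()
    if not follow_symlinks:
        filepath.relative_to(root)          # ValueError becomes a 404 upstream
    return filepath


def resolve_fixed(root, requested, follow_symlinks):
    """Fixed shape: reject '..' on the lexically normalised path before any
    symlink is followed. A symlink that lives inside root may still point
    outside, but only because the operator opted in with follow_symlinks=True."""
    filepath = root.joinpath(requested)
    if follow_symlinks:
        normalized = Path(os.path.normpath(filepath))
        normalized.relative_to(root)
        return normalized.resolve()
    filepath = filepath.resolve()
    filepath.relative_to(root)
    return filepath


def escapes_root(resolver, root, requested, follow_symlinks):
    """True if the resolver would serve a file outside root; False if it serves
    a contained file or rejects the request outright."""
    try:
        served = resolver(root, requested, follow_symlinks)
    except ValueError:
        return False
    return served != root and root not in served.parents


def aiohttp_version_is_fixed(version):
    """True for 3.9.2 and later, per the advisory; pre-release suffixes ignored."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts >= (3, 9, 2)


if __name__ == "__main__":
    root = build_demo_tree()
    for name, fn in (("pre-fix", resolve_pre_fix), ("fixed", resolve_fixed)):
        print(name, "'../secret.txt' with follow_symlinks=True escapes:",
              escapes_root(fn, root, "../secret.txt", True))
```

The pre-fix resolver hands back `<tmp>/secret.txt` for `../secret.txt` as soon as `follow_symlinks=True`; the fixed one rejects it either way while still serving `index.html`. Operationally the check is simpler still: confirm the installed version is at least 3.9.2, and treat any `add_static(..., follow_symlinks=True)` on an Internet-facing server as a setting that needs a reason.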

  • Mar 14, 2024

    • exploit
    • vulnerability
    • campaign
    • malware

    Threat actors exploit Windows SmartScreen flaw to drop DarkGate malware

    The DarkGate malware operation has launched a new wave of attacks that exploits a recently patched vulnerability in Windows Defender SmartScreen to bypass security warnings and deliver fake software installers. The flaw, tracked as CVE-2024-21412, lets attackers evade SmartScreen warnings with specially crafted downloaded files, such as Windows Internet shortcuts pointing to remote SMB shares. Microsoft patched the issue in mid-February after the financially motivated Water Hydra group exploited it to distribute DarkMe malware. Trend Micro analysts have now found DarkGate operators leveraging the same vulnerability, a sign of how quickly such bypasses spread between crews. The development is notable because DarkGate, alongside Pikabot, has become increasingly prominent since QBot's disruption last summer, serving as a preferred distribution tool for a range of cybercriminals.
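The delivery artefact in this chain is an Internet Shortcut (.url) file whose target lives on an attacker-controlled share, so the content is worth scanning at the mail gateway or on endpoints. As an added example (not from the Trend Micro research or the Cyberint item), the block below parses .url bodies and flags any target, icon or working-directory field that points at a remote SMB/WebDAV host rather than a local path or web URL. The two sample shortcuts are constructed and use a reserved documentation IP address.

```python
"""Added example: flag Windows Internet Shortcut (.url) files whose fields point
at remote shares. Sample shortcut contents are constructed."""

import configparser
import re
from urllib.parse import urlparse

# Constructed benign shortcut: an ordinary web bookmark.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

# Constructed suspicious shortcut: the target is a file on a remote share, and
# the icon is pulled from a share as well, which also leaks an outbound connection.
SUSPICIOUS_URL_FILE = r"""[InternetShortcut]
URL=file://203.0.113.10/share/update.url
IconFile=\\203.0.113.10\share\app.ico
IconIndex=0
"""

# \\host\share... (a UNC path); the first component after the backslashes is the host.
_UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def remote_share_host(target):
    """Return the remote host if target is a UNC path or a file:// URL with a
    host component, else None. file:///C:/... has an empty host and is local."""
    if not target:
        return None
    m = _UNC_RE.match(target)
    if m:
        return m.group(1)
    parsed = urlparse(target)
    if parsed.scheme == "file" and parsed.netloc:
        return parsed.netloc
    return None


def scan_url_shortcut(text):
    """Parse .url content and return (field, host) for every field that
    resolves to a remote share. An empty list means nothing remote was found."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("InternetShortcut"):
        return []
    section = cp["InternetShortcut"]
    findings = []
    for field in ("URL", "IconFile", "WorkingDirectory"):
        host = remote_share_host(section.get(field))
        if host:
            findings.append((field, host))
    return findings


if __name__ == "__main__":
    print("benign:", scan_url_shortcut(BENIGN_URL_FILE))
    print("suspicious:", scan_url_shortcut(SUSPICIOUS_URL_FILE))
```

A target that is itself another `.url` (as in the constructed sample) is a second indicator worth alerting on, since a shortcut that opens a shortcut has no legitimate purpose. Blocking outbound SMB (TCP 445) and WebDAV at the perimeter removes the fetch step regardless of how the warning dialog is suppressed.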

  • Mar 13, 2024

    • Middle East
    • Handala
    • Israel
    • Rotec Water
    • exclusive
    • Asia

    "Handala" claims to have hacked Israeli company "Rotec Water"

    The Cyberint Argos platform discovered that the Iran-affiliated, recently emerged pro-Palestinian hacktivist group "Handala" claimed to have hacked "Rotec Water", an Israeli company that develops technologies for the water treatment industry. According to the group, it obtained more than 79GB of internal company data. The group has published samples of the allegedly stolen data, including blueprints, a screenshot of an order confirmation, and photos that appear to have been taken inside the company's factories. Rotec Water has not yet confirmed the attack, so it remains unclear whether the group's claims are accurate.

  • Mar 13, 2024

    • United States
    • Education
    • Akira

    Ransomware Attack at Stanford University Exposes Data of 27,000

    Stanford University disclosed that the personal data of 27,000 individuals were stolen during a ransomware attack on its Department of Public Safety network. The breach, occurring between May and September 2023, led to the theft of sensitive personal information, potentially including dates of birth, Social Security numbers, and more. The Akira ransomware gang claimed responsibility for leaking the data on their dark website. This incident is part of a concerning trend of cyberattacks against educational institutions.

  • Mar 13, 2024

    • Philippines
    • Technology
    • Acer
    • Ph1Ns

    Acer's Employee Data in the Philippines Leaked

    Acer confirmed that data of its employees in the Philippines was leaked online after an attack on a third-party vendor responsible for managing the company's employee attendance data. The data breach, publicized by a threat actor named 'ph1ns' on a hacking forum, involved no ransomware or encryption, purely constituting data theft. Acer assured that customer data was unaffected and their systems remained secure. The company has notified appropriate legal and cybersecurity authorities in the Philippines, and an investigation is ongoing.

  • Mar 11, 2024

    • vulnerability
    • global

    Critical Fortinet flaw may impact 150,000 exposed devices

    Approximately 150,000 Fortinet FortiOS and FortiProxy systems have been found vulnerable to CVE-2024-21762, a critical flaw that allows code execution without authentication. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation and added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Despite Fortinet's patches, the Shadowserver Foundation identified nearly 150,000 vulnerable devices globally. Piotr Kijewski of Shadowserver notes that the scans detect vulnerable versions, so the true number of exploitable devices may be lower where administrators have applied mitigations. The vulnerability carries a CVSS score of 9.8 and is triggered by specially crafted HTTP requests from a remote attacker. Most of the exposed devices, over 24,000, are located in the United States, with significant numbers also in India, Brazil, and Canada. Public detail on who is exploiting CVE-2024-21762 remains limited, which may indicate either quiet use by sophisticated adversaries or low visibility of the activity. Organizations can check their own exposure with a Python script developed by Bishop Fox. FortiOS, Fortinet's operating system, provides DoS protection, IPS, firewall, and VPN services across the vendor's security devices, while FortiProxy offers secure web proxy functionality with defenses against web- and DNS-based threats, including antivirus, intrusion prevention, and client browser isolation.

  • Mar 11, 2024

    • insider
    • google

    Google Engineer Steals AI Trade Secrets for Chinese Companies

    The former Google software engineer, Linwei Ding, also known as Leon Ding, has been charged by the US Justice Department for allegedly stealing trade secrets related to artificial intelligence from the company. The stolen information was purportedly intended for use at two AI-related firms in China with which Ding was associated. If found guilty, Ding could face a maximum sentence of 10 years in prison and a fine of $250,000 for each of the four counts of trade secrets theft he is indicted on. Among the pilfered data are chip architecture and software design specifications for new tensor processor versions, technical details of GPUs used in Google's supercomputing data centers, and software design specifications for the central cluster management system at these facilities.

  • Mar 11, 2024

    • Russia
    • Nebula
    • exclusive
    • Eastern Europe
    • Europe
    • Government

    Nebula Claims Attack on Moscow's Government

    Cyberint Argos Platform detected Nebula, a hacktivist group, claiming to have encrypted several Russian government systems related to the upcoming election. According to Nebula, all internal systems have received ransom encryption including all of the databases, email servers and workstations.

  • Mar 10, 2024

    • Commerce And Magento Open Source
    • CVE-2022-24086
    • CVE-2023-41265
    • CVE-2023-41266
    • CVE-2023-46805
    • CVE-2024-21887
    • CVE-2024-2188

    Magnet Goblin hackers use 1-day flaws to drop custom Linux malware

    The financially motivated hacking group Magnet Goblin is utilizing newly discovered vulnerabilities, known as 1-day flaws, to infiltrate public-facing servers and install custom malware on both Windows and Linux systems. These vulnerabilities, for which patches have been issued, are exploited swiftly by Magnet Goblin, sometimes within a day of their disclosure. The group targets a variety of devices and services, including Ivanti Connect Secure, Apache ActiveMQ, ConnectWise ScreenConnect, Qlik Sense, and Magento. Once breached, servers are infected with custom malware such as NerbianRAT, MiniNerbian, and a personalized version of the WARPWIRE JavaScript stealer.

  • Mar 07, 2024

    • Middle East
    • Israel
    • Algosec
    • Ddarknotevil
    • exclusive
    • Asia

    Leaked database of Israeli network security company "AlgoSec" offered for sale

    The Cyberint Argos platform detected a threat actor group named "Ddarknotevil" offering for sale a 227GB database said to belong to clients of the Israeli computer and network security company "AlgoSec". According to the threat actor, the data contains roughly 7,000 contact records in .xlsx format stolen from "AlgoSec". The asking price is $2,500. The threat actor also posted screenshots from the database as samples.

  • Mar 07, 2024

    • Retail
    • Petsmart
    • United States

    Credential Stuffing Alert: PetSmart Takes Action to Protect User Accounts

    PetSmart, a leading retailer providing a wide range of pet-related products, services, and solutions, has proactively warned its customers about credential stuffing attacks targeting user accounts. These attacks leverage exposed or previously breached credentials, and in response, PetSmart reset passwords for accounts that logged in during the attack period.

  • Mar 07, 2024

    • Fbi
    • Alphv
    • United States
    • ransomware

    BlackCat Ransomware Gang Claims FBI Seizure in Exit Scam

    The BlackCat ransomware gang announced an exit scam, falsely claiming the FBI seized their infrastructure and decided to sell their malware source code for $5 million. Despite blaming law enforcement, investigations revealed no such intervention, with the gang's actions, including shutting down their Tor data leak blog and negotiation servers, pointing to a deliberate exit scam. Previously known for significant attacks and evolving extortion tactics, their abrupt closure and deceptive tactics mark a notable end to their operations, leaving questions about their future activities under a cloud of distrust.

  • Mar 05, 2024

    • Apt43
    • Global
    • Toddleshark

    New ToddleShark malware introduced through exploitation of ScreenConnect vulnerabilities

    The North Korean APT hacking group Kimsuky, also known as Thallium and Velvet Chollima, is exploiting vulnerabilities in ScreenConnect, specifically CVE-2024-1708 and CVE-2024-1709, to distribute a new malware variant named ToddleShark. These hackers are notorious for cyber espionage campaigns targeting various organizations and governments globally. They are taking advantage of authentication bypass and remote code execution flaws disclosed by ConnectWise on February 20, 2024. Public exploits for these vulnerabilities emerged the following day, leading to swift adoption by threat actors, including ransomware groups. According to an upcoming report from Kroll's cyber-intelligence team shared with BleepingComputer, ToddleShark exhibits polymorphic traits and is designed for prolonged espionage activities. The malware utilizes legitimate Microsoft binaries to evade detection, modifies registry settings to weaken security defenses, and establishes persistent access through scheduled tasks, facilitating ongoing data theft and exfiltration.

  • Mar 05, 2024

    • Eastern Europe
    • Europe
    • Russia
    • Government

    Ukraine claims it hacked Russian Ministry of Defense servers

    The Main Intelligence Directorate (GUR) of Ukraine's Ministry of Defense asserts that it successfully breached the servers of the Russian Ministry of Defense (Minoborony), extracting sensitive documents in a purported "special operation" conducted by its cyber-specialists. The obtained data includes software details, secret service documents, and information on the organizational structure and personnel of Minoborony, including documents belonging to Russian Deputy Minister of Defense, Timur Vadimovich Ivanov. Despite the release of screenshots as evidence, the authenticity remains unverified, with BleepingComputer awaiting comment from the Russian Ministry of Defense. The GUR previously claimed similar unconfirmed breaches into other Russian institutions, but unlike past incidents involving operational disruption, no such claims were made in this latest breach.

  • Mar 04, 2024

    • United States
    • Russia
    • leak
    • Pentagon
    • Discord
    • Ukraine

    Guilty Plea Expected in High-Profile Pentagon Leak Case

    Jack Teixeira, a Massachusetts Air National Guard member accused of leaking highly classified military documents on Discord, is expected to plead guilty in his federal case. This comes after Teixeira's initial not guilty plea to charges related to the willful retention and transmission of national defense information. His arrest in April highlighted serious security breaches, with leaked documents covering sensitive topics like Russia’s war in Ukraine.
