
Breaking Cyber News From Cyberint

Breaking news feed of the latest cyber incidents, breaches, vulnerabilities, malware, ransomware and so much more.

  • Apr 21, 2024

    • Global
    • Business Services
    • exclusive

    Travel Operator full access is offered for sale

    On April 17, Cyberint Argos identified a threat actor named ‘Mexicnon’ on the Forum Exploit, offering initial access to a global booking agency specializing in flights and hotels. Mexicnon claims that this access includes reservations with nearly all major airlines and hotels, sourced from various travel agencies. Additionally, the database reportedly contains over 50,000 encrypted credit card records. The price for this access is considerably higher than the average price observed in IAB's (Initial Access Broker) statistics, standing at $75,000.

  • Apr 21, 2024

    • Technology
    • Redline Stealer

    Fake cheat lures gamers into spreading infostealer malware

    A new information-stealing malware, masquerading as a game cheat called 'Cheat Lab,' is associated with the Redline malware family. It tricks users into installing it by promising a free copy if they convince friends to do the same. This malware is capable of stealing sensitive data like passwords and cryptocurrency details. McAfee researchers found that it uses Lua bytecode to evade detection and injects into legitimate processes for stealth. Despite using a command server linked to Redline, tests by BleepingComputer show different behavior, such as not stealing browser data. The malware spreads through URLs related to Microsoft's 'vcpkg' GitHub repository, appearing as cheat tool demos. Victims receive ZIP files containing an MSI installer that deploys malicious components when executed. Once installed, the malware compiles and executes Lua bytecode, establishes persistence, and communicates with a command server to send system data and screenshots. The exact infection method is unclear but likely involves malvertising, P2P downloads, or deceptive software sites. This incident underscores the risk that even downloads from reputable sources like Microsoft's GitHub can carry, and highlights the importance of avoiding unsigned executables and suspicious websites. BleepingComputer contacted Microsoft for comment but did not receive a response.

  • Apr 18, 2024

    • United States
    • North America
    • Spear Phishing
    • Phishing
    • Protocol Tunneling
    • Fin7
    • Automotive

    FIN7 targets American automaker’s IT staff in phishing attacks

    FIN7, a financially motivated threat actor, targeted a major U.S. car manufacturer through spear-phishing emails directed at IT department employees, aiming to infect systems with the Anunak backdoor. BlackBerry researchers detailed this attack from late last year, noting the use of living-off-the-land binaries, scripts, and libraries (LoLBins). The attack involved enticing targets with malicious links posing as the legitimate Advanced IP Scanner tool. The malicious URL redirected to a fake site offering a disguised executable ('WsTaskLoad.exe'), which, when executed, initiated a complex process involving DLLs, WAV files, and shellcode execution to deploy the Anunak backdoor payload. FIN7's tactics included OpenSSH installation for persistent access but did not progress to lateral movement in this campaign. BlackBerry emphasizes defense strategies like phishing awareness training, multi-factor authentication (MFA), strong passwords, software updates, network monitoring, and advanced email filtering to protect against such threats.

  • Apr 17, 2024

    • CVE-2023-1389
    • Exploits
    • Archer AX21

    Multiple botnets exploiting one-year-old TP-Link flaw to hack routers

    Multiple botnet malware operations are actively targeting TP-Link Archer AX21 (AX1800) routers vulnerable to CVE-2023-1389, a command injection flaw discovered in January 2023 and addressed by TP-Link through firmware updates in March 2023. This vulnerability allows unauthenticated command injection via the locale API accessible through the router's web management interface. Despite security advisories and patches, several botnets, including variants of Mirai (1, 2, 3), "Condi," Moobot, Miori, AGoent, and a Gafgyt variant, are exploiting this flaw to compromise devices. These botnets use different methods to exploit the vulnerability, ranging from downloading and executing scripts to initiating DDoS attacks and maintaining persistence on compromised devices. Fortinet's telemetry data shows a surge in infection attempts exceeding 40,000 daily since March 2024. Users are strongly advised to update their router firmware following vendor instructions, change default passwords, and disable unnecessary web access to the admin panel to mitigate risks associated with this vulnerability.

  • Apr 15, 2024

    • Middle East
    • Muddywater
    • Israel
    • Darkbeatc2
    • Asia

    Iranian MuddyWater APT Adopt New C2 Tool 'DarkBeatC2' in Latest Campaign

    The Iranian threat group MuddyWater has been linked to a new command-and-control (C2) infrastructure named DarkBeatC2, adding to their previous tools like SimpleHarm, MuddyC3, PhonyC2, and MuddyC2Go. According to Deep Instinct's Simon Kenin, while MuddyWater occasionally adopts new remote administration tools or modifies their C2 framework, their methods generally remain consistent. Microsoft's previous research has also connected MuddyWater with another Iranian threat group known as Storm-1084 (or DarkBit), which has been involved in destructive wiper attacks targeting Israeli organizations. The latest attack campaign, detailed by Proofpoint, starts with spear-phishing emails sent from compromised accounts containing links or attachments hosted on platforms like Egnyte to distribute the Atera Agent software. One of the URLs in question is "kinneretacil.egnyte[.]com," where the subdomain "kinneretacil" refers to "kinneret.ac.il," an educational institution in Israel and a customer of Rashim. Rashim was breached by Lord Nemesis (also known as Nemesis Kitten or TunnelVision) as part of a supply chain attack targeting the academic sector in the country. Lord Nemesis is suspected of being a "faketivist" operation against Israel. Notably, Nemesis Kitten is associated with Najee Technology, a private contracting company within Mint Sandstorm backed by Iran's Islamic Revolutionary Guard Corps (IRGC), which was sanctioned by the U.S. Treasury in September 2022.

  • Apr 14, 2024

    • Middle East
    • Handala
    • Israel
    • Asia
    • 99 Digital

    'Handala Hack' targets Israeli company '99 digital'

    The hacker group "Handala Hack" has announced a breach of the Israeli company "99 digital," known for offering digital customer service solutions to businesses, as part of the OPIsrael campaign. The group claimed to have infiltrated the company's admin panel and sent direct messages to its clients. Additionally, they claim to have acquired 5.2 TB of internal company data, primarily consisting of chat conversations. The group has released videos purportedly demonstrating their access to the company's internal servers as samples.

  • Apr 14, 2024

    • exclusive
    • Education
    • North America
    • United States

    USA University Initial Access offered for sale

    Cyberint Argos has detected a threat actor on the Exploit forum who offers for sale initial access, with domain admin rights, to a university in the United States. According to the actor, the institution has more than 1000 hosts and its annual revenue stands at 370k$. The offered price is 2k$.

  • Apr 14, 2024

    • Global
    • Mercenary
    • Apple

    Apple: Mercenary spyware attacks target iPhone users in 92 countries

    Apple is issuing warnings to iPhone users across 92 countries regarding a "mercenary spyware attack" aimed at remotely compromising their devices. The notifications emphasize Apple's high confidence in the threat and urge users to take it seriously, noting that the attack is likely targeting individuals based on their identities or activities. Apple recommends immediate actions such as enabling lockdown mode on devices, updating all Apple products to the latest software version, and seeking expert assistance from organizations like the Digital Security Helpline for journalists, activists, and human rights defenders. The company highlights the sophistication of such attacks, particularly mentioning the NSO Group's Pegasus kit, which is well-funded and targets specific individuals like journalists, activists, politicians, and diplomats. Despite the complexity of these attacks, Apple reassures users of its ongoing efforts to detect and notify them of potential threats. They advise affected users to stay vigilant and take preventive measures even if they have not received specific notifications from Apple.

  • Apr 14, 2024

    • arrest
    • crypto

    Ex-Amazon engineer gets 3 years for hacking crypto exchanges

    Former Amazon security engineer Shakeeb Ahmed has been sentenced to three years in prison for hacking two cryptocurrency exchanges in July 2022 and stealing over $12 million. Ahmed, who also received three years of supervised release, must forfeit $12.3 million and compensate the affected companies. The breaches targeted Nirvana Finance, a decentralized crypto exchange, and another unnamed Solana blockchain exchange, utilizing Ahmed's skills in smart contract reverse engineering. Ahmed pleaded guilty to computer fraud and faced a maximum of five years imprisonment. U.S. Attorney Damian Williams highlighted the significance of this case, emphasizing the commitment to pursuing hackers and recovering stolen assets. Ahmed's attacks involved manipulating smart contracts to falsify pricing data and exploit protocol loopholes, leading to substantial financial gains and attempts to conceal his tracks using cryptocurrency mixers and exploring strategies to avoid detection and extradition.

  • Apr 14, 2024

    • arrest
    • rat

    Firebird RAT creator and seller arrested in the U.S. and Australia

    A joint operation by the Australian Federal Police (AFP) and the FBI resulted in the arrest and charging of two individuals linked to the development and distribution of the "Firebird" remote access trojan (RAT), later rebranded as "Hive." The RAT, though not widely recognized, potentially impacted users globally. The Firebird RAT was promoted on a dedicated website as a remote administration tool, highlighting features like stealthy access and password recovery, targeting prospective buyers. An Australian man, accused of developing and selling the RAT on a hacking forum, faces twelve charges related to computer offenses. Meanwhile, Edmond Chakhmakhchyan from California, known as "Corruption," allegedly marketed the Hive RAT, facilitated Bitcoin transactions, and provided support to purchasers. Chakhmakhchyan has pleaded not guilty to multiple charges, including conspiracy and unauthorized data access, with sentencing set for June 4, 2024. The Australian suspect is scheduled to appear in court on May 7, 2024, facing up to 36 years in prison if convicted.

  • Apr 11, 2024

    • Middle East
    • Israel
    • Anonymous
    • Israel Ministry Of Justice
    • Asia

    Israeli Ministry of Justice Cyber-Attack By Anonymous: Second Batch of Data Released

    Following last week's cyber attack on the Israeli Ministry of Justice carried out by Anonymous, during which the group claimed to have removed servers and stolen around 300GB of data, today the group has released the second batch of the stolen data. This compromised data reportedly includes internal and private documents containing details about employees, judges, personally identifiable information (PII), official letters, agreements, and more. The group has indicated that additional batches are anticipated to be disclosed in the coming days.

  • Apr 10, 2024

    • Starry Addax
    • Flexstarling

    Threat actors targeting human rights activists in Morocco and Western Sahara

    Human rights activists in Morocco and the Western Sahara region are facing a new threat actor named Starry Addax, identified by Cisco Talos, which employs phishing tactics to distribute malicious Android apps and credential harvesting pages for Windows users. This campaign primarily targets activists associated with the Sahrawi Arab Democratic Republic (SADR). Starry Addax's infrastructure includes domains designed to trick both Android and Windows users into installing malware or revealing credentials on fake social media login pages. Talos, actively investigating the campaign, refrains from disclosing specific targeted websites. The threat actor, operational since January 2024, sends spear-phishing emails prompting victims to install a decoy app or visit credential harvesting pages. The associated Android malware, FlexStarling, is advanced, capable of delivering additional malware components and stealing sensitive data while operating stealthily under Firebase-based command-and-control to avoid detection. Talos highlights the campaign's custom-made infrastructure and malware, signaling a focused effort to target human rights activists distinct from using off-the-shelf spyware or malware.

  • Apr 10, 2024

    • exclusive
    • Cryptocurrency

    Crypto Leak 2023 offered for sale

    Cyberint Argos found a threat actor on the XSS forum who offers for sale a full database of cryptocurrency users from Coinbase, Binance and Blockchain. The number of users per source: Coinbase: 280k, Binance: 130k, Blockchain: 31k. The threat actor also offers samples to validate the data, with a URL and a username for login.

  • Apr 09, 2024

    • The Returnees
    • Middle East
    • Israel
    • Critical Infrastructures
    • Manufacturing
    • Asia
    • Energy Infrastructures Ltd
    • Ramat-Hovav Pharmaceutical Industries

    'The Returnees' group targeting several Israeli companies

    The Muslim hacktivist group 'The Returnees' is targeting Israeli companies as part of the OP Israel campaign. The group claimed to have obtained internal information of the energy company "Energy Infrastructures Ltd" and the pharmaceutical company "Ramat-Hovav Pharmaceutical Industries". According to the group, the data is slated for release on April 9th. At this point, the companies have not released an official statement, and therefore it is not clear whether the attacks occurred. "The Returnees" emerged in October 2023, following the conflict in Gaza, establishing their Telegram channel.

  • Apr 09, 2024

    • Media
    • North America
    • United States
    • exclusive
    • Snapchat

    SNAPCHAT EMPLOYEE ACCESS - XSS

    Cyberint Argos platform detected a threat actor in the underground forum XSS selling access to a Snapchat employee account, which they claim can be leveraged to access any other user within Snapchat, for the price of $20k.

  • Apr 08, 2024

    • Media
    • North America
    • United States
    • exclusive
    • Snapchat

    SNAPCHAT EMPLOYEE ACCESS - XSS

    Hello, I'm selling access to a Snapchat employee account. From here you can request access to any user's information (takes between 5-15 minutes to get approved). Change details whenever your request to access the information gets approved (changes instantly). Accept reports for specific accounts (you could report an account and approve the report and the account would get banned). Review Spotlight posts (delete and modify descriptions). Price: 20K$. Contact me for more details and proof, I have 2 accesses available.

  • Apr 04, 2024

    • North America
    • United States
    • Technology
    • Vmware
    • Sexi Ransomware

    Hosting firm's VMware ESXi servers hit by new SEXi ransomware

    IxMetro Powerhost, a Chilean data center and hosting provider, fell victim to a ransomware attack perpetrated by a new group named SEXi, resulting in the encryption of their VMware ESXi servers and backups. PowerHost, operating across the USA, South America, and Europe, notified customers of the attack, which occurred over the weekend, causing downtime for clients using the affected servers. Despite efforts to restore data from backups, the company encountered obstacles as the backups themselves were encrypted. Negotiations with the ransomware group ensued, with the attackers demanding two bitcoins per victim, amounting to a staggering $140 million, according to PowerHost's CEO.

  • Apr 04, 2024

    • Apt38
    • Crypto Exchange Upbit

    Crypto exchange Upbit confirms theft of 342,000 ETH - APT38

    Lazarus has been responsible for numerous cryptocurrency exchange attacks, such as the 2019 UpBit hack, which netted them more than $49 million worth of cryptocurrency.

  • Apr 04, 2024

    • Pikabot
    • Global

    Distinctive Campaign Evolution of Pikabot Malware

    In February 2024, McAfee Labs noted a substantial shift in the distribution campaigns of Pikabot. Pikabot's dissemination involves employing various file types, a tactic influenced by the specific objectives and characteristics of the attack. Utilizing multiple file formats enables attackers to exploit a wide range of attack vectors, leveraging potential vulnerabilities inherent in different formats. This approach aims to increase the likelihood of success while evading detection by security software, as different file types may be detected or analyzed differently, thus circumventing specific security measures.

  • Apr 03, 2024

    • exploit
    • vulnerability
    • wordpress
    • global

    Critical Security Flaw Found in Popular LayerSlider WordPress Plugin

    A critical security vulnerability in the LayerSlider plugin for WordPress (CVE-2024-2879) allowed attackers to conduct SQL injection attacks, potentially extracting sensitive data like password hashes. This flaw, rated 9.8 out of 10, affected versions 7.9.11 through 7.10.0 but was patched in version 7.10.1 released on March 27, 2024. LayerSlider, a popular visual web content editor used by millions globally, failed to adequately escape user parameters, enabling attackers to insert malicious SQL queries. Similarly, an XSS flaw (CVE-2024-1852, CVSS: 7.2) was found in the WP-Members Membership Plugin, allowing arbitrary JavaScript execution. These vulnerabilities underscore ongoing security challenges in WordPress plugins, with recent disclosures affecting Tutor LMS (CVE-2024-1751, CVSS: 8.8) and Contact Form Entries (CVE-2024-2030, CVSS: 6.4), posing risks of information disclosure and script injection, respectively.

  • Apr 03, 2024

    • Unapimon
    • Global
    • Dll Side-Loading
    • Apt41

    APT41 new UNAPIMON tool hides malware from security software

    The Chinese cyber espionage group Winnti, also known as APT41, has deployed a previously undisclosed malware called UNAPIMON to facilitate undetectable execution of malicious processes. Trend Micro uncovered this operation, linking it to a cluster named 'Earth Freybug.' UNAPIMON, delivered as a DLL file, utilizes Microsoft Detours to bypass security by unhooking critical API functions, allowing it to conceal its activities. The malware employs a unique method involving DLL side-loading to inject itself into legitimate processes, enabling evasion of security measures. Trend Micro emphasizes the simplicity and ingenuity of UNAPIMON, highlighting its use of common tools like Microsoft Detours for malicious purposes, ultimately underscoring the sophistication of the threat actor behind it.

  • Apr 02, 2024

    • Amos
    • Cryptocurrency

    Threat Actors Target macOS Users with Malicious Ads Spreading Stealer Malware

    Malicious advertisements and counterfeit websites are facilitating the distribution of two distinct stealer malware, Atomic Stealer, and another unnamed malware targeting Apple macOS users. These infostealer attacks aim to pilfer sensitive data, with one attack vector involving fake ads for Arc Browser on search engines, redirecting users to malicious sites like "airci[.]net" to download the malware-laden "ArcSetup.dmg" disk image. Atomic Stealer, known for its deceptive password prompts, is delivered through this method. Another attack employs a fake website, meethub[.]gg, posing as a group meeting scheduler, to install a different stealer malware targeting keychain data and web browser credentials. Victims, often in the cryptocurrency industry, are lured under false pretenses, emphasizing the need for heightened vigilance among such individuals. Additionally, Moonlock Lab reported the use of malicious DMG files to deploy another stealer malware variant, leveraging obfuscated AppleScript and bash payloads to extract credentials, underscoring the evolving threat landscape for macOS users.

  • Apr 02, 2024

    • CVE-2024-3094

    Secret Backdoor Found in XZ Utils Library, Impacts Major Linux Distros

    Red Hat issued an "urgent security alert" regarding XZ Utils, a data compression library, revealing that versions 5.6.0 and 5.6.1 have been compromised with malicious code facilitating unauthorized remote access. Tracked as CVE-2024-3094, the backdoor, with a CVSS score of 10.0, manipulates the liblzma build process to modify specific functions, potentially allowing attackers to intercept and alter data interactions. Specifically targeting the sshd daemon process, the code aims to bypass authentication and execute arbitrary payloads through SSH, effectively seizing control of victim machines. Discovered by Microsoft engineer Andres Freund, the heavily obfuscated code was introduced over four commits by a GitHub user named Jia Tan. While GitHub has disabled the XZ Utils repository, no active exploitation has been reported, and the compromised packages are limited to Fedora 41 and Fedora Rawhide, sparing other Linux distributions like Debian, Ubuntu, and Red Hat Enterprise Linux from impact.

  • Apr 01, 2024

    • global
    • supplychain

    Threat Actors Hijack GitHub Accounts in Supply Chain Attack Affecting Top-gg and Others

    A complex attack campaign targeted individual developers and the GitHub organization account of Top.gg, a Discord bot discovery site, employing various tactics such as account takeover via stolen browser cookies, contributing malicious code with verified commits, setting up a custom Python mirror, and publishing tainted packages to the PyPI registry. This supply chain attack resulted in the theft of sensitive data like passwords and credentials. The adversaries exploited a typosquat domain to host trojanized versions of popular packages like colorama, distributed through GitHub repositories. The campaign, which began in November 2022, aimed to compromise Python environments by injecting malware into dependencies. The rogue packages, including "yocolor," executed multi-stage infection sequences to establish persistence, steal data from browsers and crypto wallets, and transfer the captured data to the attackers. This incident underscores the need for thorough vetting of dependencies and robust security measures to prevent similar attacks in the future.

  • Apr 01, 2024

    • Southern Asia
    • Energy, Utilities & Waste
    • Energy
    • Asia
    • India

    Threat Actors Hit Indian Defense, Energy Sectors with Malware Posing as Air Force Invite

    Unknown threat actors have targeted Indian government entities and energy companies by distributing a modified version of the HackBrowserData malware via phishing emails disguised as Indian Air Force invitation letters. Utilizing Slack channels as command-and-control (C2) points, the attackers have exfiltrated sensitive information, including internal documents and cached web browser data. Dubbed Operation FlightNight, the campaign, detected by EclecticIQ on March 7, 2024, encompasses various Indian government sectors and private energy firms, resulting in the theft of financial documents, employee details, and information on oil and gas drilling activities. The malware, a variant of HackBrowserData, not only steals browser data but also captures documents and communicates via Slack, leveraging obfuscation techniques for evasion. The threat actor's tactics mirror those observed in a previous phishing campaign targeting the Indian Air Force, indicating a consistent modus operandi aimed at exploiting enterprise infrastructure like Slack to facilitate cyber espionage and data theft.

  • Apr 01, 2024

    • targetcompany
    • breach
    • exclusive

    Japanese Software Company DB Offered for Sale

    A threat actor is offering for sale a compromised database of a Japanese software company, containing 131GB of data including:

    • Private internal emails
    • Communication messages
    • Source code
    • Customer data
    • Financial data
    • And more

    The information has not yet been reported in the news. This intel item was discovered on the well-known Russian hacking forum XSS.

  • Mar 20, 2024

    • China
    • United States
    • Islamic Republic Of Iran
    • Critical Infrastructures

    White House and EPA Address Rising Cyber Threats to National Water Infrastructure

    The White House and EPA have issued a warning regarding cyberattacks on the nation's water systems, emphasizing the need for enhanced cybersecurity measures. U.S. National Security Advisor Jake Sullivan and EPA Administrator Michael Regan alerted governors about the escalating threats and called for collaborative efforts to defend and recover water systems from such attacks. This initiative includes the creation of a Water Sector Cybersecurity Task Force aimed at identifying strategies to mitigate cyber threats, following incidents involving Iranian and Chinese threat actors breaching U.S. water infrastructure.

  • Mar 20, 2024

    • Global
    • Firebase
    • vulnerability

    19 Million Plaintext Passwords Exposed Due to Firebase Misconfigurations

    A significant security lapse involving misconfigured Firebase instances was discovered, leading to the exposure of nearly 19 million plaintext passwords among over 125 million sensitive user records. The exposed data, found across 916 websites due to inadequate security settings, included emails, names, phone numbers, and billing details. Despite attempts to alert affected companies, the response was minimal, though some corrected the issue.

  • Mar 17, 2024

    • arrest
    • marketplace

    Admin of major stolen account "E-Root" marketplace gets 42 months in prison

    Moldovan national Sandu Boris Diaconu, known by aliases 'utmsandu,' 'sandushell,' 'rootarhive,' and 'WinD3str0y,' has been sentenced to 42 months in prison followed by 3 years of supervised release for his involvement in operating E-Root, a significant online marketplace selling access to hacked computers globally. Diaconu pleaded guilty in December to charges including conspiracy to commit access device and computer fraud and possession of unauthorized access devices. He attempted to flee but was arrested in the U.K. in May 2021 after E-Root's domains were seized. Extradited to the U.S. in October 2023, Diaconu's involvement in the marketplace, which facilitated various illegal activities such as ransomware attacks and tax fraud schemes, was revealed. The marketplace provided buyers with compromised credentials for accessing systems, facilitated transactions using Perfect Money to obscure payment trails, and operated like a legitimate e-commerce platform, boasting quality customer service and warranty policies.

  • Mar 17, 2024

    • Global
    • CVE-2024-23334
    • Shadowsyndicate

    ShadowSyndicate exploits aiohttp bug to find vulnerable networks

    ShadowSyndicate, a ransomware actor, has been targeting servers vulnerable to CVE-2024-23334, a directory traversal vulnerability found in the aiohttp Python library widely used by tech firms, web developers, and data scientists for high-performance web applications. This vulnerability, affecting aiohttp versions 3.9.1 and older, was patched in aiohttp version 3.9.2 released on January 28, 2024. The flaw allows unauthorized access to files outside the server's static root directory due to inadequate validation settings. Exploitation attempts surged in February and March, with a researcher releasing a proof of concept exploit on GitHub and a corresponding instructional video on YouTube. Cyble's threat analysts noted scanning activities from five IP addresses, one previously linked to ShadowSyndicate by Group-IB in a September 2023 report.

  • Mar 14, 2024

    • exploit
    • vulnerability
    • campaign
    • malware

    Threat actors exploit Windows SmartScreen flaw to drop DarkGate malware

    DarkGate malware operation has launched a new series of attacks exploiting a recently patched vulnerability in Windows Defender SmartScreen to circumvent security measures and install counterfeit software installers automatically. This flaw, identified as CVE-2024-21412, enables attackers to evade SmartScreen warnings by utilizing specially crafted downloaded files, such as Windows Internet shortcuts pointing to remote SMB shares. Microsoft addressed this issue in mid-February after it was exploited by the financially motivated Water Hydra hacking group to distribute DarkMe malware. However, Trend Micro analysts have revealed that DarkGate operators are now leveraging the same vulnerability, indicating a concerning trend in malware evolution. This development is notable as DarkGate, alongside Pikabot, has become increasingly prominent in the wake of QBot's disruption last summer, serving as a preferred tool for various cybercriminals in malware distribution endeavors.

  • Mar 13, 2024

    • Middle East
    • Handala
    • Israel
    • Rotec Water
    • exclusive
    • Asia

    "Handala" claimed to have hacked Israeli company "Rotec Water"

    Cyberint Argos platform discovered that the Iran-affiliated hacktivist group "Handala", a recently emerged pro-Palestinian hacktivist group, claimed to have hacked "Rotec Water", an Israeli company that develops technologies for the water treatment industry. According to the group, they have obtained more than 79GB of internal company data. The group has published samples from the stolen data, such as blueprints, a screenshot of an order confirmation, and photos that appear to have been taken at the company's factories. Rotec Water has not yet confirmed the attack; therefore it remains unclear whether the information provided by the group is accurate.

  • Mar 13, 2024

    • United States
    • Education
    • Akira

    Ransomware Attack at Stanford University Exposes Data of 27,000

    Stanford University disclosed that the personal data of 27,000 individuals was stolen during a ransomware attack on its Department of Public Safety network. The breach, occurring between May and September 2023, led to the theft of sensitive personal information, potentially including dates of birth, Social Security numbers, and more. The Akira ransomware gang claimed responsibility for leaking the data on their dark web site. This incident is part of a concerning trend of cyberattacks against educational institutions.

  • Mar 13, 2024

    • Philippines
    • Technology
    • Acer
    • Ph1Ns

    Acer's Employee Data in the Philippines Leaked

    Acer confirmed that data of its employees in the Philippines was leaked online after an attack on a third-party vendor responsible for managing the company's employee attendance data. The data breach, publicized by a threat actor named 'ph1ns' on a hacking forum, involved no ransomware or encryption, purely constituting data theft. Acer assured that customer data was unaffected and their systems remained secure. The company has notified appropriate legal and cybersecurity authorities in the Philippines, and an investigation is ongoing.

  • Mar 11, 2024

    • vulnerability
    • global

    Critical Fortinet flaw may impact 150,000 exposed devices

    Approximately 150,000 Fortinet FortiOS and FortiProxy secure web gateway systems have been found vulnerable to CVE-2024-21762, a critical security flaw enabling code execution without authentication. CISA (the U.S. Cybersecurity and Infrastructure Security Agency) has confirmed active exploitation of this vulnerability, listing it in its Known Exploited Vulnerabilities (KEV) catalog. Despite Fortinet's efforts to address the issue, nearly 150,000 vulnerable devices were identified globally by the Shadowserver Foundation. Piotr Kijewski from Shadowserver notes that while their scans detect vulnerable versions, the actual number of affected devices may be lower if administrators have applied mitigations. The vulnerability, with a severity score of 9.8 according to NIST, allows remote attackers to exploit it by sending specially crafted HTTP requests. The majority of vulnerable devices, over 24,000, are located in the United States, with significant numbers also found in India, Brazil, and Canada. Details regarding threat actors exploiting CVE-2024-21762 are limited, potentially indicating either discreet attacks by sophisticated adversaries or low visibility of such activity on public platforms. Additionally, organizations can assess their exposure using a Python script developed by BishopFox. FortiOS, Fortinet's operating system, provides security features like protection against DoS attacks, IPS, firewall, and VPN services across various security devices. FortiProxy, on the other hand, offers secure web proxy functionality with defense mechanisms against web and DNS-based threats, incorporating antivirus, intrusion prevention, and client browser isolation features.

  • Mar 11, 2024

    • insider
    • google

    Google Engineer Steals AI Trade Secrets for Chinese Companies

    Former Google software engineer Linwei Ding, also known as Leon Ding, has been charged by the US Justice Department with allegedly stealing trade secrets related to artificial intelligence from the company. The stolen information was purportedly intended for use at two AI-related firms in China with which Ding was associated. If found guilty, Ding faces a maximum sentence of 10 years in prison and a fine of $250,000 for each of the four counts of trade secret theft on which he is indicted. The pilfered data reportedly includes chip architecture and software design specifications for new tensor processor versions, technical details of GPUs used in Google's supercomputing data centers, and software design specifications for the central cluster management system at these facilities.

  • Mar 11, 2024

    • Russia
    • Nebula
    • exclusive
    • Eastern Europe
    • Europe
    • Government

    Nebula Claims Attack on Moscow's Government

    Cyberint Argos Platform detected Nebula, a hacktivist group, claiming to have encrypted several Russian government systems related to the upcoming election. According to Nebula, all internal systems, including all databases, email servers and workstations, have been encrypted for ransom.

  • Mar 10, 2024

    • CVE-2023-41265
    • Commerce And Magento Open Source
    • CVE-2022-24086
    • CVE-2023-41266
    • CVE-2023-46805
    • CVE-2024-2188
    • CVE-2024-21887

    Magnet Goblin hackers use 1-day flaws to drop custom Linux malware

    The financially motivated hacking group Magnet Goblin is exploiting newly disclosed vulnerabilities, known as 1-day flaws, to infiltrate public-facing servers and install custom malware on both Windows and Linux systems. These vulnerabilities, for which patches have already been issued, are exploited swiftly by Magnet Goblin, sometimes within a day of disclosure. The group targets a variety of devices and services, including Ivanti Connect Secure, Apache ActiveMQ, ConnectWise ScreenConnect, Qlik Sense, and Magento. Once breached, servers are infected with custom malware such as NerbianRAT, MiniNerbian, and a customized version of the WARPWIRE JavaScript stealer.

  • Mar 07, 2024

    • Middle East
    • Israel
    • Algosec
    • Ddarknotevil
    • exclusive
    • Asia

    Leaked database of an Israeli computer and network security company "AlgoSec" offered for sale

    Cyberint Argos Platform detected that a threat actor group named "Ddarknotevil" is offering for sale a 227GB database belonging to clients of the Israeli computer and network security company "AlgoSec". According to the threat actor, the data contains 7K rows of contact records in .xlsx format that were stolen from "AlgoSec". The asking price for the database is $2,500. The threat actor also posted screenshots from the database as samples.

  • Mar 07, 2024

    • Retail
    • Petsmart
    • United States

    Credential Stuffing Alert: PetSmart Takes Action to Protect User Accounts

    PetSmart, a leading retailer providing a wide range of pet-related products, services, and solutions, has proactively warned its customers about credential stuffing attacks targeting user accounts. These attacks leverage exposed or previously breached credentials, and in response, PetSmart reset passwords for accounts that logged in during the attack period.

  • Mar 07, 2024

    • Fbi
    • Alphv
    • United States
    • ransomware

    BlackCat Ransomware Gang Claims FBI Seizure in Exit Scam

    The BlackCat ransomware gang has carried out an exit scam, falsely claiming that the FBI seized its infrastructure and announcing that it would sell its malware source code for $5 million. Despite the gang blaming law enforcement, investigations revealed no such intervention; the gang's own actions, including shutting down its Tor data leak blog and negotiation servers, point to a deliberate exit scam. Previously known for significant attacks and evolving extortion tactics, the gang's abrupt closure and deceptive behaviour mark a notable end to its operations, leaving questions about its future activities under a cloud of distrust.

  • Mar 05, 2024

    • Apt43
    • Global
    • Toddleshark

    New ToddleShark malware introduced through exploitation of ScreenConnect vulnerabilities

    The North Korean APT hacking group Kimsuky, also known as Thallium and Velvet Chollima, is exploiting vulnerabilities in ScreenConnect, specifically CVE-2024-1708 and CVE-2024-1709, to distribute a new malware variant named ToddleShark. These hackers are notorious for cyber espionage campaigns targeting various organizations and governments globally. They are taking advantage of authentication bypass and remote code execution flaws disclosed by ConnectWise on February 20, 2024. Public exploits for these vulnerabilities emerged the following day, leading to swift adoption by threat actors, including ransomware groups. According to an upcoming report from Kroll's cyber-intelligence team shared with BleepingComputer, ToddleShark exhibits polymorphic traits and is designed for prolonged espionage activities. The malware utilizes legitimate Microsoft binaries to evade detection, modifies registry settings to weaken security defenses, and establishes persistent access through scheduled tasks, facilitating ongoing data theft and exfiltration.

  • Mar 05, 2024

    • Eastern Europe
    • Europe
    • Russia
    • Government

    Ukraine claims it hacked Russian Ministry of Defense servers

    The Main Intelligence Directorate (GUR) of Ukraine's Ministry of Defense asserts that it successfully breached the servers of the Russian Ministry of Defense (Minoborony), extracting sensitive documents in a purported "special operation" conducted by its cyber-specialists. The obtained data includes software details, secret service documents, and information on the organizational structure and personnel of Minoborony, including documents belonging to Russian Deputy Minister of Defense, Timur Vadimovich Ivanov. Despite the release of screenshots as evidence, the authenticity remains unverified, with BleepingComputer awaiting comment from the Russian Ministry of Defense. The GUR previously claimed similar unconfirmed breaches into other Russian institutions, but unlike past incidents involving operational disruption, no such claims were made in this latest breach.

  • Mar 04, 2024

    • United States
    • Russia
    • leak
    • Pentagon
    • Discord
    • Ukraine

    Guilty Plea Expected in High-Profile Pentagon Leak Case

    Jack Teixeira, a Massachusetts Air National Guard member accused of leaking highly classified military documents on Discord, is expected to plead guilty in his federal case. This comes after Teixeira's initial not guilty plea to charges related to the willful retention and transmission of national defense information. His arrest in April highlighted serious security breaches, with leaked documents covering sensitive topics like Russia’s war in Ukraine.

  • Mar 03, 2024

    • Telecommunications
    • Philippines

    8GB+ Subscriber Data of a Philippine Telco Allegedly Leaked and Sold on the Dark Web

    On February 9, 2024, a threat actor advertised an alleged 8GB+ database leak containing subscriber data from a Philippine telecommunications company on a "Leak Forum." The ad was removed after another threat actor claimed to have purchased the database. A 10-second video shared by the buyer revealed personally identifiable information (PII) such as names, addresses, and map coordinates of subscribers.

  • Mar 03, 2024

    • Finance
    • Business Services
    • Phishing
    • Energy
    • Philippines

    Major Electric Utility Provider's SMS Service Used in Smishing Campaign

    A widespread smishing campaign targeted a major local bank in the Philippines on February 27, 2024. The perpetrators are believed to have exploited the compromised SMS sender ID of a leading local electric distribution utility to run the phishing campaign. The electric company serves a substantial area, encompassing a significant portion of Metro Manila and surrounding provinces, with a customer base estimated in the millions across its distribution area. As of writing, the utility company has blocked use of its SMS sender ID, and the two major telcos have also blocked messages coming from that sender ID as an added precaution. Account takeover of SMS services is a tactic several threat actors have used to bypass the added protections and laws implemented by telcos and the government; with a legitimate sender ID, threat actors have a higher chance of fooling unsuspecting victims.

  • Mar 03, 2024

    • Cryptochameleon
    • Binance
    • Coinbase
    • Cryptocurrency

    Advanced Phishing Attacks Hit FCC and Crypto Firms

    Threat actors have launched sophisticated phishing attacks targeting FCC and cryptocurrency platforms like Binance and Coinbase through a new phishing kit named CryptoChameleon. This campaign utilizes convincingly replicated Okta single sign-on pages and targets victims via email, SMS, and voice phishing to steal sensitive information, including login credentials and photo IDs. The operation, which mimics the 2022 Oktapus campaign, employs real-time interaction with victims for MFA bypass and uses domains closely mimicking those of legitimate entities to enhance its deceit.

  • Mar 03, 2024

    • arrest
    • Germany
    • Crimemarket

    Major German Dark Web Market Dismantled in Nationwide Raid

    German authorities have successfully dismantled Crimemarket, a prominent German-speaking cybercrime marketplace, arresting six individuals and seizing over 180,000 user accounts. This operation was the culmination of extensive investigations, targeting the trading of illegal drugs, cybercrime services, and tutorials for committing various crimes. The crackdown involved executing 102 search warrants across Germany, leading to significant seizures of drugs, cash, and digital evidence. This marks a major blow to the cybercrime ecosystem within the country, highlighting the effectiveness of coordinated law enforcement efforts.

  • Feb 29, 2024

    • Global
    • Microsoft
    • CVE-2024-21338
    • Lazarus

    Lazarus Group's Exploitation of Windows Security Vulnerability CVE-2024-21338

    The Lazarus threat actor group exploited a vulnerability in the Windows AppLocker driver (appid.sys) to gain kernel-level access and disable security measures without relying on noisy BYOVD (Bring Your Own Vulnerable Driver) techniques. The flaw, tracked as CVE-2024-21338, was patched by Microsoft in the February 2024 updates, although it was not classified as an exploited zero-day at the time. Lazarus used the exploit to enhance its FudModule rootkit, first spotted by ESET in 2022, with improved stealth and functionality, including detection evasion and the disabling of security tools such as Microsoft Defender and CrowdStrike Falcon.

  • Feb 29, 2024

    • Middle East
    • Israel
    • The Hebrew University Of Jerusalem
    • Anonymous Sudan
    • Bar Ilan University
    • Weizmann Institute Of Science
    • Ben-Gurion University
    • exclusive
    • Education
    • Asia
    • Technion Israel Institute Of Technology

    Anonymous Sudan continues its broad campaign against all Israeli universities

    Starting from 28.2.24, Anonymous Sudan has launched a broad DDoS campaign against all Israeli universities. The universities mentioned by the group include:

    • Tel-Aviv University
    • The Hebrew University
    • The Technion University
    • Haifa University
    • Bar Ilan University
    • Ben-Gurion University
    • Weizmann Institute of Science

    According to the group, the campaign was conducted via the tool the group offers for sale, named '@Infrashutdown'. It was also reported that several universities did experience disruptions to their online services and infrastructure.
