Breaking Cyber News From Cyberint

Breaking news feed of the latest cyber incidents, breaches, vulnerabilities, malware, ransomware and so much more.

  • Feb 22, 2024

    • marketplace
    • Global
    • exclusive
    • Exodus

    The New “Exodus” Marketplace

    Cyberint Argos platform detected the "Exodus" marketplace, a recently emerged dark web marketplace positioning itself to become one of the key players in the info stealer logs market. Launched in January 2024, it had by mid-February begun to draw attention on several dark web forums as a potential competitor to established names like Russian Market and 2easy Shop. Exodus's introduction follows the shutdown of Genesis Market by the FBI in April 2023, once a leading marketplace in the dark web ecosystem. The sale offering of Genesis's infrastructure on dark web forums, followed by its purchase, suggests a potential link to the rapid emergence of Exodus. Offering logs from information stealers and malware, Exodus poses a significant risk to the security of individuals and organizations alike.

  • Feb 22, 2024

    • Global
    • Ssh-Snake

    New SSH Worm Utilizes Open-Source Tool for Lateral Movement

    SSH-Snake, an open-source network mapping tool turned malicious "self-modifying worm," has been discovered being used to stealthily search for and exploit private SSH keys within victim infrastructures. Unlike traditional SSH worms, SSH-Snake evades detection by avoiding scripted attack patterns and rigorously searches for private keys across various files and directories, including shell history. Released on January 4, 2024, it autonomously navigates through breached systems to propagate itself using found SSH credentials. Its self-modifying capability allows it to become smaller and more efficient upon initial execution by stripping unnecessary components. SSH-Snake's versatility and adaptability in key discovery methods mark it as a significant evolutionary step in malware targeting secure corporate networks.

  • Feb 22, 2024

    • Finance
    • Latin America And The Caribbean
    • Google

    Threat Actors Leverage Google Cloud Run for Banking Trojan Distribution

    A sophisticated campaign was discovered in which threat actors are misusing Google Cloud Run to disseminate banking trojans such as Astaroth, Mekotio, and Ousaban. Starting from September 2023, threat actors have been deploying malware through phishing emails and MSI installer files hosted on the service, exploiting its cost-effectiveness and ability to evade standard security measures. The threat actors primarily target Latin American countries, employing deceptive emails that mimic legitimate financial or government correspondence. Once the victim engages with these emails, they are led to download malicious MSI files that eventually download and execute banking trojans capable of stealing sensitive financial data and credentials. These trojans have been observed to target a wide range of financial institutions and even cryptocurrency exchange services, employing techniques like keylogging and screen capture to fulfill their objectives.

  • Feb 22, 2024

    • Knight
    • Global
    • ransomware

    Knight Ransomware 3.0 Source Code Offered on Dark Web Forum

    The Knight ransomware operation, a rebrand of the Cyclops group known for targeting diverse operating systems, has put its version 3.0 source code on sale exclusively for a single buyer on the RAMP dark web forum. This iteration, launched in November 2023, features enhanced encryption speeds and improved support for newer ESXi versions, marking a significant update from its predecessors. The sale was advertised by a user named Cyclops, believed to be a representative of the ransomware group, who did not disclose a price but stressed the exclusivity of the sale to maintain the code's value.

  • Feb 22, 2024

    • Connectwise
    • Global
    • vulnerability

    Urgent Patch Required: ConnectWise ScreenConnect Vulnerabilities Exposed

    ConnectWise has issued an urgent warning to its customers to patch their ScreenConnect servers immediately due to a critical flaw that enables remote code execution (RCE) attacks through an authentication bypass weakness. This vulnerability, alongside a path traversal flaw that demands higher privileges for exploitation, affects all servers running ScreenConnect version 23.9.7 or earlier.

  • Feb 21, 2024

    • Defense
    • Lazarus Group
    • South Korea
    • Chainalysis
    • Kimsuky
    • Germany
    • United States

    North Korean State-Sponsored Threat Actors Target Defense Sector in Cyber Espionage Campaign

    The North Korean state-sponsored threat actors, including the infamous Lazarus Group, have been conducting a cyber espionage campaign targeting the defense sector globally. The attacks aim to steal advanced defense technologies for the enhancement of conventional and strategic weapon systems. The threat actors employ social engineering tactics through fake or compromised profiles on platforms like LinkedIn to infiltrate the defense sector and distribute malware-laden job offer documents to compromise targeted computers.

  • Feb 20, 2024

    • Europol
    • Fbi
    • Lockbit

    Global Crackdown Disrupts LockBit Ransomware Network

    In a significant international effort, law enforcement agencies from ten countries, under the banner of "Operation Cronos," have successfully disrupted the infamous LockBit ransomware operation. The collaborative action has led to the seizure of LockBit's data leak site by the UK's National Crime Agency, signaling a major setback for the cybercriminal group. Despite this, some of LockBit's dark web operations remain active. The agencies involved, including the FBI and Europol, have taken control of LockBit's infrastructure, capturing crucial data including source codes, victim information, and internal communications. This operation highlights the effectiveness of global cooperation in combating cyber threats, with further details expected to be announced in a joint press release.

  • Feb 19, 2024

    • Europe
    • Sweden
    • Northern Europe
    • exclusive
    • Turk Hack Team

    Turk Hack Team Escalates Cyber Operations Against Sweden Over Quran Desecration

    Cyberint Argos platform detected a declaration, in which the Turk Hack Team threat actor group has announced a significant escalation in cyber operations against Sweden and potentially other European countries, in response to the repeated burnings of the Holy Quran in Stockholm. According to the group, the Swedish government allows these actions, which they perceive as a deliberate allowance of desecration of the Quran, to go unheeded despite multiple warnings. The group states that they will no longer hold themselves responsible for any resulting outages or data theft affecting critical Swedish systems.

  • Feb 19, 2024

    • Asia
    • Government
    • Education
    • India
    • Garuda From Cyber
    • Southern Asia

    GARUDA FROM CYBER Targets India: Government and Educational Data Leaked

    Cyberint Argos platform detected that the GARUDA FROM CYBER threat actor group claimed responsibility for both taking down the official website of Berhampur, India, and leaking data from the Perpetual School Navelim. These recent breaches are part of a wider effort to challenge India's support for Israel.

  • Feb 19, 2024

    • Canada
    • United States
    • Google
    • North America

    Ukrainian Cyber Police Dismantle International Cybercrime Operation

    Ukrainian authorities have arrested a 31-year-old individual accused of orchestrating a sophisticated cybercrime operation that compromised bank accounts in the United States and Canada, subsequently selling the access on the dark web. Utilizing trojan software distributed through various websites he operated, and promoted via online advertising campaigns, the suspect managed to infect victims' devices to steal sensitive data. This data breach enabled the threat actor to access Google and online banking accounts, which were then sold for Bitcoin to other cybercriminals. Active since 2017 and shifting to phishing by 2021, the suspect's illicit activities have netted at least $92,000, although the actual figure is suspected to be much higher.

  • Feb 15, 2024

    • United States
    • Lockbit
    • Government
    • North America

    LockBit Ransomware Targets Fulton County, Threatens Data Leak

    The LockBit ransomware group has targeted Fulton County, Georgia, causing significant IT disruptions and threatening to release confidential documents unless a ransom is paid. Fulton County, encompassing Atlanta, faced IT outages affecting courts and tax systems. Despite the local government's efforts to restore services and assurance of sensitive data's safety, LockBit has claimed responsibility and hinted at possessing stolen data, pushing for public attention to their demands.

  • Feb 15, 2024

    • Finance
    • Android
    • Goldpickaxe
    • Global
    • Apple

    GoldPickaxe: A New Trojan Targets Biometrics for Bank Fraud

    In a sophisticated cyber campaign, the Chinese threat group GoldFactory launched 'GoldPickaxe,' a trojan targeting iOS and Android users through social engineering. GoldPickaxe deceives victims into submitting their facial scans and ID documents, potentially for creating deepfakes to gain unauthorized access to banking services. Starting in October 2023, the malware spread via phishing, primarily in the Asia-Pacific region, leveraging fake government apps to execute its operations. While exploiting device functions to capture biometric data, it notably does not compromise the secure enclave where biometric data is stored, ensuring encrypted data remains secure despite the trojan's malicious activities.

  • Feb 14, 2024

    • Fbi
    • Warzonerat
    • Global

    Warzone RAT Crackdown

    The FBI has successfully dismantled the infrastructure of the Warzone RAT malware, leading to the arrest of two individuals linked to its operation. Daniel Meli from Malta and Prince Onyeoziri Odinakachi from Nigeria were apprehended for their roles in distributing and supporting Warzone RAT, a remote access trojan involved in various cybercrimes since 2018. Authorities seized domains and server infrastructure across multiple countries, highlighting the global effort to combat this threat.

  • Feb 14, 2024

    • Lockbit
    • Bank Of America
    • Finance
    • North America
    • United States

    Bank of America Customer Data Breach

    Bank of America disclosed a data breach affecting customers after Infosys McCamish Systems, a service provider, was hacked, exposing the personal and financial information of 57,028 people. This included names, addresses, Social Security numbers, dates of birth, accounts, and credit card numbers. The breach was attributed to a cyberattack by the LockBit ransomware gang, which claimed responsibility for encrypting over 2,000 systems. Bank of America and Infosys McCamish are addressing the breach, with no direct compromise to Bank of America's systems.

  • Feb 14, 2024

    • Healthcare
    • United States
    • North America
    • Integris Health

    Integris Health Data Breach

    Integris Health, Oklahoma's largest non-profit healthcare network, suffered a data breach affecting nearly 2.4 million people. The breach, which occurred last November but was reported in December, led to the exposure of sensitive personal information, including names, birth dates, contact details, demographic information, and Social Security Numbers. The breach came to light after patients received extortion emails threatening the sale of their data unless Integris Health met the attacker's demands. Despite the breach, no network interruptions occurred, and healthcare services continued.

  • Feb 14, 2024

    • North America
    • Conti
    • Trickbot
    • Bumblebee
    • United States

    Bumblebee Malware Resurgence

    The Bumblebee malware, developed by the Conti and Trickbot threat actor group, has resumed its attacks on thousands of U.S. organizations through phishing campaigns after a four-month hiatus. These emails, masquerading as voicemail notifications, distribute a Word document that employs macros to execute a PowerShell command to download and launch the Bumblebee DLL on the victim's system. This shift back to using VBA macros, despite Microsoft's default blocks on macros since 2022, suggests an attempt at evasion or targeting outdated systems.

  • Feb 14, 2024

    • Gambling
    • Global

    PlayDapp Crypto Heist

    Threat actors exploited a stolen private key to mint over $290 million in PLA tokens from the PlayDapp gaming platform. The attackers minted a staggering 1.59 billion PLA tokens, far exceeding the token's total circulation prior to the breach, causing a significant drop in the token's value. PlayDapp has responded by moving assets to secure wallets, offering a reward for the return of stolen assets, and coordinating with exchanges to freeze the threat actor's wallets, although the stolen funds are already being laundered.

  • Feb 12, 2024

    • Finance
    • Latin America And The Caribbean
    • Coyote
    • Brazil

    New Coyote Trojan Targets 61 Brazilian Banks

    A new banking trojan named Coyote is targeting 61 banks in Brazil, employing the Squirrel installer and leveraging Nim, a multi-platform programming language, for its infection process. This marks a departure from traditional Delphi-based malware, adding complexity to the trojan's design. Coyote can execute commands like taking screenshots and logging keystrokes, and it uses DLL side-loading for execution. The discovery comes amidst actions by Brazilian authorities against cybercrime operations.

  • Feb 12, 2024

    • Hive
    • Government
    • North America
    • United States

    U.S. Offers $10 Million Bounty for Hive Ransomware Leaders

    The U.S. Department of State is offering up to $10 million for information leading to the arrest of leaders of the Hive ransomware group, and an additional $5 million for information on anyone attempting to participate in Hive ransomware activities. This follows a coordinated law enforcement effort that dismantled Hive's infrastructure and led to an arrest in Paris. Hive has targeted over 1,500 victims worldwide, amassing around $100 million.

  • Feb 12, 2024

    • North America
    • Critical Infrastructures
    • Transportation
    • exclusive
    • Anonymous Sudan
    • United States
    • Transportation By Air

    Anonymous Sudan Hits San Francisco Airport

    Cyberint Argos platform detected an Anonymous Sudan announcement in which the group claims to have initiated a significant cyber attack on San Francisco Airport's critical infrastructure to protest U.S. funding of Israeli military actions and other global issues. They claim responsibility for any operational disruptions and collateral damage at the airport, hinting that while front-end websites may remain operational, the core systems could be compromised. The group warns of continued cyber attacks against U.S. targets.

  • Feb 11, 2024

    • Cisa
    • CVE-2024-21762
    • Fortinet
    • Global

    Fortinet RCE Vulnerability: Active Exploits Confirmed by CISA

    The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a new remote code execution (RCE) vulnerability in Fortinet's FortiOS, identified as CVE-2024-21762, is being actively exploited. This critical bug, which allows unauthenticated attackers to execute arbitrary code via malicious HTTP requests, was recently patched by Fortinet. The exploit poses a significant risk, prompting CISA to mandate federal agencies to patch or mitigate the vulnerability within a tight deadline to protect against potential cyberattacks and data breaches.

  • Feb 11, 2024

    • Global
    • Rustdoor
    • Alphv

    RustDoor Malware Campaign Hits macOS Users

    A sophisticated malware named RustDoor, designed to infiltrate macOS systems by pretending to be a Visual Studio update, was identified in November 2023. Crafted in Rust for compatibility with both Intel and ARM architectures, this backdoor is linked to the ALPHV/BlackCat ransomware group. Disguised as a development tool update, RustDoor grants attackers extensive control over compromised devices, including data exfiltration and system command execution capabilities.

  • Feb 08, 2024

    • Global
    • Meta Platforms
    • Ov3R_Stealer

    Facebook Ads Launch Ov3r_Stealer Malware Campaign

    A new malware, Ov3r_Stealer, is being disseminated through Facebook's platform, leveraging fake job advertisements to lure victims. This malware aims to steal sensitive information such as account credentials and cryptocurrency by directing potential victims to malicious links under the guise of employment opportunities. Once clicked, these links initiate a series of downloads that ultimately infect the user's system with the malware, which then proceeds to harvest a wide range of personal and financial data. The campaign has been noted for its innovative use of social media to reach a broad audience, raising significant security concerns.

  • Feb 07, 2024

    • Europe
    • Finance
    • exclusive
    • Turk Hack Team
    • France
    • Western Europe

    Turk Hack Team Claims Responsibility for Disrupting Crédit Agricole's Online Services

    Cyberint Argos platform discovered an announcement by the Turk Hack Team threat actor group in which they claim to have disrupted the online services of Crédit Agricole, a major French bank. According to the statement, they have caused the bank's mobile applications and online banking systems, including its website, to crash. The group also threatens to escalate their attacks against French entities.

  • Feb 07, 2024

    • Government
    • Europe
    • China
    • Netherlands
    • Western Europe

    Breach at Dutch Ministry of Defence Reveals Chinese Cyber-Espionage

    A Chinese cyber-espionage group breached the Dutch Ministry of Defence, deploying malware on compromised devices, yet the damage was contained due to network segmentation. Coathanger, a persistent remote access trojan (RAT), infected FortiGate network security appliances, surviving firmware upgrades and operating stealthily. While not directly attributed to a specific group, the attack was linked with high confidence to Chinese state-sponsored hacking. The hackers exploited CVE-2022-42475 in FortiOS SSL-VPN to compromise FortiGate firewalls, echoing a broader pattern of Chinese political espionage targeting the Netherlands and allies.

  • Feb 06, 2024

    • Healthcare
    • France
    • Europe
    • Western Europe

    Viamedis Data Breach

    A data breach at Viamedis, a company managing third-party payments for 84 top-up insurance providers, has exposed sensitive information of over 20 million individuals. The breach, announced on February 2, includes names, social security numbers, and insurance provider details. While bank information was unaffected, the breach may impact third-party payments with certain specialists. Viamedis has filed a police complaint and notified the French data protection authority. The compromised data could lead to targeted phishing attempts, urging affected individuals to be cautious and verify communication directly with organizations.

  • Feb 06, 2024

    • Government
    • United States
    • North America

    U.S. Implements Visa Restrictions on Individuals Tied to Commercial Spyware

    Secretary of State Antony J. Blinken announced a new visa restriction policy targeting individuals linked to the misuse of commercial spyware, citing concerns over human rights abuses and threats to national security. The policy follows the Biden Administration's Executive Order prohibiting the use of mercenary surveillance tools and joint efforts with 36 other governments to prevent surveillance tech misuse. Additionally, the Commerce Department sanctioned European and other companies for trafficking cyber exploits. Blinken reaffirmed the U.S.' commitment to human rights and vowed to hold individuals involved in spyware misuse accountable.

  • Feb 06, 2024

    • Asia
    • Resumelooters

    Massive Data Breach Hits APAC Job Seekers

    A threat group known as 'ResumeLooters' has recently stolen personal data from over two million job seekers by compromising 65 legitimate job listing and retail websites across the Asia-Pacific (APAC) region. Using SQL injection and cross-site scripting (XSS) attacks, the group targeted sites in countries such as Australia, Taiwan, China, Thailand, India, and Vietnam, obtaining sensitive information including names, email addresses, phone numbers, employment history, and education. ResumeLooters attempted to sell the stolen data through Telegram channels in November 2023. The threat actors employed various open-source tools during their pen-testing phase, including SQLmap, Acunetix, Beef Framework, X-Ray, Metasploit, ARL (Asset Reconnaissance Lighthouse), and Dirsearch. By injecting malicious scripts into targeted websites' HTML, ResumeLooters aimed to display phishing forms to extract visitors' information. Additionally, they utilized custom attack techniques such as creating fake employer profiles and posting fake CV documents containing XSS scripts.

  • Feb 05, 2024

    • Asia
    • Phishing
    • Cryptocurrency
    • Singapore
    • Southern Asia

    Singapore Authorities Raise Concerns Around Crypto Draining Kits Targeting Digital Wallet Owners

    In a joint statement, the Singaporean authorities raised concerns about a new attack method becoming increasingly popular amongst cybercriminals. The new method involves the use of a malware type called a "crypto drainer". The malware works by exploiting any available vulnerability and is usually deployed via a phishing scam. The Singaporean authorities also stated that no such cases have been reported in the country as of now, but urge citizens to be alert and aware of such attacks happening globally.

  • Feb 05, 2024

    • Global
    • Anydesk

    AnyDesk Confirms Source Code Theft in Cyberattack

    AnyDesk, a remote access solution, has confirmed a recent cyberattack resulting in the theft of source code and code signing keys. While the company assures users of safety and has replaced compromised certificates, they recommend updating to the latest software version. Despite no indication of stolen authentication tokens, AnyDesk is revoking web portal passwords as a precaution. The incident, causing a four-day outage starting January 29th, is linked to ongoing maintenance. Users are advised to switch to the new version and exercise caution with password changes.

  • Feb 05, 2024

    • United States
    • Clorox
    • North America
    • Scattered Spider

    Clorox Discloses $49 Million Expenses from Scattered Spider Attack

    Clorox has confirmed a cyberattack in September 2023, resulting in $49 million in expenses for response efforts. The American cleaning product manufacturer faced disruption in operations, leading to reduced production and product availability. Clorox, with 8,700 employees and $7.5 billion in 2023 revenue, is actively recovering and anticipates diminishing costs from the attack in the future. The attack is believed to be orchestrated by the Scattered Spider threat actor group, known for social engineering attacks and affiliated with the BlackCat/ALPHV ransomware gang.

  • Feb 05, 2024

    • North America
    • exclusive
    • Mr Phantom
    • Lulzsec Indonesia
    • United States

    Lulzsec Indonesia Claims to Leak a CIA Website Database

    Cyberint Argos platform has identified that the Mr. Phantom threat actor, affiliated with the Lulzsec Indonesia threat actor group, claims to have exposed a database from the CIA website as part of their continuous targeting of the United States. The threat actor has released screenshots of the alleged leak and provided a link for downloading the disclosed information.

  • Feb 02, 2024

    • Finance
    • Philippines
    • exclusive

    Top E-Wallet App in PH Disappears from Google Play Store

    A prominent E-Wallet App in the Philippines disappeared from the Play Store for nearly 18 hours without any official explanation from the company. During this period, users seeking to install the app resorted to downloading it from third-party websites, heightening the potential risks of installing counterfeit or malware-infected versions. The app has since been restored on the Play Store. Given the Philippines' substantial Android user base and its history of high malware infection rates, an extended outage could have posed an increased risk of infections, potentially attracting threat actors looking to exploit the situation.

  • Jan 31, 2024

    • Asia
    • Lockbit
    • Retail
    • China
    • exclusive
    • Eastern Asia

    Lockbit Offers 14.5 Billion Shopping Records of Pinduoduo for Sale

    Cyberint Argos platform detected that the Lockbit ransomware group claims to possess 14.5 billion shopping order records from Pinduoduo, including details like name, phone, address, order ID, goods name, price, and time. They are advertising the data for sale, asserting that it covers the entirety of 2023 and encompasses a staggering 1,454,672,835 orders involving approximately 0.69 billion individuals. Pinduoduo is one of the biggest Chinese e-commerce platforms and specializes in group buying, where users can access discounts by forming groups to make collective purchases.

  • Jan 31, 2024

    • Global
    • Mercedes-Benz

    Mercedes-Benz Source Code Exposed Due to GitHub Token Mishandling

    A mishandled GitHub token granted unrestricted access to Mercedes-Benz's internal GitHub Enterprise Service, exposing sensitive source code and critical information. The incident revealed databases, blueprints, design documents, API keys, and more. The exposure posed severe risks, including potential reverse engineering of proprietary technology by competitors and exploitation of vulnerabilities in vehicle systems. Mercedes-Benz confirmed the token's accidental publication, clarified it didn't compromise the entire source code, and stated that customer data remained unaffected.

  • Jan 31, 2024

    • Linux
    • Exploitation For Privilege Escalation

    Critical Linux Vulnerability (CVE-2023-6246) Enables Unprivileged Root Access

    A recently revealed local privilege escalation (LPE) vulnerability in the GNU C Library (glibc) can grant root access to unprivileged attackers on various major Linux distributions operating under default configurations. Identified as CVE-2023-6246, the flaw resides in the __vsyslog_internal() function of glibc, utilized by syslog and vsyslog functions for system message logging. This vulnerability, stemming from a heap-based buffer overflow error introduced in glibc 2.37 in August 2022 and subsequently backported to glibc 2.36, poses a serious threat. Over the past years, Qualys has uncovered various Linux security vulnerabilities, including those in glibc's ld.so dynamic loader, Polkit's pkexec component, the Kernel's filesystem layer (Sequoia), and the Sudo Unix program (Baron Samedit), underscoring the need for robust security measures in software development.

  • Jan 30, 2024

    • South-Eastern Asia
    • Philippines
    • Asia
    • Finance
    • Telecommunications
    • exclusive

    Philippine SIM Cards Being Sold in Bulk

    Cyberint is seeing several threat actors selling SIM cards in bulk on social media platforms like Facebook. These cards are sold for as low as 10 pesos and up to 30 pesos each. The advertisement text says that these cards have already been used to register on several apps, so we can assume that the cards were pre-registered in line with the SIM registration law passed by the Philippines. Bulk SIM card selling is a scam where fraudsters sell large quantities of SIM cards, often at discounted prices, to other threat actors who want to use them for various purposes, such as creating accounts on gambling sites, Telegram, WhatsApp, and online shopping apps. Bulk SIM card selling is usually done through social media platforms, such as Facebook, where fraudsters can advertise their products, reach a wider audience, and interact with potential buyers.

  • Jan 30, 2024

    • Finance
    • United States
    • Insurance Carriers
    • North America

    Keenan & Associates Reveals Breach Exposing Personal Data of 1.5 Million Customers

    Keenan & Associates, a California-based insurance brokerage and consulting firm affiliated with AssuredPartners NL, has disclosed a data breach affecting 1.5 million customers. The breach, discovered on August 27, 2023, exposed personal information, including full names, dates of birth, Social Security numbers, passport and driver's license numbers, and health insurance details. The exposed data poses risks such as identity theft, financial fraud, phishing attacks, and health insurance fraud. Keenan bolsters its security measures and advises affected individuals to monitor accounts and avail themselves of a two-year identity theft protection service through Experian.

  • Jan 30, 2024

    • Global
    • Cactus
    • Energy

    Schneider Electric Hit by Cactus Ransomware Attack

    Schneider Electric, a prominent energy management and automation company, recently fell victim to a Cactus ransomware attack, leading to corporate data theft, particularly affecting its Sustainability Business division. The attack on January 17th disrupted Schneider Electric's Resource Advisor cloud platform, which is still experiencing outages. The ransomware group responsible reportedly stole terabytes of corporate data and is threatening to leak it unless a ransom is paid. Schneider Electric's Sustainability Business division provides consulting services to enterprise organizations, and this is not the first time it has been targeted, as it was previously attacked in the MOVEit data theft incidents by the Clop ransomware gang.

  • Jan 29, 2024

    • Healthcare
    • 23Andme
    • United States
    • North America

    23andMe Data Breach Exposes Health Reports and Genetic Information of Millions

    Genetic testing provider 23andMe has confirmed a significant data breach, revealing that threat actors stole health reports and raw genotype data of customers during a five-month-long credential stuffing attack from April 29 to September 27. The attackers used credentials stolen from other breaches or compromised online platforms to access accounts. The stolen data, including that of 1 million Ashkenazi Jews and 4.1 million people in the UK, was posted on dark web forums. 23andMe disclosed that the threat actor downloaded uninterrupted raw genotype data and may have accessed other sensitive information, such as health reports and self-reported health conditions.

  • Jan 29, 2024

    • Europe
    • Eastern Europe
    • Russia
    • Ukraine
    • Bo Team

    Ukrainian 'BO Team' Strikes Russian Space Hydrometeorology Center

    Ukrainian hacktivists, purportedly part of the "BO Team," have reportedly breached the Russian Center for Space Hydrometeorology, wiping out a staggering 2 petabytes of data. The targeted research center, known as "Planeta," is affiliated with Roscosmos, Russia's space agency, and provides crucial information on weather, climate, and natural disasters. While the Ukrainian government has not claimed direct involvement, it states that the hackers destroyed 280 servers, estimating the damage at $10 million. The impact extends beyond financial losses, affecting supercomputer clusters, years of research, and even paralyzing HVAC and power supply systems.

  • Jan 29, 2024

    • Transportation
    • United States
    • North America
    • Medusa

    Kansas City Transportation Authority Hit by Ransomware

    The Kansas City Area Transportation Authority (KCATA) fell victim to a ransomware attack on January 23, impacting all communication systems, including call centers for regional RideKC services. While transit operations continue without disruption, KCATA is working with cyber professionals to restore systems swiftly. The attack raises concerns about potential data theft, with Medusa ransomware claiming responsibility and setting a $2 million ransom. Data samples allegedly belonging to KCATA were posted on the dark web, with the threat actors providing a 10-day negotiation window and offering a $100,000/day extension option to delay public data exposure.

  • Jan 29, 2024

    • Jenkins
    • Global

    Exploits Released for Critical Vulnerabilities in Jenkins

Multiple proof-of-concept (PoC) exploits have surfaced for a critical Jenkins vulnerability that allows unauthenticated threat actors to read arbitrary files, with reports indicating active exploitation in the wild. Jenkins, a widely used open-source automation server in software development, was recently found to have two vulnerabilities. The first flaw (CVE-2024-23897) permits attackers with 'overall/read' permission to access data from arbitrary files on the server, potentially leading to admin privilege escalation and remote code execution. The second flaw (CVE-2024-23898) involves a cross-site WebSocket hijacking issue, enabling attackers to execute arbitrary CLI commands by tricking users into clicking malicious links. Jenkins released fixes on January 24, 2024, with an advisory detailing attack scenarios, exploitation pathways, and workarounds.

  • Jan 29, 2024

    • Government
    • North America
    • Trickbot
    • U.S. Department Of Defense
    • United States

    TrickBot Malware Developer Sentenced to Prison

    Russian national Vladimir Dunaev, also known as FFX, has been sentenced to five years and four months in prison for his pivotal role in creating and distributing the notorious TrickBot malware. Dunaev oversaw the development of the malware's browser injection component, enabling threat actors to target hospitals, companies, and individuals worldwide. Arrested in September 2021 while attempting to leave South Korea, Dunaev pleaded guilty to charges related to computer fraud, identity theft, and wire and bank fraud. He is the second TrickBot developer prosecuted by the U.S. Department of Justice, following the arrest of Latvian national Alla Witte in February 2021.

  • Jan 29, 2024

    • Government
    • North America
    • exclusive
    • Mr Phantom
    • Lulzsec Indonesia
    • United States

    US Department of Veterans Affairs Database Leak

Cyberint Argos platform detected that the threat actor Mr Phantom, part of the Lulzsec Indonesia threat actor group, has published a leak of a US Department of Veterans Affairs database.

  • Jan 25, 2024

    • Compromise Accounts
    • Global
    • Gitlab

    GitLab's Zero-Click Account Takeover Vulnerability

GitLab recently alerted users to a critical zero-click account takeover vulnerability, CVE-2023-7028, affecting over 5,300 internet-exposed GitLab instances. This severe flaw, rated 10.0 on the CVSS scale, enables threat actors to redirect password reset emails to their own email addresses, consequently gaining control over targeted accounts. While two-factor authentication (2FA) offers some protection, accounts without 2FA are especially at risk. The vulnerability affects multiple versions of GitLab Community and Enterprise Editions. GitLab has already issued fixes and backported patches to address this issue. Compromised servers are susceptible to supply chain attacks, code leaks, and other malicious activities. GitLab advises users to follow their incident response guide, check for signs of compromise, and implement security measures such as rotating credentials, enabling 2FA, and applying the update.

  • Jan 25, 2024

    • Cl0P
    • Global

    Critical Authentication Flaw in Fortra's GoAnywhere MFT

    Fortra's GoAnywhere Managed File Transfer (MFT) software, a tool for secure file transfer and auditing, is currently at risk due to a critical authentication bypass vulnerability (CVE-2024-0204). This flaw enables threat actors to create new admin users through the administration portal on unpatched systems. Although Fortra discreetly released a patch on December 7 with GoAnywhere MFT 7.4.1 and alerted customers privately, a full disclosure was only made recently. In the interim, Fortra advised customers to either delete or replace the InitialAccountSetup.xhtml file to mitigate the risk. Recently, security researchers at Horizon3's Attack Team published a technical analysis and proof-of-concept exploit, increasing the urgency for unpatched instances to be secured. This vulnerability follows a pattern of attacks on MFT platforms, including a significant breach by the Clop ransomware gang exploiting another flaw in the same software, impacting numerous organizations. Admins are advised to urgently upgrade or apply Fortra's mitigations and monitor for signs of compromise, especially with the PoC exploit now public.

  • Jan 24, 2024

    • Atlassian
    • Emo

    Exposure of Private Emails in Trello API Security Breach

    Trello, an online project management tool owned by Atlassian, experienced a data exposure due to an exploitable API. A threat actor, using the alias 'emo', managed to link private email addresses with Trello user accounts, creating a potential data breach involving over 15 million users. This breach was initially believed to be a result of scraping public data; however, further investigation revealed that a publicly accessible API was abused to confirm email addresses linked to user accounts. The threat actor compiled a list of 500 million email addresses, leveraging proxy servers to circumvent API rate limits. Trello has since tightened API access to prevent such misuse. This incident underscores the vulnerabilities inherent in public APIs and the risks of combining publicly available data with private information.

  • Jan 23, 2024

    • Asia
    • Business Services
    • Intuview
    • Middle East
    • exclusive
    • Israel
    • Prana Network

    PRANA Network's Announcement on Israel's Surveillance System Leak

Cyberint Argos platform detected that the PRANA Network threat actor group revealed a significant leak which they claim concerns Israel's surveillance system. The system, developed by IntuView, employs artificial intelligence for a range of purposes including document exploitation, social media and new media monitoring, legal support, and name analysis. The group also claims that the system is linked to Mer Group, whose advisory members include the former head of Mossad and a former director of the CIA. The group highlights the system's capabilities for mass-scale analysis and monitoring of personal data, communications, and activities, raising criticism about the infringement of privacy rights and the suppression of freedom of expression.

  • Jan 22, 2024

    • Europe
    • LockBit
    • fbi
    • Subway
    • Global
    • Israel

    Lockbit targeted Israeli subway
