Breaking Cyber News From Cyberint

Breaking news feed of the latest cyber incidents, breaches, vulnerabilities, malware, ransomware and so much more.

  • Jun 13, 2024

    • Blackbasta
    • Darkgate
    • CVE-2024-26169

    Black Basta ransomware gang linked to Windows zero-day attacks

    The Black Basta ransomware operation is suspected of exploiting a Windows privilege escalation vulnerability (CVE-2024-26169) as a zero-day, before a fix was available. This high-severity flaw (CVSS v3.1: 7.8) in the Windows Error Reporting Service lets a local attacker elevate privileges to SYSTEM. Microsoft fixed it in the March 12, 2024 Patch Tuesday updates, and its advisory shows no evidence of in-the-wild exploitation. Symantec's report, however, indicates that the Cardinal cybercrime group (Storm-1811, UNC4394), which operates Black Basta, likely used the bug as a zero-day. Symantec found an exploit tool for CVE-2024-26169 in an attempted ransomware attack that followed an initial DarkGate infection; Black Basta has relied on the DarkGate loader since the QakBot takedown. The attackers used batch scripts disguised as software updates to run malicious commands and maintain persistence. The exploit tool abuses the fact that the Windows component werkernel.sys uses a null security descriptor when creating registry keys, so an unprivileged user can create a registry key that causes a shell to be launched with SYSTEM privileges. One variant of the tool carries a compilation timestamp of February 27, 2024 and another of December 18, 2023, both well before Microsoft shipped the fix. Compilation timestamps can be forged, but Symantec sees little motive for the attackers to have done so. Black Basta, which has ties to the defunct Conti syndicate, has a record of exploiting Windows tools.
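    Symantec's write-up identifies the registry key the exploit tool creates as an Image File Execution Options (IFEO) entry for WerFaultSecure.exe whose Debugger value names the exploit's own executable, which the SYSTEM-level error reporting service then runs. The check below is an added example, not code from Cyberint or Symantec: it parses the text format written by `reg export` and flags every IFEO subkey that carries a Debugger value, rating the WerFaultSecure.exe case as critical. The sample export embedded in the block is constructed, and the debugger path in it is a placeholder rather than an indicator from the report.

```python
from typing import Dict, List

# Constructed sample in the text format written by `reg export`. The
# WerFaultSecure.exe entry mirrors the key Symantec describes the exploit tool
# creating; the notepad.exe entry is a benign IFEO key with no Debugger value.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFaultSecure.exe]
"Debugger"="C:\\Users\\Public\\update.exe"
"""

IFEO_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
               "Image File Execution Options\\")
# Image whose IFEO Debugger value is launched by a SYSTEM-level service in the
# CVE-2024-26169 exploit chain. Any other Debugger value still deserves review.
HIGH_RISK_IMAGES = {"werfaultsecure.exe"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: raw_value}} from reg-export text.
    Multi-line hex values (continued with a trailing backslash) are ignored;
    this check only needs string (REG_SZ) values."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, sep, value = line.partition('"=')
            if sep:
                keys[current][name[1:]] = value
    return keys


def reg_string(value: str) -> str:
    """Undo REG_SZ quoting: surrounding quotes, escaped quotes, doubled backslashes."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return value  # dword:, hex: and friends are returned untouched


def find_ifeo_debuggers(text: str) -> List[Dict[str, str]]:
    """Flag IFEO subkeys that redirect an image to a 'Debugger' executable."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if not key.lower().startswith(IFEO_PREFIX.lower()):
            continue
        # Registry value names are case-insensitive, so match accordingly.
        debugger = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if debugger is None:
            continue
        image = key[len(IFEO_PREFIX):].split("\\")[0]
        findings.append({
            "image": image,
            "debugger": reg_string(debugger),
            "severity": "critical" if image.lower() in HIGH_RISK_IMAGES else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in find_ifeo_debuggers(SAMPLE_REG_EXPORT):
        print(finding)
```

    On a live host, export the hive branch with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and feed the file to `find_ifeo_debuggers`; `reg export` writes UTF-16, so open it with `encoding="utf-16"`. A Debugger value under WerFaultSecure.exe on a host that is not being debugged is the artifact to hunt for, independent of whether the patch is installed, because the key persists after exploitation.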

  • Jun 13, 2024

    • Mustang Panda
    • Angryrebel
    • Exfiltration Over C2 Channel
    • Calypso
    • Local Account
    • Compromise Accounts
    • Rocke

    New Malware 'Noodle RAT' Targets Windows and Linux Systems

    A newly identified cross-platform malware, named Noodle RAT, has been actively used by Chinese-speaking threat actors for espionage or cybercrime over the years. Originally categorized as a variant of Gh0st RAT and Rekoobe, Trend Micro security researcher Hara Hiroaki clarifies that Noodle RAT is a distinct new type of malware. Known by other names such as ANGRYREBEL and Nood RAT, it has versions for both Windows and Linux and has been in use since at least July 2016. The Windows variant of Noodle RAT, used by hacking groups like Iron Tiger and Calypso, functions as an in-memory modular backdoor capable of downloading/uploading files, executing additional malware, serving as a TCP proxy, and self-deleting. The Linux version has been employed by cybercrime and espionage clusters such as Rocke and Cloud Snooper, launching reverse shells, scheduling executions, and utilizing SOCKS tunneling through compromised Linux servers. Despite the differences in the backdoor commands for Windows and Linux, both versions of Noodle RAT share identical code for command-and-control (C2) communications and similar configuration formats. The malware, developed and maintained with frequent updates, appears to be commercially sold within a complex supply chain that serves both private sector firms and Chinese state-sponsored entities. Trend Micro’s analysis revealed access to a control panel and builder for the Linux variant, written in Simplified Chinese, suggesting organized distribution and use among Chinese-speaking groups. This finding aligns with earlier leaks highlighting China's extensive corporate hack-for-hire scene and its ties to state-sponsored cyber actors. The ongoing use of Noodle RAT, coupled with its misclassification and underrated threat level, underscores the persistent and evolving nature of Chinese cyber espionage efforts.

  • Jun 13, 2024

    • Phishing
    • Uri Hijacking

    Windows search protocol Phishing Campaign

    A new phishing campaign uses HTML attachments to abuse the Windows search protocol (search-ms: URI) to deliver malware. The protocol lets a web page or document make Windows Search query a file share on a remote host and open a custom search window listing the results. First highlighted by Prof. Dr. Martin Johns in 2020, this behavior can be abused to present files on an attacker-controlled share as if they were local search results. Security researchers, including Trustwave SpiderLabs, have now observed the technique in the wild: threat actors send emails carrying HTML attachments disguised as invoice documents. When opened, the attachment automatically navigates to the malicious URL through an HTML meta refresh tag, or offers a clickable link if the refresh fails, which starts a search on a remote host for a file labeled "INVOICE." The recent attacks begin with a malicious email carrying the HTML attachment inside a small ZIP archive, which helps it evade security scanners. The HTML file directs the browser to a Windows Search protocol URL that performs the search on a remote server fronted by Cloudflare. The search results display a shortcut (LNK) file named as an invoice, which launches a batch script (BAT) when clicked. Trustwave could not determine the exact function of the BAT because the server was down by the time of analysis, but the potential for harmful operations is significant. To defend against this threat, Trustwave recommends deleting the registry entries associated with the search-ms and search URI protocol handlers, with the caveat that doing so may break legitimate applications that rely on the protocol.
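    The lure works because the browser follows the URI without any download prompt and Windows Search then fetches the listing from the attacker's share. The code below is an added example, not Trustwave's or Cyberint's: it extracts both navigation paths Trustwave describes (the automatic meta refresh and the fallback link) from an HTML attachment, decodes the search-ms parameters, and pulls the remote host out of the `crumb=location:` argument, which is the value worth blocking or hunting for. The HTML sample is constructed; `invoice-host.example` is a placeholder, not a real indicator.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed HTML attachment modelled on the lure described above: a meta refresh
# that fires on open, plus a fallback link. The host name is a placeholder.
SAMPLE_ATTACHMENT = """<html><head><title>Invoice</title>
<meta http-equiv="refresh" content="0; url=search-ms:query=INVOICE&crumb=location:%5C%5Cinvoice-host.example%5Cshare&displayname=Downloads">
</head><body>
<p>If the document does not open, <a href="search-ms:query=INVOICE&crumb=location:%5C%5Cinvoice-host.example%5Cshare&displayname=Downloads">click here</a>.</p>
</body></html>"""

SEARCH_SCHEMES = ("search-ms", "search")


class _NavigationCollector(HTMLParser):
    """Collect every target the page can navigate to without a click (meta refresh)
    or with one (anchor href)."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*['\"]?([^'\"\s]+)", a.get("content", ""), re.I)
            if m:
                self.targets.append(("meta-refresh", m.group(1)))
        elif tag == "a" and a.get("href"):
            self.targets.append(("href", a["href"]))


def parse_search_uri(uri: str) -> Optional[Dict[str, Optional[str]]]:
    """Decode a search-ms:/search: URI. These URIs carry their parameters directly
    after the scheme (no '//' or '?'), so the query parser is applied to the rest."""
    scheme, _, rest = uri.partition(":")
    if scheme.lower() not in SEARCH_SCHEMES:
        return None
    params = parse_qs(rest, keep_blank_values=True)  # percent-decodes values
    crumb = params.get("crumb", [""])[0]
    # crumb=location:\\host\share tells Windows Search where to look.
    host = re.search(r"location:\\\\([^\\]+)", crumb, re.I)
    return {
        "scheme": scheme.lower(),
        "query": params.get("query", [""])[0],
        "displayname": params.get("displayname", [""])[0],
        "crumb": crumb,
        "remote_host": host.group(1) if host else None,
    }


def find_search_protocol_lures(html_text: str) -> List[Dict[str, Optional[str]]]:
    """Return every search-protocol navigation found in an HTML attachment."""
    collector = _NavigationCollector()
    collector.feed(html_text)
    findings = []
    for how, uri in collector.targets:
        parsed = parse_search_uri(uri.strip())
        if parsed:
            parsed["via"] = how
            findings.append(parsed)
    return findings


if __name__ == "__main__":
    for lure in find_search_protocol_lures(SAMPLE_ATTACHMENT):
        print(lure["via"], lure["remote_host"], lure["query"], lure["displayname"])
```

    A mail gateway rule that simply looks for the string `search-ms:` misses the `search:` alias and any attachment that assembles the URI in script; parsing the decoded `crumb` parameter instead gives the remote host to block at the proxy and to search for in SMB and WebDAV logs.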

  • Jun 13, 2024

    • ransomware
    • arrest

    LockBit & Conti Ransomware Affiliate Arrested in Ukraine

    A 28-year-old Ukrainian man has been arrested for working as a freelance developer for the Russian ransomware groups Conti and LockBit. He specialized in creating cryptors, software that hides malware from antivirus detection, and regularly supplied them to these groups in exchange for cryptocurrency. His cryptors were identified in successful ransomware attacks in Belgium and the Netherlands, and he faces a prison sentence of up to 15 years. The arrest was part of Operation Endgame, an international law enforcement effort against cybercrime, and was carried out with the assistance of Dutch officials and the National Cyber Security Center.

  • Jun 10, 2024

    • global
    • campaign
    • google

    Google Takes Down Influence Campaigns Tied to China, Indonesia, and Russia

    Google has taken significant action against coordinated influence operations, removing 1,320 YouTube channels and 1,177 Blogger blogs linked to the People's Republic of China (PRC). These channels were spreading content in Chinese and English about China and U.S. foreign affairs. Additionally, Google terminated various accounts connected to influence campaigns from Indonesia, which supported the ruling party, and dismantled a network of 378 YouTube channels managed by a Russian consulting firm that promoted pro-Russian and anti-Ukrainian narratives. Other notable takedowns included channels from Pakistan, France, Russia, and Myanmar that were involved in spreading political propaganda. These efforts are part of a broader initiative by tech companies to combat disinformation. For instance, Meta and OpenAI recently disrupted an influence campaign by the Tel Aviv-based Stoic firm, which propagated pro-Israel messages amid the Israel-Hamas conflict. Microsoft also reported on Russia's escalating disinformation campaigns targeting the 2024 Summer Olympics in France, using AI-generated content to undermine the International Olympic Committee (IOC) and promote pro-Kremlin narratives. These actions highlight the ongoing battle against disinformation and the importance of robust measures to protect the integrity of information platforms.

  • Jun 10, 2024

    • microsoft
    • vulnerability
    • exploit

    Microsoft Warns of Potential Abuse by Threat Actors

    Microsoft has warned about threat actors' potential misuse of Azure Service Tags to bypass firewall rules and gain unauthorized access to cloud resources. The concern arises from findings by cybersecurity firm Tenable, which revealed that relying solely on Azure Service Tags for firewall rules could allow an attacker from one tenant to send crafted web requests to access resources in another tenant. This vulnerability affects at least ten Azure services, including Azure DevOps and Azure Machine Learning. Microsoft emphasizes that Service Tags should not be treated as a security boundary but as a routing mechanism used in conjunction with other validation controls. They recommend that customers review their use of Service Tags and ensure additional security measures are in place to authenticate trusted network traffic. Following the disclosure, Microsoft updated its documentation to highlight that Service Tags alone are insufficient for securing traffic without considering the nature of the service and the traffic it handles.
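    The point Microsoft is making is that a Service Tag answers "did this packet come from inside a published prefix list", not "who sent it". The block below is an added illustration, not Microsoft's, Tenable's or Cyberint's code: it models the tag-only firewall decision beside a hardened one that also demands an application-layer credential, here an HMAC over the request body, so a workload belonging to another tenant of the same service passes the first check and fails the second. The prefix list uses RFC 5737 documentation ranges and the secret is a constructed placeholder; in a real deployment the prefixes come from Microsoft's published Service Tags JSON and the credential would typically be an Entra ID token whose tenant claim is verified, or a secret held in Key Vault.

```python
import hashlib
import hmac
import ipaddress
from typing import Dict, List

# Constructed stand-in for the address prefixes a Service Tag expands to. The
# real lists are in Microsoft's weekly Service Tags JSON; documentation ranges
# are used here so nothing resembles live Azure address space.
SERVICE_TAG_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "AzureDevOps": [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed application-layer secret shared with the one caller we trust.
SHARED_SECRET = b"constructed-secret-kept-in-key-vault"


def allowed_by_tag_only(src_ip: str, tag: str) -> bool:
    """What a firewall rule with a Service Tag as its source really decides:
    did the packet come from inside the tag's prefixes. Every tenant's workload
    running in that service answers yes, so this is routing, not authentication."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in SERVICE_TAG_PREFIXES[tag])


def sign_request(body: bytes, secret: bytes = SHARED_SECRET) -> str:
    """Credential the trusted caller attaches to each request."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def allowed_with_validation(src_ip: str, tag: str, body: bytes, signature: str) -> bool:
    """Network reachability plus proof the caller holds the shared credential.
    A tenant that merely shares the Service Tag's address space fails here."""
    if not allowed_by_tag_only(src_ip, tag):
        return False
    return hmac.compare_digest(sign_request(body), signature)


if __name__ == "__main__":
    body = b'{"job": "deploy"}'
    print("own pipeline, tag only:", allowed_by_tag_only("192.0.2.10", "AzureDevOps"))
    print("other tenant, tag only:", allowed_by_tag_only("198.51.100.7", "AzureDevOps"))
    print("other tenant, validated:",
          allowed_with_validation("198.51.100.7", "AzureDevOps", body,
                                  sign_request(body, b"attacker-guess")))
```

    The tag check still has value, as it shrinks the population of hosts that can reach the listener, but the authorization decision has to rest on the second check.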

  • Jun 10, 2024

    • malware
    • microsoft

    Malicious VSCode extensions with millions of installs discovered

    Israeli researchers have uncovered significant security flaws in the Visual Studio Code (VSCode) Marketplace, highlighting vulnerabilities through an experiment that "infected" over 100 organizations by trojanizing a popular theme. They created a fake extension mimicking the popular 'Dracula Official' theme, which included risky code designed to collect system information and send it to a remote server. This experiment revealed that even high-value targets, such as a company with a $483 billion market cap, major security firms, and a national justice court network, were susceptible to such attacks. The researchers emphasized the need for better security measures in the VSCode Marketplace. The study further identified thousands of extensions with potential security risks, including 1,283 with known malicious code, 8,161 communicating with hardcoded IP addresses, and 1,452 running unknown executables. Despite reporting these findings to Microsoft, many of these risky extensions remain available for download. The researchers plan to release a tool named 'ExtensionTotal' to help developers scan their environments for threats, underscoring the need for the security community to focus on this exposed and high-risk attack vector.

  • Jun 10, 2024

    • Europe
    • Phishing
    • Russia
    • Belarus
    • Technology
    • Maldoc In Pdf
    • Eastern Europe
    • Phishing For Information
    • Email Accounts
    • Manufacturing

    Sticky Werewolf Expands Cyber Attack Targets in Russia and Belarus

    Cybersecurity researchers have disclosed details about a threat actor known as Sticky Werewolf, linked to cyber attacks targeting entities in Russia and Belarus. These phishing attacks have expanded beyond their initial focus on government organizations to include a pharmaceutical company, a Russian microbiology research institute, and the aviation sector, according to a report by Morphisec. Previous campaigns by Sticky Werewolf involved phishing emails containing links to download malicious files from platforms like gofile.io. The latest campaign uses archive files with LNK files pointing to a payload on WebDAV servers. These attacks aim to deliver commodity RATs and information-stealing malware such as Rhadamanthys and Ozone RAT. Although there's no definitive evidence of the group's national origin, the geopolitical context suggests possible links to a pro-Ukrainian cyberespionage group or hacktivists. This development follows BI.ZONE's revelation of another threat cluster, Sapphire Werewolf, responsible for over 300 attacks on Russian sectors using Amethyst malware.

  • Jun 09, 2024

    • Venezuela
    • exclusive
    • Latin America And The Caribbean
    • Glorysec

    GlorySec Launches Malware Attack in Venezuela

    In a concerning development, the hacker group GlorySec has revealed a cyber operation targeting companies in Ciudad Guayana, Venezuela. They claim to have deployed worm-type malware via USB sticks, infiltrating the systems of over 100 companies. This represents a significant escalation in GlorySec’s activities as they expand their influence and capabilities. According to GlorySec, their malware has spread widely, enabling a complete system takeover and access to personal PCs. The group posted proof of their actions on their storage channel, including screenshots from a compromised PC named “KingBike.” GlorySec stated their intention was to test the limits of their new malware without causing major harm, while showcasing its reach and capabilities. They also declared a political motive, aiming to destabilize the regime of Venezuelan President Nicolás Maduro. GlorySec hinted at a possible future deployment of their worm in Russia, contingent on the escalation of the Russo-Ukrainian war and the direct involvement of the United States. This potential operation highlights the group's strategic focus on geopolitical conflicts and their readiness to exploit such situations to test and demonstrate their cyber warfare tools.

  • Jun 09, 2024

    • Europe
    • Ireland
    • Hacknet
    • Northern Europe
    • exclusive

    HackNeT Allegedly Targeted Ireland Because of EU Elections

    HackNeT announced an alleged cyberattack targeting Ireland on the second day of the elections. The threat actor shared details of their actions on their Telegram channel, including images as proof. Their post highlights the second day of the European Parliament elections and specifies a focus on Ireland. They claim to have attacked the websites of Ireland’s election portal and National Transport Authority, providing CheckHost links as evidence. Given that attackers highlight and associate specific countries with each day, more attacks on other countries may follow. The European Parliament elections are scheduled for June 6 to June 9, 2024.

  • Jun 05, 2024

    • Middle East
    • Elfi-Tech
    • Asia
    • Israel
    • Handala

    Handala Hacker Group Claims Breach of Israeli Medical Equipment Manufacturer 'Elfi-Tech'

    The hacker group "Handala" claims to have breached the Israeli medical equipment manufacturer "Elfi-Tech" and obtained 9GB of sensitive company data. Elfi-Tech develops non-invasive blood flow monitoring solutions for both in-hospital and home care. The group has not yet released samples of the stolen data, but it has posted evidence that the company's website was defaced, and the site is currently inaccessible.

  • Jun 05, 2024

    • Middle East
    • Daixin
    • Asia
    • Dubai Municipality
    • United Arab Emirates

    Daixin Ransomware Group Claims Attack on Dubai Municipality

    The ransomware group "Daixin" has claimed responsibility for an attack on "Dubai Municipality," the municipal body responsible for city services and facility maintenance in Dubai, United Arab Emirates. Although the group has not yet released the stolen data, they have listed the organization as a victim on their website and attached a txt file describing the types of information obtained. According to Daixin, the stolen data includes sensitive information such as financial records, identification documents (IDs and passports), customer information, and more. The group has not specified a release date for the stolen data.

  • Jun 04, 2024

    • Tech In Asia
    • exclusive
    • Sanggiero

    Threat Actor Claims to Have Breached Tech In Asia

    Cyberint Argos has detected that a threat actor named "Sanggiero" has allegedly breached Tech In Asia, a news, job search and event conference platform for the Asian market, by exploiting several vulnerabilities in the platform's API and accessing its data. The stolen database reportedly contains approximately 230 thousand customer records, including names and email addresses.

  • Jun 03, 2024

    • North America
    • Shinyhunters
    • Lumma Stealer
    • Snowflake
    • United States
    • Business Services

    ShinyHunters - Snowflake - Breach - 2024-04-16

    In April and May of 2024, Snowflake, a cloud data warehousing company, was reported as the victim of a data breach after a threat actor named "ShinyHunters" claimed to have gained access using stolen employee credentials. According to the threat actor, customer data belonging to 400 companies using Snowflake's services was extracted.

  • Jun 02, 2024

    • Middle East
    • Asia
    • Saudi Arabia
    • Riyadh Airports
    • exclusive

    Threat Actor Claims to Have Leaked Riyadh Airport Employee Database

    A threat actor ("888") on BreachForums claims to have leaked sensitive employee data from Riyadh Airport, potentially exposing the personal information of hundreds of employees.

    Details of the alleged leak: the reported database supposedly holds records on 864 employees, including:

    • Employee numbers
    • Full names
    • Email addresses
    • Mobile numbers

    About Riyadh Airports Company: established as part of Saudi Arabia's aviation sector privatization program, the company manages and operates King Khalid International Airport in Riyadh. It focuses on developing the airport's infrastructure and expanding its services and facilities to better serve the capital.

  • Jun 02, 2024

    • Telecommunications
    • Chalubo
    • Technology
    • North America
    • United States

    Mysterious Cyber Attack Took Down 600,000+ Routers in the U.S.

    Over 600,000 small office/home office (SOHO) routers have been rendered inoperable following a cyber attack by unidentified actors, disrupting internet access for many users. The incident, codenamed Pumpkin Eclipse by Lumen Technologies' Black Lotus Labs, occurred between October 25 and 27, 2023, affecting three specific router models issued by a single U.S. internet service provider (ISP): ActionTec T3200, ActionTec T3260, and Sagemcom. The attack took place over a 72-hour period, bricking the devices and necessitating hardware replacements. While the ISP was not named, evidence suggests it could be Windstream, which experienced an outage around the same time. Lumen's analysis later identified a remote access trojan (RAT) called Chalubo as the culprit, a malware first documented by Sophos in October 2018. Chalubo is known for its ability to perform DDoS attacks and execute Lua scripts, which were likely used to deliver the destructive payload. The exact initial access method remains unclear, but it may have involved exploiting weak credentials or exposed administrative interfaces. This attack stands out due to its scale and the need to replace such a large number of devices, marking it as an unprecedented event in cybersecurity history.

  • May 30, 2024

    • Du Emirates
    • Middle East
    • Asia
    • Ddarknotevil
    • United Arab Emirates

    Suspected Data Breach of "DU Emirates": Hacker Claims Theft of Over 360 GB of Sensitive Information

    A cybersecurity threat has surfaced targeting "DU Emirates", Integrated Telecommunications Corporation, with a hacker known as "Ddarknotevil" claiming to have stolen over 360 GB of sensitive data, including employee emails, network logs, customer device details, and proprietary software, which he is offering for USD 3,200. The hacker also released samples of the allegedly stolen data. Despite these claims, DU's official website shows no signs of disruption, and the breach remains unverified as DU officials have not responded. This incident highlights the increasing vulnerability of telecom operators to sophisticated cyber threats. If confirmed, the DU breach could lead to severe privacy violations, operational disruptions, reputational damage, financial losses, and national security concerns, underscoring the urgent need for robust cybersecurity measures in the industry.

  • May 30, 2024

    • Cryptocurrency
    • exclusive
    • Global
    • Email Collection
    • Data From Local System
    • Valid Accounts
    • Acquire Access
    • Data From Information Repositories
    • Account Manipulation
    • Account Discovery

    CRYPTO PLATFORM ACCESS OFFERED FOR SALE

    Cyberint Argos has identified an initial access broker offering system admin panel access to a crypto platform. This access is priced significantly higher than usual, at $50,000. The seller mentions that "further escalation is needed for direct withdrawal," with specific details to be discussed privately with interested, highly rated buyers. The access includes RDP via VPN and provides access to the user database and user portfolio, including phone numbers, emails, and other information.

  • May 30, 2024

    • Smoke Loader
    • Trickbot
    • Pikabot
    • Systembc
    • Icedid
    • Bumblebee

    Police seize over 100 malware loader servers, arrest four cybercriminals

    An international law enforcement initiative dubbed 'Operation Endgame' has dismantled over 100 servers used by major malware loader operations, including IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC. Conducted between May 27 and 29, 2024, the operation led to searches across 16 locations in Europe, resulting in the arrest of four individuals—one in Armenia and three in Ukraine. Additionally, eight fugitives have been identified and will be added to Europol’s ‘Most Wanted’ list. The seized infrastructure, spread across Europe and North America, hosted over 2,000 domains used for illicit services. Operation Endgame was a collaborative effort involving police forces from Germany, the United States, the United Kingdom, France, Denmark, and the Netherlands, with intelligence support from cybersecurity firms such as Bitdefender, Proofpoint, and Spamhaus. Europol revealed that one of the main suspects earned at least €69 million by renting out infrastructure for ransomware deployment.

  • May 30, 2024

    • Technology
    • Deliver Malicious App Via Other Means
    • Installer Packages
    • Credentials From Web Browsers

    Cybercriminals pose as "helpful" Stack Overflow users to push malware

    Cybercriminals are leveraging Stack Overflow to spread malware by answering user questions and recommending a malicious PyPI package named 'pytoileur.' The package, part of the known 'Cool package' campaign, masquerades as an API management tool but installs Windows information-stealing malware. Researchers found that the threat actors uploaded 'pytoileur' to the PyPI repository and then used Stack Overflow answers to suggest it as a solution, exploiting the platform's reputation and its large developer community. The malicious package contains an obfuscated 'setup.py' file that, when executed during installation, downloads and runs 'runtime.exe,' a Python program converted into an executable. This program steals cookies, passwords, browser history, credit card information and specific document data, sending it back to the attackers for sale on the dark web or for further account compromise. The tactic highlights the evolving methods of cybercriminals and underscores the importance of verifying the source and inspecting the code of any package developers integrate into their projects.
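    The install-time hook is the part a developer can check before running `pip install`: setup.py is executed by the installer, so a package that hides an `exec` of a decoded blob behind a custom install command compromises the machine without the project's code ever being imported. The scanner below is an added example, not Sonatype's, Cyberint's or any real tool's code. It uses Python's own `ast` module to find install-command overrides, `exec`/`eval` calls fed by a decoder, and network imports in a setup.py, and adds a plain-text check for code pushed off-screen by a long run of spaces. Both setup.py samples are constructed; the base64 string in the malicious one decodes to a harmless print statement and is never executed.

```python
import ast
import re
from typing import List, Tuple

INSTALL_HOOK_MODULES = {"setuptools.command.install", "setuptools.command.develop",
                        "setuptools.command.egg_info"}
NETWORK_MODULES = {"urllib", "requests", "socket", "http", "ftplib"}
DECODER_NAMES = {"b64decode", "b32decode", "a85decode", "decompress", "unhexlify"}
# Non-space, 30+ spaces/tabs, non-space: code hidden far to the right of a
# normal-looking statement on the same line.
PADDING = re.compile(r"\S[ \t]{30,}\S")


def _mentions_decoder(node: ast.AST) -> bool:
    """True if any name or attribute inside the node is a payload decoder."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Attribute) and sub.attr in DECODER_NAMES:
            return True
        if isinstance(sub, ast.Name) and sub.id in DECODER_NAMES:
            return True
    return False


def scan_setup_py(source: str) -> List[Tuple[str, int]]:
    """Return (finding_kind, line_number) pairs for a setup.py's source text."""
    findings: List[Tuple[str, int]] = []
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.ImportFrom) and node.module in INSTALL_HOOK_MODULES:
            findings.append(("install_hook", node.lineno))
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            names = [node.module] if isinstance(node, ast.ImportFrom) else [a.name for a in node.names]
            if any(n and n.split(".")[0] in NETWORK_MODULES for n in names):
                findings.append(("install_time_network", node.lineno))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
              and node.func.id in {"exec", "eval"}):
            kind = "exec_of_decoded_payload" if _mentions_decoder(node) else "dynamic_exec"
            findings.append((kind, node.lineno))
    for lineno, line in enumerate(source.splitlines(), 1):
        if PADDING.search(line):
            findings.append(("hidden_by_whitespace", lineno))
    return sorted(findings, key=lambda f: f[1])


# Constructed benign setup.py.
BENIGN_SETUP = '''from setuptools import setup
setup(name="demo", version="1.0", packages=["demo"])
'''

# Constructed to mirror the pytoileur pattern: an install hook whose payload sits
# behind a long run of spaces so it is off-screen in a normal editor view.
# The base64 string decodes to print('constructed') and is never executed here.
MALICIOUS_SETUP = '''from setuptools import setup
from setuptools.command.install import install
import base64
class PostInstall(install):
    def run(self):
        install.run(self);''' + " " * 120 + '''exec(base64.b64decode("cHJpbnQoJ2NvbnN0cnVjdGVkJyk="))
setup(name="not-an-api-tool", version="1.0", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    print("benign:", scan_setup_py(BENIGN_SETUP))
    print("malicious:", scan_setup_py(MALICIOUS_SETUP))
```

    Run it against the sdist's setup.py after `pip download --no-binary :all: <package>` and before installing; a package whose setup.py needs none of these constructs is the normal case, so any hit is worth reading by hand. Wheels skip setup.py entirely, which is one reason to prefer them from a trusted index.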

  • May 27, 2024

    • Retail
    • North America
    • United States
    • Storm-0539

    US retailers under attack by gift card-stealing threat actor group

    Earlier this month, the FBI issued a private industry notification concerning Storm-0539, also known as Atlas Lion, a cybercriminal group based in Morocco known for targeting retailers and orchestrating fraudulent gift card schemes. Microsoft conducted a more thorough analysis of the group's tactics, revealing their adept reconnaissance abilities, exploitation of cloud environments, and efforts to minimize operational costs. Storm-0539 cleverly poses as legitimate non-profits to secure sponsored or discounted cloud services, utilizes free trials or student accounts, and hijacks recently registered WordPress domains to host fraudulent pages. Storm-0539's modus operandi involves extracting personal and work-related contact information of employees from publicly available sources, then launching targeted smishing campaigns to lure victims into clicking malicious links. Once compromised, the attackers register their own devices within the victim's environment to intercept multifactor authentication (MFA) prompts. With access to employee accounts, Storm-0539 navigates through networks, identifying gift card-related operations to exploit. They create fraudulent gift cards using compromised accounts, either redeeming their value, selling them on black markets, or employing money mules for cashing out. Despite countermeasures implemented by some organizations, Storm-0539 persists, adapting techniques to capitalize on the increased gift card fraud during holiday seasons in the US, with a notable 30% surge in intrusion activity observed by Microsoft in recent months.

  • May 27, 2024

    • CVE-2024-4835

    High-severity GitLab flaw lets attackers take over accounts

    GitLab has patched a high-severity vulnerability (CVE-2024-4835) in the VS code editor (Web IDE) that allowed unauthenticated attackers to take over user accounts through cross-site scripting (XSS) attacks. This flaw enables threat actors to steal restricted information via maliciously crafted pages, although user interaction is necessary, adding complexity to the attack. GitLab released versions 17.0.1, 16.11.3, and 16.10.6 for its Community Edition (CE) and Enterprise Edition (EE) to address this and six other medium-severity vulnerabilities, including a CSRF flaw in the Kubernetes Agent Server and a denial-of-service bug. GitLab accounts, which often contain sensitive data, are popular targets for attackers who could insert malicious code into CI/CD environments. The Cybersecurity and Infrastructure Security Agency (CISA) recently warned of active exploitation of another severe vulnerability (CVE-2023-7028), which allows account takeover via password resets, urging U.S. federal agencies to secure their systems promptly.

  • May 27, 2024

    • malware
    • global

    Threat actors phish finance orgs using trojanized Minesweeper clone

    Threat actors are exploiting code from a Python clone of Microsoft's Minesweeper game to conceal malicious scripts in attacks on financial organizations in Europe and the US. The Ukrainian cybersecurity agencies CSIRT-NBU and CERT-UA attribute these attacks to the threat actor 'UAC-0188,' who hides Python scripts within the game code to download and install the legitimate remote management software SuperOps RMM, granting remote access to compromised systems. The attack starts with an email from "support@patient-docs-mail.com," impersonating a medical center and prompting recipients to download a 33MB .SCR file from Dropbox. This file contains Minesweeper game code and malicious Python code that downloads further scripts from anotepad.com. The embedded Minesweeper code masks the malicious base64-encoded string, which decodes to a ZIP file containing an MSI installer for SuperOps RMM, enabling unauthorized access. CERT-UA reports at least five breaches in financial and insurance institutions, urging organizations not using SuperOps RMM to consider its presence a sign of compromise.
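    The carving step CERT-UA describes, recovering the archive from the base64 string buried in the game code, is straightforward to automate and is what lets an analyst identify the payload without running the .SCR. The block below is an added example, not CERT-UA's, CSIRT-NBU's or Cyberint's code: it builds a constructed stand-in for the trojanized source (a few lines of game code plus a base64 string holding a ZIP whose single member starts with the OLE compound-file header that MSI installers use), then carves every long base64 run from the text, decodes it, identifies it by magic bytes and lists the archive's members with their own file types. Nothing here is taken from the real sample; the member name and contents are placeholders.

```python
import base64
import binascii
import io
import re
import zipfile
from typing import Dict, List

# Magic bytes for the container types relevant to this attack chain.
MAGIC = [
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole/msi"),  # OLE compound file, used by MSI
    (b"MZ", "pe"),
]


def sniff(data: bytes) -> str:
    """Identify a blob by its leading bytes."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def build_sample_source() -> str:
    """Constructed stand-in for the .SCR's Python source: a few lines of game
    code followed by a base64 string that decodes to a ZIP holding an
    OLE-headed file named like an MSI. Not the real sample."""
    fake_msi = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"constructed installer body " * 40
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("installer.msi", fake_msi)
    blob = base64.b64encode(buf.getvalue()).decode()
    return ("import random\n"
            "def new_board(rows, cols, mines):\n"
            "    cells = [[0] * cols for _ in range(rows)]\n"
            "    return cells\n"
            f"PAYLOAD = '{blob}'\n")


def carve_base64_blobs(text: str, min_len: int = 200) -> List[Dict]:
    """Find long base64 runs, decode them and report any that are a known
    container; ZIPs are opened and their members typed by magic bytes."""
    findings: List[Dict] = []
    for m in re.finditer(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, text):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        kind = sniff(data)
        if kind == "unknown":
            continue
        finding: Dict = {"offset": m.start(), "size": len(data), "kind": kind, "members": []}
        if kind == "zip":
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for info in zf.infolist():
                        finding["members"].append((info.filename, sniff(zf.read(info))))
            except zipfile.BadZipFile:
                finding["members"] = None  # truncated or corrupt archive
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in carve_base64_blobs(build_sample_source()):
        print(f"offset={f['offset']} size={f['size']} kind={f['kind']} members={f['members']}")
```

    On a real sample the text to scan is the Python source recovered from the PyInstaller-style .SCR; the same carver also catches a PE dropped directly as base64, since `sniff` recognises the MZ header. Extracted members should go to a sandbox, not be opened, and the presence of an MSI for a remote management tool the organisation does not use is the compromise indicator CERT-UA points to.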

  • May 27, 2024

    • Southern Asia
    • Government
    • India
    • Asia
    • exclusive

    Indian Navy Directorate of Weapon & Equipment's Data Leak

    Cyberint's Argos has detected a data leak being offered for sale related to India's military. According to the threat actor, the data includes information on all weapons used by the Indian Navy, such as BrahMos, SRGM, MRSAM, and LRSAM. The leak is 6GB in size and is being sold for $700, a surprisingly low price for such sensitive information. The threat actor has provided their TOX contact information, and other XSS forum members have already expressed interest in purchasing the leak.

  • May 27, 2024

    • Bloodalchemy
    • South-Eastern Asia
    • Southern Asia
    • Asia
    • Sharppanda

    BLOODALCHEMY Malware Targeting ASEAN Government Networks

    Cybersecurity researchers have identified that the malware BLOODALCHEMY, used in attacks on government organizations in Southern and Southeastern Asia, is an updated version of Deed RAT, which is itself a successor to ShadowPad. According to ITOCHU Cyber & Intelligence, the origins of BLOODALCHEMY and Deed RAT trace back to ShadowPad, a tool frequently used in advanced persistent threat (APT) campaigns. Documented by Elastic Security Labs in October 2023, BLOODALCHEMY was linked to the REF5961 intrusion set targeting ASEAN countries. The malware, a barebones x86 backdoor written in C, is injected into a benign process using DLL side-loading, allowing it to gather host information, load additional payloads, and uninstall itself. Researchers suggest that the limited commands of BLOODALCHEMY might indicate it is either part of a larger malware package still in development or a highly focused tool for specific tactical uses. The attack chain involves compromising a maintenance account on a VPN device to deploy the malware, which then sideloads a loader to execute the BLOODALCHEMY shellcode. This malware uses a run mode to evade sandbox analysis, establish persistence, contact a remote server, and control the infected host. ITOCHU's analysis found code similarities between BLOODALCHEMY and Deed RAT, both used by the Space Pirates threat actor, suggesting a lineage from PlugX to ShadowPad. This connection underscores the extensive use of these tools by China-nexus hacking groups. Recent leaks from a Chinese state contractor revealed that overlapping tools and techniques among Chinese hacking groups result from "digital quartermasters" managing a centralized pool of resources. Meanwhile, the China-linked Sharp Dragon threat actor has expanded its cyber espionage activities to target government organizations in Africa and the Caribbean.

  • May 26, 2024

    • Middle East
    • Education
    • Israel
    • Asia
    • Ramat Gan Academic College
    • exclusive

    RAMAT GAN ACADEMIC COLLEGE Attack

    The Handala group has attacked Ramat Gan Academic College. The group announced the attack through its official account on the RAMP forum and published proof of concept showing that the college's official site had been defaced. In addition, the group claims to have accessed a database containing all student data, which it has made available for download on its Telegram channel.

  • May 26, 2024

    • Windows Management Instrumentation
    • Indicator Removal On Host
    • Visual Basic
    • Data Encrypted For Impact
    • Shrinklocker

    New ShrinkLocker ransomware uses BitLocker to encrypt files

    Security researchers have observed a new ransomware strain, ShrinkLocker, which locks corporate systems by creating a new boot partition and encrypting drives with Windows BitLocker. Named for the way it shrinks existing non-boot partitions to make room for a boot volume, ShrinkLocker has hit government entities and companies in the vaccine and manufacturing sectors. Using BitLocker for ransomware is not new, but ShrinkLocker adds previously unreported features designed to maximize damage. It is written in VBScript, a language Microsoft is deprecating and that is now a feature-on-demand in Windows 11, version 24H2. The script uses Windows Management Instrumentation (WMI) to identify the Windows version on the target machine and proceeds only if certain conditions are met, such as the machine belonging to the targeted domain and the OS being newer than Vista. If the criteria are satisfied, ShrinkLocker runs the diskpart utility to shrink each non-boot partition by 100MB and creates new primary volumes from the unallocated space. On Windows Server 2008 and 2012 it saves the boot files and volume indexes before resizing the partitions. Finally, it reinstalls the boot files on the new partitions using the BCDEdit command-line tool, making the encryption as disruptive as possible.
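    The sequence above leaves a distinctive parent-child trail: a script host (wscript.exe or cscript.exe) spawning diskpart.exe and bcdedit.exe within minutes, which is not something administrators do from a VBScript. The detection below is an added example, not Kaspersky's or Cyberint's logic: it walks constructed process-creation events of the shape Sysmon event 1 or EDR telemetry provides, reduced to the fields needed, and reports any script-host process whose descendants include both tools inside a time window. The script path and the command-line arguments in the events are placeholders, not indicators from the report, and a benign administrator session is included to show it is not flagged.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DISK_TOOLS = {"diskpart.exe", "bcdedit.exe"}

# Constructed process-creation events. PIDs 400-411 mimic the ShrinkLocker chain;
# PIDs 500-510 are an administrator running diskpart from a shell.
EVENTS: List[Dict] = [
    {"ts": "2024-05-20T09:00:00", "pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\ProgramData\Disk.vbs"},
    {"ts": "2024-05-20T09:00:04", "pid": 410, "ppid": 400,
     "image": r"C:\Windows\System32\diskpart.exe",
     "cmdline": r"diskpart.exe /s C:\ProgramData\shrink.txt"},
    {"ts": "2024-05-20T09:01:10", "pid": 411, "ppid": 400,
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": r"bcdedit.exe /store E:\Boot\BCD /set {default} device partition=E:"},
    {"ts": "2024-05-20T10:30:00", "pid": 500, "ppid": 1,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"ts": "2024-05-20T10:30:15", "pid": 510, "ppid": 500,
     "image": r"C:\Windows\System32\diskpart.exe", "cmdline": "diskpart.exe"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_script_host_disk_tampering(events: List[Dict], window_seconds: int = 600) -> List[Dict]:
    """Report script-host processes whose descendants ran every tool in DISK_TOOLS
    within window_seconds of the script starting. PID reuse is not handled; a
    production rule would key on the process GUID the sensor provides."""
    children: Dict[int, List[Dict]] = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    hits = []
    for e in events:
        if _basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        start = datetime.fromisoformat(e["ts"])
        seen: Dict[str, str] = {}
        stack = list(children[e["pid"]])
        while stack:  # depth-first over the whole process subtree
            child = stack.pop()
            name = _basename(child["image"])
            elapsed = (datetime.fromisoformat(child["ts"]) - start).total_seconds()
            if name in DISK_TOOLS and 0 <= elapsed <= window_seconds:
                seen.setdefault(name, child["cmdline"])
            stack.extend(children[child["pid"]])
        if DISK_TOOLS <= set(seen):
            hits.append({"script_pid": e["pid"], "script_cmdline": e["cmdline"], "tools": seen})
    return hits


if __name__ == "__main__":
    for hit in find_script_host_disk_tampering(EVENTS):
        print(hit)
```

    Because diskpart reads its commands from the `/s` script file rather than the command line, the `shrink` keyword never appears in process telemetry; the rule therefore keys on the parent process and tool combination instead. Pairing this with an alert on BitLocker protector changes (Microsoft-Windows-BitLocker-API event log) gives a second signal before encryption completes.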

  • May 26, 2024

    • Google
    • Global

    Arc browser’s Windows launch targeted by Google ads malvertising

    A new Google Ads malvertising campaign emerged alongside the launch of the Arc web browser for Windows, tricking users into downloading malware through trojanized installers. The Arc browser, known for its unconventional interface, was eagerly anticipated after a successful macOS launch in July 2023. Threat actors exploited this anticipation with malicious ads on Google Search that displayed what looked like legitimate URLs. Clicking the ads redirected users to typo-squatted domains resembling the genuine Arc website. Downloads from these sites delivered a trojanized installer that fetched additional payloads, including 'bootstrap.exe' and 'JRWeb.exe', from external resources including the MEGA file-hosting platform. Malwarebytes reported that the installers used MEGA's API for command and control and employed techniques such as injecting code into msbuild.exe via a Python executable. The final payload is believed to be an info-stealer, though this has not yet been confirmed. Because the genuine Arc browser is installed correctly alongside the malware, victims are unlikely to notice anything wrong. The campaign shows how consistently threat actors exploit the excitement around new software launches. Users should avoid promoted search results, use ad blockers, verify domain authenticity before downloading, and scan downloaded files with up-to-date antivirus tools before executing them.

  • May 26, 2024

    • crypto
    • arrest

    Indian man stole $37 million in crypto using fake Coinbase Pro site

    Indian national Chirag Tomar pleaded guilty to wire fraud conspiracy for stealing over $37 million by creating a fake Coinbase Pro website to obtain user credentials. Arrested on December 20, 2023, at the Atlanta airport, Tomar and his co-conspirators launched the fraudulent site in June 2021, luring legitimate Coinbase customers to enter their login details and two-factor authentication codes. They then used social engineering techniques, including fake login errors and impersonating Coinbase representatives, to gain control of victims' accounts and transfer funds to their wallets. The stolen cryptocurrency was quickly converted and moved among various wallets before being cashed out. Tomar used the illicit gains to fund a lavish lifestyle, including luxury items and international travel.

  • May 23, 2024

    • Cryptocurrency
    • Xmrig

    REF4578

    A sophisticated crypto-mining campaign tracked as 'REF4578' has been identified, deploying a payload called GhostEngine. The payload abuses vulnerable drivers to disable security products and then installs the XMRig miner. Researchers from Elastic Security Labs and Antiy have noted the complexity of these attacks and published detection rules, but have not identified the threat actors or the targets involved.

    The initial access vector remains unclear. The attack begins with the execution of a file named 'Tiworker.exe', which masquerades as a legitimate Windows file and acts as the initial payload. When run, it downloads a PowerShell script named 'get.png' from the attackers' command and control (C2) server, which serves as GhostEngine's primary loader. This script downloads additional modules, disables Windows Defender, enables remote services, and clears various Windows event logs. 'get.png' then checks for at least 10 MB of free disk space before continuing the infection and creates scheduled tasks named 'OneDriveCloudSync', 'DefaultBrowserUpdate', and 'OneDriveCloudBackup' for persistence.

    The PowerShell script next downloads and launches an executable named 'smartscreen.exe', which is GhostEngine's primary payload. It terminates and deletes EDR software and launches the XMRig miner. To kill EDR processes, GhostEngine loads two vulnerable kernel drivers: aswArPots.sys (an Avast driver) to terminate the processes and IObitUnlockers.sys (an IObit driver) to delete their executables. The list of targeted EDR processes is hardcoded into the malware.

    For persistence, a DLL named 'oci.dll' is loaded by the Windows service 'msdtc'. When the service starts, the DLL downloads a fresh copy of 'get.png' so that the latest version of GhostEngine is installed on the machine. While Elastic Security has not observed significant earnings from the single payment ID it examined, it is possible that each victim is associated with a unique wallet, in which case the total financial gain could be substantial.
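    The ShrinkLocker item above and the GhostEngine chain just described both come down to a handful of host indicators: a script host spawning diskpart and BCDEdit, look-alike Windows binaries running from user-writable paths, known scheduled-task names, the two abused drivers, and oci.dll loaded by the msdtc service. The following is an added example, not code from Cyberint, Kaspersky or Elastic, of a small correlation pass over constructed endpoint events covering both families. The event schema, the assumption that genuine copies of the look-alike binaries live under C:\Windows, and every sample event are assumptions made for the example; only the indicator names come from the two items.

```python
# Added example: correlate constructed endpoint events against the ShrinkLocker
# and GhostEngine indicators described in the news items above. Event schema,
# paths and sample events are assumptions for this example.
from collections import defaultdict
from dataclasses import dataclass

GHOSTENGINE_TASKS = {"OneDriveCloudSync", "DefaultBrowserUpdate", "OneDriveCloudBackup"}
GHOSTENGINE_DRIVERS = {"aswarpots.sys", "iobitunlockers.sys"}   # abused Avast / IObit drivers
GHOSTENGINE_FILES = {"tiworker.exe", "smartscreen.exe"}         # Windows look-alike names
SHRINKLOCKER_TOOLS = {"diskpart.exe", "bcdedit.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}                   # VBScript interpreters
WINDOWS_DIR = "c:\\windows\\"   # assumption: genuine copies of look-alike names live here


@dataclass
class Event:
    kind: str            # "process" | "task" | "driver" | "image_load"
    host: str
    image: str = ""      # path of the started process / loaded driver or DLL
    parent: str = ""     # parent process path (kind == "process")
    cmdline: str = ""
    name: str = ""       # scheduled task name (kind == "task")
    loader: str = ""     # loading process path (kind == "image_load")


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_event(ev: Event) -> list:
    """Return (family, reason) tuples for one event; empty list if nothing matched."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent)
    if ev.kind == "process":
        # ShrinkLocker: a VBScript host driving diskpart/bcdedit to carve a boot volume
        if img in SHRINKLOCKER_TOOLS and parent in SCRIPT_HOSTS:
            hits.append(("ShrinkLocker", f"{parent} spawned {img} ({ev.cmdline.strip()})"))
        # GhostEngine: Windows-named binaries executing from outside the Windows directory
        if img in GHOSTENGINE_FILES and not ev.image.lower().startswith(WINDOWS_DIR):
            hits.append(("GhostEngine", f"{img} executed from {ev.image}"))
    elif ev.kind == "task" and ev.name in GHOSTENGINE_TASKS:
        hits.append(("GhostEngine", f"scheduled task {ev.name} created"))
    elif ev.kind == "driver" and img in GHOSTENGINE_DRIVERS:
        hits.append(("GhostEngine", f"vulnerable driver {img} loaded"))
    elif ev.kind == "image_load" and img == "oci.dll" and basename(ev.loader) == "msdtc.exe":
        hits.append(("GhostEngine", "oci.dll loaded by the msdtc service (persistence)"))
    return hits


def correlate(events) -> dict:
    """Per (host, family): distinct reasons plus a grade. One indicator alone is
    'medium'; two or more independent indicators on the same host is 'high'."""
    reasons = defaultdict(set)
    for ev in events:
        for family, why in match_event(ev):
            reasons[(ev.host, family)].add(why)
    return {key: {"severity": "high" if len(r) >= 2 else "medium", "reasons": sorted(r)}
            for key, r in reasons.items()}


# Constructed sample telemetry (not captured from a real incident).
SAMPLE_EVENTS = [
    Event("process", "srv01", image=r"C:\Windows\System32\diskpart.exe",
          parent=r"C:\Windows\System32\wscript.exe", cmdline="shrink desired=100"),
    Event("process", "srv01", image=r"C:\Windows\System32\bcdedit.exe",
          parent=r"C:\Windows\System32\wscript.exe", cmdline="/set {default} device partition=D:"),
    Event("process", "web02", image=r"C:\Users\Public\Tiworker.exe",
          parent=r"C:\Windows\System32\cmd.exe"),
    Event("task", "web02", name="OneDriveCloudSync"),
    Event("driver", "web02", image=r"C:\Windows\Temp\aswArPots.sys"),
    Event("image_load", "web02", image=r"C:\Windows\System32\oci.dll",
          loader=r"C:\Windows\System32\msdtc.exe"),
    # Benign: the real TiWorker.exe under WinSxS, started by TrustedInstaller
    Event("process", "ws03", image=r"C:\Windows\WinSxS\amd64_servicing\TiWorker.exe",
          parent=r"C:\Windows\servicing\TrustedInstaller.exe"),
]

if __name__ == "__main__":
    for (host, family), verdict in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {family} [{verdict['severity']}]")
        for why in verdict["reasons"]:
            print("   -", why)
```

    The path check on Tiworker.exe and smartscreen.exe is deliberately loose: the real binaries sit under C:\Windows, so the useful signal is the name paired with any other location, not the name itself. Grading on the number of independent indicators per host, rather than on any single match, is what keeps a lone diskpart invocation from paging anyone at night.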

  • May 22, 2024

    • Asia
    • Middle East
    • Goldfarb Seligman
    • Israel

    Cyber Attack Targets One of Israel's Largest Law Firms "Goldfarb Seligman"

    The Israeli law firm "Goldfarb Seligman" was targeted in a cyber attack in which hackers reportedly gained access to its email server and may have stolen client email correspondence. So far no ransom demand has been made and no group has claimed responsibility, so it remains unclear who carried out the attack and what they intend to do with the stolen data. Goldfarb Seligman is one of the leading law firms in Israel, representing high-profile clients such as Israeli banks, telecommunications companies, and senior business figures. The incident was reported to the firm by the Israel National Cyber Directorate.

  • May 20, 2024

    • global
    • crypto

    Chinese Nationals Arrested for Laundering $73 Million in Pig Butchering Crypto Scam

    Two Chinese nationals, Daren Li and Yicheng Zhang, have been arrested in the U.S. for allegedly laundering $73 million through a "pig butchering" cryptocurrency scam. This scheme involved tricking victims into investing in fake crypto ventures and funneling their funds through various shell companies and financial institutions. The laundered money was then transferred to international bank accounts and converted to cryptocurrencies such as USDT, with Li and Zhang overseeing the operation. The scam targeted wealthy individuals via social engineering techniques on dating and social media platforms. These scams often pose as romantic interests to build trust and manipulate victims into transferring their money. The arrested individuals face multiple charges of money laundering, with each count carrying a potential 20-year prison sentence. The case highlights the growing threat of crypto-related financial crimes and the ongoing efforts by authorities to combat them.

  • May 20, 2024

    • Latrodectus
    • Icedid

    Latrodectus Malware Loader Emerges as IcedID's Successor in Phishing Campaigns

    Cybersecurity researchers have identified a surge in email phishing campaigns since early March 2024 distributing Latrodectus, a malware loader believed to be the successor to IcedID. Latrodectus can deploy additional payloads such as QakBot, DarkGate, and PikaBot, facilitating a range of post-exploitation activity, and recent enhancements include commands to enumerate files on the desktop and to retrieve the ancestry of running processes on infected machines. In a separate campaign reported alongside it, phishing emails masquerading as QuickBooks invoices urge users to install Java; the link instead downloads a malicious JAR file that executes a PowerShell script to launch DarkGate. Social engineering campaigns have also used an updated version of the Tycoon phishing-as-a-service platform to harvest Microsoft 365 and Gmail session cookies and bypass multi-factor authentication.

  • May 20, 2024

    • Caspersecurity Stealer
    • exclusive

    CasperSecurity Stealer Version 2.0 Released

    Cyberint’s Argos detected an updated version of the CasperSecurity Stealer, posted by its developer. This second version of the malware enhances its ability to steal a wide range of sensitive data, including browser information (passwords, cookies, history, credit cards, autofills, downloads), wallet data (desktop and extensions), and password manager details. Additionally, it can steal Telegram and Discord sessions. The malware supports over 20 browsers and is compatible with the latest Windows environments.

  • May 19, 2024

    • Global
    • Kinsing
    • Exploits
    • Botnet

    Kinsing Threat Actors Exploit More Flaws to Expand Botnet for Cryptojacking

    Kinsing, also known as H2Miner, is a malware family and threat actor active since 2019 that has expanded its toolkit to exploit newly disclosed vulnerabilities and enrol infected systems into a crypto-mining botnet. Its infrastructure falls into three categories: initial servers that scan for and exploit vulnerabilities, download servers that host payloads and scripts, and command-and-control (C2) servers that maintain contact with compromised systems. The C2 servers are primarily hosted in Russia, while the download servers are spread across Luxembourg, Russia, the Netherlands, and Ukraine. Kinsing targets both Linux and Windows systems, predominantly open-source runtime applications, databases, and cloud infrastructure, leveraging flaws in software such as Apache, Atlassian Confluence, and Docker. The trend highlights how quickly botnet operators weaponise new vulnerabilities to extend their reach.

  • May 19, 2024

    • Finance
    • Grandoreiro

    Banking malware Grandoreiro returns after police disruption

    After a police operation disrupted the Grandoreiro banking malware operation in January 2024, the malware has resurfaced in a large-scale phishing campaign affecting over 60 countries, targeting customer accounts of roughly 1,500 banks. Initially targeting Spanish-speaking countries, Grandoreiro now also targets English-speaking regions and has evolved with new features, including improved encryption, expanded command sets, and enhanced victim profiling. Despite arrests and seizures, the creators remain active, renting the malware to cybercriminals through a Malware-as-a-Service (MaaS) model. The resurgence and technical improvements highlight the ongoing threat posed by Grandoreiro.

  • May 16, 2024

    • Turla
    • Middle East
    • Government
    • Asia
    • Lunarmail
    • Lunarweb

    Turla Group Deploys LunarWeb and LunarMail Backdoors in Diplomatic Missions

    ESET researchers have attributed two previously unknown backdoors, LunarWeb and LunarMail, to the Turla cyber espionage group (also tracked as Waterbug or Venomous Bear) with medium confidence. The toolset was used against a European ministry of foreign affairs and its diplomatic missions abroad, including in the Middle East, and some of the activity may date back to 2020. LunarWeb is deployed on servers and communicates with its command-and-control infrastructure over HTTP(S), blending in by imitating legitimate traffic and retrieving commands hidden inside image files. LunarMail is deployed on workstations as an Outlook add-in and uses email messages for command and control, which lets it operate where arbitrary outbound connections are restricted. Both backdoors execute operator commands and exfiltrate data, and spearphishing with a weaponised Word document was observed as one initial access vector. The two families underscore Turla's continued investment in custom tooling that evades detection and maintains long-term access to diplomatic and government networks.

  • May 16, 2024

    • global
    • crypto
    • arrest

    Brothers arrested for $25 million theft in Ethereum blockchain attack

    Brothers Anton and James Peraire-Bueno have been arrested in the United States on US Department of Justice charges over the theft of about $25 million on the Ethereum blockchain in April 2023. According to the indictment, the pair exploited a vulnerability in the MEV-boost relay software used by Ethereum validators: they lured maximal-extractable-value (MEV) bots with bait transactions, sent a false signature to the relay to obtain early access to the private transaction bundles the bots had built, replaced the bots' transactions with their own, and drained the funds in roughly 12 seconds. They then allegedly laundered the proceeds through shell companies and exchanges and rejected requests to return the money. Each brother is charged with conspiracy to commit wire fraud, wire fraud, and conspiracy to commit money laundering, with each count carrying up to 20 years in prison. The case is notable because the attack targeted the block-building infrastructure around the chain rather than a smart contract or a user's private keys.

  • May 16, 2024

    • Ghostsec
    • Stormous
    • exclusive

    GhostSec Announces Retirement From the "Cybercrime Scene"

    GhostSec, until now engaged in financially motivated cybercrime, has declared its withdrawal from the cybercrime and ransomware scene to refocus on hacktivism, its original mission. The group's leaders conveyed the message via their private Telegram channel, indicating that they will remain active for the time being and will offer hacking courses. They also announced the discontinuation of the GhostLocker ransomware, with plans to release the complete code of the third version of Stormous and to transition GhostLocker customers to the new Stormous locker.

  • May 12, 2024

    • South-Eastern Asia
    • exclusive
    • Indonesia
    • Asia
    • Jakarta University

    JAKARTA UNIVERSITY DATABASE Free Download

    The threat actor 'pigcad' posted a link to a free download of a Jakarta University database. The data reportedly includes all student information, such as passwords, personal details, family names, phone numbers, and email addresses. The item was found by the Argos system on the XSS forum.

  • May 12, 2024

    • breach
    • global

    Europol confirms web portal breach, says no operational data stolen

    Europol has confirmed a breach of its web portal but says that no operational data was compromised. The breach occurred through a third-party service provider used by Europol. The compromised information consisted primarily of administrative documents related to internal affairs and contained personal data of Europol staff. Europol stated that its operational activities were not affected and that steps have been taken to address the incident and strengthen security measures. The breach shows that even law enforcement and intelligence bodies face the same supplier and portal risks as any other organisation, and underlines the need for regular audits of third-party access to sensitive information.

  • May 12, 2024

    • Eastern Europe
    • Europe
    • exclusive
    • Bulgaria

    Access for Big Financial Company is Offered For sale

    On May 11th, a threat actor named "goodz" posted on the Exploit forum offering access to a major Bulgarian organisation for $25,000. The access is offered as RDP to a system administrator account; the high price suggests that a buyer could reach valuable internal information, including user data and administrative dashboards, and that the compromised access could provide significant intelligence to the purchaser.

  • May 12, 2024

    • Cryptocurrency
    • Apt43
    • Durian

    North Korean Threat actor Kimsuky Deploy New Golang Malware 'Durian' Against Crypto Firms

    Kaspersky's APT trends report for the first quarter of 2024 attributes a previously unseen backdoor written in Golang, tracked as Durian, to the North Korean state-sponsored group Kimsuky (also tracked as APT43). Durian was observed in 2023 attacks on two South Korean cryptocurrency firms; in both cases a legitimate security product used in South Korea was abused to deliver the malware, although the exact method by which the software was subverted remains unclear. Durian provides full backdoor functionality, including command execution, file download and upload, and exfiltration of files, and was used to deploy further tooling: the AppleSeed backdoor long associated with Kimsuky, and LazyLoad, a custom proxy tool that has also been linked to Andariel, a subgroup of the Lazarus Group, suggesting an overlap between the two operations. Golang's cross-platform toolchain and easy static linking make it increasingly popular with malware authors. Organisations in the cryptocurrency sector, and any business relying on regional security software, should monitor for unexpected downloads and process launches originating from that software and for the post-exploitation components named above.

  • May 12, 2024

    • Netsupportmanager Rat
    • Diceloader
    • Fin7
    • Phishing

    FIN7 Group Leverages Malicious Google Ads to Deliver NetSupport RAT

    Researchers at eSentire have observed the FIN7 cybercrime group (also tracked as Carbanak) using malicious Google Ads that impersonate well-known brands and software, including AnyDesk, WinSCP, and Google Meet, to lure users to look-alike websites. The sites prompt visitors to install a "browser extension", which is in fact a malicious MSIX installer; when run, an embedded PowerShell script downloads and installs the NetSupport Manager remote access tool, giving the attackers remote control of the host. In some intrusions NetSupport RAT was then used to deploy DiceLoader (also known as Lizar or IceBot), a FIN7 loader used to stage further payloads. Using a legitimate remote-administration product as the first stage helps the activity blend in with IT support traffic. Defenders should block or closely audit MSIX installs from unknown sources, alert on NetSupport components appearing on hosts where the product is not licensed, and train users to distrust search ads as a download channel.

  • May 08, 2024

    • Middle East
    • Ghostsec
    • Asia
    • Medocann Group
    • Israel
    • Mkm S.K Company Ltd
    • Regulus Cyber

    GhostSec Hackers Claim Breach of Israeli Industrial Control Systems

    The hacker group "GhostSec" claimed to have infiltrated and damaged several Industrial Control Systems (ICS) belonging to Israeli entities. According to the group they gained access to multiple devices, including the energy protection system controller in the city of Netanya, the water cooling system produced by the Israeli company 'MKM', 12 control panels used for medical-grade cannabis cultivation belonging to the company 'Medocann Group', and a ring radar system from the Israeli firm 'Regulus'. The group released a video allegedly demonstrating their access to the aforementioned devices.

  • May 08, 2024

    • global
    • ttps

    New attack leaks VPN traffic using rogue DHCP servers

    Researchers at Leviathan Security have disclosed a technique they call "TunnelVision" (CVE-2024-3661) that lets an attacker on the same local network as a VPN user route that user's traffic outside the VPN tunnel. The attack abuses DHCP option 121 (classless static routes): a rogue or compromised DHCP server pushes routes that are more specific than the ones the VPN client installed, and because the operating system selects routes by longest prefix match, traffic for those destinations leaves through the physical interface in cleartext instead of the encrypted tunnel. The VPN connection itself stays up, the client still reports it as connected, and many kill-switch implementations do not detect the leak. The technique does not exploit the VPN protocol or any cryptography; it works against any VPN client that relies on routing-table manipulation on a host whose DHCP client honours option 121, which includes Windows, macOS, and most Linux distributions. Android is not affected because it ignores option 121, and on Linux the leak can be prevented by running the VPN inside its own network namespace. Other mitigations are firewall rules that permit outbound traffic only through the VPN interface and to the VPN server, configuring the DHCP client to ignore option 121 where possible, and avoiding untrusted networks such as public Wi-Fi.
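    The whole attack rests on how option 121 is encoded and on longest-prefix matching, so the following added example, not code from the original item or from the Leviathan researchers, decodes an option 121 payload as a rogue server would send it and flags the routes that would win over the VPN's route. The sample payload, the assumed VPN gateway 10.8.0.1, and the LAN router addresses are constructed for the example.

```python
# Added example: decode DHCP option 121 (RFC 3442 classless static routes) and
# flag routes that would take traffic off a VPN tunnel. Not code from the
# original item or from the TunnelVision researchers. The sample payload, the
# VPN gateway 10.8.0.1 and the LAN router addresses are constructed.
import ipaddress


def decode_option_121(payload: bytes) -> list:
    """Return [(IPv4Network, IPv4Address router), ...] from raw option 121 bytes.

    RFC 3442 packs each route as one prefix-length byte, then only the
    significant destination octets (ceil(prefix/8) of them), then a 4-byte
    router address. A /0 route therefore carries no destination octets.
    """
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        i += 1
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen}")
        n = (plen + 7) // 8
        if i + n + 4 > len(payload):
            raise ValueError("truncated option 121 payload")
        dest = payload[i:i + n] + bytes(4 - n)        # zero-fill the omitted octets
        router = payload[i + n:i + n + 4]
        i += n + 4
        routes.append((ipaddress.IPv4Network((dest, plen), strict=False),
                       ipaddress.IPv4Address(router)))
    return routes


def encode_option_121(routes) -> bytes:
    """Inverse of decode_option_121; builds the payload a rogue server would send."""
    out = bytearray()
    for net, router in routes:
        net, router = ipaddress.IPv4Network(net), ipaddress.IPv4Address(router)
        n = (net.prefixlen + 7) // 8
        out.append(net.prefixlen)
        out += net.network_address.packed[:n]
        out += router.packed
    return bytes(out)


def bypassing_routes(routes, vpn_gateway: str, protected: str = "0.0.0.0/0") -> list:
    """Routes that win longest-prefix match over the VPN's route for `protected`
    and point at a router other than the VPN gateway: traffic to those prefixes
    leaves via the physical interface in cleartext. Equal-length prefixes are
    included because the outcome then depends only on route metric."""
    gw = ipaddress.IPv4Address(vpn_gateway)
    scope = ipaddress.IPv4Network(protected)
    return [(net, rtr) for net, rtr in routes
            if rtr != gw and net.prefixlen >= scope.prefixlen and net.subnet_of(scope)]


# Constructed payload: the classic 0.0.0.0/1 + 128.0.0.0/1 pair (more specific
# than any default route), a 10.0.0.0/8 route, and a plain default route,
# all pointing at LAN addresses rather than the VPN gateway.
SAMPLE_OPTION_121 = bytes.fromhex(
    "01 00 c0a801fe"      # 0.0.0.0/1   via 192.168.1.254
    "01 80 c0a801fe"      # 128.0.0.0/1 via 192.168.1.254
    "08 0a c0a80101"      # 10.0.0.0/8  via 192.168.1.1
    "00    c0a80101"      # 0.0.0.0/0   via 192.168.1.1
)

if __name__ == "__main__":
    routes = decode_option_121(SAMPLE_OPTION_121)
    for net, rtr in routes:
        print(f"route {net!s:<14} via {rtr}")
    for net, rtr in bypassing_routes(routes, "10.8.0.1"):
        print(f"LEAK: {net} would bypass the tunnel via {rtr}")
```

    The two /1 routes are the interesting case: a VPN client that installs its own 0.0.0.0/1 and 128.0.0.0/1 pair to beat the LAN default route is itself beaten by the same pair arriving via DHCP, because the kernel then decides on metric rather than prefix length. Passing a narrower `protected` prefix models a split-tunnel configuration, where only routes more specific than the tunnel's own prefix matter.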

  • May 08, 2024

    • CVE-2024-2876
    • CVE-2023-40000
    • CVE-2022-22605

    Threat actors exploit LiteSpeed Cache flaw to create WordPress admins

    Threat actors are exploiting CVE-2023-40000, an unauthenticated stored cross-site scripting (XSS) vulnerability in the popular LiteSpeed Cache WordPress plugin, to create rogue administrator accounts on vulnerable sites, according to WPScan. The flaw was fixed in LiteSpeed Cache 5.7.0.1, released in October 2023, but a large share of the plugin's install base still runs older versions. Attackers inject JavaScript into the plugin's option values stored in the WordPress database (the litespeed.admin_display.messages entry in wp_options); the script executes in the browser of the next administrator who opens the dashboard and silently creates a new admin user, with account names such as 'wpsupp-user' and 'wp-configuser' observed, after which the attackers have full control of the site. Site owners should update LiteSpeed Cache to the latest version, review the wp_users table for unexpected administrators, and inspect the litespeed option rows for injected script tags. The same reporting notes in-the-wild exploitation of CVE-2024-2876, an unauthenticated SQL injection in the Email Subscribers by Icegram Express plugin, in the same period.

  • May 07, 2024

    • Middle East
    • The Five Families
    • Stormous
    • Asia
    • United Arab Emirates

    The Five Families Group Claims Major Breach on UAE Targets

    On May 1st, 2024, the 'Stormous' hackers group, which is part of 'The Five Families' group, claimed to have gained access to several key entities in the UAE, including governmental agencies. The group is demanding 150 BTC and threatens to publicly offer the breached data for sale if the payment is not received before the deadline on May 7th. Additionally, they indicate that some of the stolen data will be leaked, even if it is also offered for sale.

  • May 06, 2024

    • CVE-2024-26304
    • CVE-2024-26305
    • CVE-2024-33511
    • CVE-2024-33512
    • Technology
    • Aruba Networks
    • North America
    • United States

    Four Critical Vulnerabilities Expose HPE Aruba Devices to RCE Attacks

    HPE Aruba Networking has released patches for four critical (CVSS 9.8) unauthenticated buffer-overflow vulnerabilities in ArubaOS, tracked as CVE-2024-26304, CVE-2024-26305, CVE-2024-33511, and CVE-2024-33512. All four are reachable by sending crafted packets to the PAPI (Process Application Programming Interface) management protocol on UDP port 8211 and can lead to remote code execution as a privileged user on the underlying operating system. The affected components are the L2/L3 management service, the utility daemon, the automatic reporting service, and the local user authentication database. Affected products include Mobility Conductor, Mobility Controllers, and WLAN and SD-WAN gateways managed by Aruba Central running the ArubaOS 10.5, 10.4, 8.11, and 8.10 branches, as well as end-of-life releases that will not receive fixes. Administrators should upgrade to a patched release; for ArubaOS 8.x, enabling the Enhanced PAPI Security feature with a non-default key mitigates the issue, and PAPI should in any case never be exposed to untrusted networks.

  • May 02, 2024

    • Xehook Stealer
    • exclusive

    XEHOOK STEALER Update

    The developer of the XEHOOK Stealer posted an update regarding the malware's log-transfer method and new testing of protections against runtime detection. According to the developer, the method of transferring logs to the spacer servers has been changed: logs are now sent to the server in encrypted form, and much faster than before.
