
Breaking Cyber News From Cyberint

Breaking news feed of the latest cyber incidents, breaches, vulnerabilities, malware, ransomware and so much more.

  • Jul 26, 2024

    • Philippines
    • arrest
    • South-Eastern Asia
    • Asia
    • Voice Phishing
    • Finance

    Group of Cyber Criminals conducting Vishing Attacks against local Philippine banks arrested by Law Enforcement

    A group of vishing operators, composed of 9 members, was arrested by Philippine local police on July 25, 2024. These operators mainly target local bank customers, especially the elderly (senior citizens). According to the apprehended operators, their modus operandi is to pose as bank agents and tell the targeted customer that their credit card points can be converted to cash. They then ask the targeted customer for the One-Time PIN (OTP), which they use to start performing fraudulent activities on the victim's bank account. The operators said they buy used SIM cards still registered under the name of their first owners, probably in underground channels such as Telegram, for around 2 to 4 US Dollars, equivalent to 100 to 200 Philippine Pesos. The local police also retrieved bank documents from the operators' den containing the mobile numbers of potential bank customers; these documents are bought for around 2 US Dollars, equivalent to 100 Philippine Pesos. The Philippine National Police (PNP) stated that the arrested operators are part of a bigger cyber syndicate which is still being tracked and investigated.

  • Jul 25, 2024

    • Asia
    • Israel
    • Zeus
    • Middle East

    'Zeus' Leaks Personal Information of Israeli Olympic Delegation Members

    A new hacker known as 'Zeus' has published personal information about the members of the Israeli 2024 Olympic delegation. The exposed data includes phone numbers, email addresses, home addresses, ID numbers, family relations, and more.

  • Jul 25, 2024

    • exclusive
    • Viralgod
    • Latin America And The Caribbean
    • Chile

    Threat Actor offering for sale over 14.5 Million lines of Chilean Citizens Data

    The threat actor **ViralGod** is offering for sale on the cybercrime forum BreachForums a database of Chilean citizens. The threat actor claims to have over 14.5 million lines of citizens' information, including RUT (Tax ID), full name, address, region, and comuna. The database is being offered at $500 USD.

  • Jul 24, 2024

    • Meow
    • Manufacturing
    • Eastern Asia
    • Daikin
    • Asia
    • Japan

    Meow Ransomware Group Allegedly Attacked Daikin, A Major Japanese Air Conditioner Manufacturer

    The Meow ransomware group has allegedly attacked Daikin, a major Japanese air conditioner manufacturer. They are offering the data they obtained for sale on their Onion forum—40GB for $40,000.

  • Jul 24, 2024

    • Pineapple
    • Brazil
    • Phishing
    • Fluxroot
    • Latin America And The Caribbean
    • Finance

    Threat Actors PINEAPPLE and FLUXROOT are abusing Google Cloud to harvest credentials via phishing and propagate stealer malware in LATAM

    The threat actor **FLUXROOT** has been seen targeting LATAM users. Its aim is to harvest login information for various online payment platforms in the LATAM region by leveraging Google Cloud serverless projects. Separately, and also targeting LATAM users, the threat actor **PINEAPPLE** has been distributing the stealer malware known as Astaroth (AKA Guildma) to Brazilian users through Google's cloud infrastructure.

  • Jul 24, 2024

    • exclusive
    • Viralgod
    • Latin America And The Caribbean
    • Mexico

    Threat Actor ViralGod shared a file that includes 49 SQL Databases from multiple Mexican websites

    The threat actor **ViralGod** posted on the cybercrime forum BreachForums a file that allegedly contains 49 SQL databases from different Mexican websites. The threat actor claims to have over 1,000,000 lines, the majority of which contain users' information, such as emails, full names, addresses, and phone numbers.

  • Jul 23, 2024

    • Anonymous
    • Israel
    • Asia
    • Israeli Ministry Of Defense
    • Middle East

    'Anonymous' Claims Alleged Breach of the Israeli Ministry of Defense

    The 'Anonymous' hacker group released a statement today claiming to have breached the Israeli Ministry of Defense. The group released 30GB of allegedly internal information from the MoD, including zip files, PDF files with blueprints and invoices, and screenshots of IDs, among other documents. They have given a 48-hour deadline for the cessation of the war, threatening to release more sensitive information if their demand is not met. Importantly, it remains unclear whether the released information is new or has been taken from previous attacks.

  • Jul 23, 2024

    • Handala
    • Israel
    • Energy
    • Blilious Group
    • Asia
    • Blenergy
    • Middle East

    'Handala' Hacker Group Claims Breach of Israeli Company 'BLEnergy'

    The pro-Palestinian threat actor group 'Handala' has claimed responsibility for breaching 'BLEnergy', an Israeli renewable energy semiconductor manufacturer that is part of the 'Blilious Group'. They state that the breach was in response to the Israeli attack in Yemen following the Israel-Hamas war. The group has released several screenshots of what they allege to be internal company information as samples. According to their claims, they have obtained 145GB of data, which they plan to release soon.

  • Jul 22, 2024

    • exclusive
    • Amadey

    A New Version of the AMADEY Botnet is offered for sale on Underground Forum

    A Threat actor on Exploit forums is offering a new version of the Amadey botnet for sale with the following features and updates:

    • Build 4.40.3 (dated July 21): The detection of Trojan/Amadey.ROA!MTB by Windows Defender has been removed.
    • Upcoming Version 5 (expected release in October):
      ◦ MSI Installer Support: Installation in stealth mode.
      ◦ File Encryption: Downloaded files can be encrypted using a special utility, Melter, with a unique encryption key for each client. The loader automatically detects and decrypts these files.
      ◦ hVNC Module: A highly anticipated module with reverse connection capability.
      ◦ ZIP Format Support: The botnet can download, unpack, and launch files from ZIP archives.

    These updates enhance stealth, security, and functionality for clients using the botnet.

  • Jul 21, 2024

    • Crowdstrike
    • Global

    Threat Actors Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware

    Cybersecurity firm CrowdStrike is under scrutiny after a flawed update to Windows devices caused worldwide IT disruptions. Now, threat actors are exploiting the situation by distributing Remcos RAT malware to CrowdStrike customers in Latin America, posing as providers of a hotfix. These attackers are using a ZIP file named "crowdstrike-hotfix.zip," containing a malware loader and Spanish-language instructions, urging targets to run an executable file to fix the issue.

  • Jul 21, 2024

    • global
    • microsoft

    CrowdStrike update crashes Windows systems, causes outages worldwide

    A faulty component in the latest CrowdStrike Falcon update has caused significant disruptions to Windows systems worldwide, affecting various organizations and services, including airports, TV stations, and hospitals. Users reported widespread outages, with systems stuck in boot loops or displaying the Blue Screen of Death (BSOD) after installing the update. Emergency services in the U.S. and Canada were also impacted. CrowdStrike acknowledged the issue, attributing it to a problematic Channel File within the update, and provided steps to resolve the problem. Despite the fix, the glitch had already caused extensive disruptions. Airports in Zurich, Melbourne, and other major cities experienced flight delays and cancellations. Hospitals in the Netherlands, Spain, and the U.S. reported operational issues, while 911 services in New York, Alaska, Arizona, and parts of Canada were affected. Television stations like Sky News and ABC also faced disruptions. Users expressed frustration on Reddit, detailing the widespread impact on their companies, with reports of tens of thousands of computers crashing globally. CrowdStrike's CEO assured customers that the company is working to ensure the security and stability of their systems, advising them to communicate through official channels for updates and support.

  • Jul 19, 2024

    • Crowdstrike
    • global
    • Global

    Major Global Outages caused by CrowdStrike: Latest Updates of CrowdStrike Falcon causes Blue Screen of Death (BSOD) on Windows Machines

    Earlier today, CrowdStrike released a new update to their Falcon Sensor. Unfortunately, instead of enhancing the sensor, a technical error in the update is causing major outages globally. The issue causes a Blue Screen of Death on Windows machines. Reports worldwide state that several industries were affected, such as airlines, banks, media, etc. CrowdStrike says it is already aware of the widespread issue causing Blue Screen of Death (BSOD) on Windows machines across several Falcon sensors, and that it is currently being investigated.

  • Jul 18, 2024

    • United States
    • Business Services
    • North America
    • Life360

    Life360 - Breach - 2024-03-11

    A threat actor, known by the handle 'emo,' has leaked a database containing the personal information of 442,519 Life360 customers. The data was collected by exploiting a flaw in the login API, which allowed the verification of each user's email address, name, and phone number. Life360 has since fixed the flaw, but the breach occurred in March 2024. In January, Emo also leaked over 15 million email addresses from Trello accounts, collected via an unsecured API. Additionally, Life360 disclosed an extortion attempt after attackers breached a Tile customer support platform, stealing sensitive information, including names, addresses, email addresses, phone numbers, and device identification numbers. The breach likely involved the stolen credentials of a former Tile employee. Life360's CEO, Chris Hulls, assured that more sensitive information, such as credit card numbers and passwords, was not exposed. The company has yet to disclose the extent of the Tile breach or its detection timeline. Life360, a service providing location tracking and emergency assistance to over 66 million members, acquired Tile in December 2021.

  • Jul 18, 2024

    • Lockbit
    • Fin7
    • Blackbasta

    FIN7 Members sell EDR killer to other threat actors

    The notorious FIN7 hacking group has been observed selling their custom "AvNeutralizer" tool, designed to evade detection by disabling enterprise endpoint protection software on corporate networks. FIN7's custom tool, "AvNeutralizer" (also known as AuKill), was first seen in attacks by the BlackBasta ransomware operation in 2022. While initially thought to be exclusive to BlackBasta, researchers' data revealed that the tool had been used in attacks by five other ransomware operations, indicating widespread distribution. According to them, "About 10 of these are attributed to human-operated ransomware intrusions that deployed well-known RaaS payloads including AvosLocker, MedusaLocker, BlackCat, Trigona, and LockBit."

  • Jul 16, 2024

    • global
    • Schneider Electric

    Schneider Electric Releases Security Advisories for Critical Vulnerabilities in Industrial Automation Systems

    Schneider Electric issued four new advisories covering six vulnerabilities in its Wiser Home Controller, EcoStruxure Foxboro DCS, EcoStruxure Foxboro SCADA FoxRTU Station, and Modicon controllers. The most critical vulnerability affects the discontinued Wiser Home Controller, with recommendations to upgrade to the latest models or remove the affected devices from service. High-severity flaws in EcoStruxure products have been patched, while a medium-severity issue in Modicon controllers awaits a remediation plan. These updates are part of Schneider Electric's ongoing efforts to enhance the security of its industrial automation solutions.

  • Jul 16, 2024

    • Siemens
    • global
    • Siemens Energy Global

    Siemens Issues Critical Security Advisories Addressing Over 50 Vulnerabilities in Industrial Systems

    Siemens has released 17 new security advisories addressing over 50 vulnerabilities in its industrial control systems. Among these, the most critical is a bug in the SINEMA Remote Connect server, allowing authenticated attackers to escalate privileges. Additionally, Siemens addressed the "BlastRADIUS" vulnerability in the RADIUS protocol, which could let attackers bypass multi-factor authentication (MFA). Patches have been released for some products, while others are pending updates. Siemens recommends restricting network access to the RADIUS server and ensuring proper configurations to mitigate risks.

  • Jul 15, 2024

    • Handala
    • exclusive
    • Innovalve Bio Medical Ltd.
    • Israel
    • Asia
    • Sheba Medical Center
    • Middle East

    'Handala' has claimed responsibility for an attack against 'Sheba Medical Center'

    The Pro-Palestinian threat actor group "Handala" has claimed responsibility for breaching the Israeli hospital "Sheba Medical Center" as part of their "OPIsrael" campaign. The group claims to have access to every department but has initially focused on the "Heart Department of Sheba and Innovalve Bio Medical Ltd" as a warning. They have released 50GB of sample data, which allegedly includes medical and personal information of the company's clients, agreements, staff details, and financial documents, and according to their statement, they plan to release a total of 5TB of company information.

  • Jul 15, 2024

    • Sportclick
    • exclusive
    • Brazil
    • Media
    • Latin America And The Caribbean
    • Chucky

    Threat Actor Chucky leaked a database potentially related to SportClick Brazil's clients

    The threat actor Chucky leaked on the leakbase[.]io forum a database potentially related to 628K clients of the Brazilian site sportclick.com.br. The exposed information includes sensitive client data such as user ID, names, email addresses, passwords, etc.

  • Jul 15, 2024

    • Mustang Panda
    • Netherlands
    • China
    • spyware
    • Norway
    • Greece

    Cyberattack Targets European Maritime Industry: Mustang Panda Suspected

    A coordinated cyberespionage campaign has targeted European shipping companies, including Norwegian, Greek, and Dutch vessels. The attacks involved USB drives loaded with malware, aiming to steal sensitive information. Experts attribute the campaign to the China-affiliated hacker group Mustang Panda, known for using the Korplug malware in previous cyberattacks. This marks the first time a China-linked group has focused on commercial shipping. The Norwegian Coastal Administration suggests the attackers sought insights into the maritime sector. There may be unreported incidents, highlighting the need for increased vigilance.

  • Jul 15, 2024

    • Europe
    • Nato
    • Belgium

    NATO Allies Establish Integrated Cyber Defence Centre in Belgium

    NATO has agreed to establish the NATO Integrated Cyber Defence Centre (NICC) at its strategic military headquarters in SHAPE, Belgium. This initiative, decided during the summit on July 10, 2024, aims to enhance NATO and Allied network security, improve situational awareness in cyberspace, and strengthen collective resilience against sophisticated cyber threats.

  • Jul 15, 2024

    • Europe
    • United Kingdom
    • Business Services
    • Mspy

    Hacktivists gained access to a spyware maker's database, publishing millions of users information online

    In May 2024, mSpy, a spyware maker, fell victim to a data breach when Hacktivists obtained and published online 142GB of user data and support tickets. The data included 2.4 million unique email addresses, IPs, names, and photos, largely comprised of support tickets seeking assistance in installing the spyware.

  • Jul 15, 2024

    • Telecommunications
    • United States
    • North America
    • At&T Wireless

    AT&T falls victim to a data breach following Snowflake attacks exposing over 100 million customers

    In April 2024, AT&T, a U.S.-based telecommunications company, fell victim to a data breach when threat actors gained access to a Snowflake account and stole the call logs of nearly 110 million customers. The data included customers' phone numbers and the phone numbers of the parties those customers interacted with.

  • Jul 11, 2024

    • Handala
    • Sonol
    • exclusive
    • Energy
    • Israel
    • Asia
    • Middle East

    'Handala Hack' Targets Israeli Energy Company 'Sonol'

    The hacker group "Handala Hack" has announced a breach of the Israeli energy company "Sonol" as part of the OPIsrael campaign. The group claims to have obtained 54GB of internal company data and has released a sample of the allegedly stolen information, including details about clients and their activities in the company's branches.

  • Jul 11, 2024

    • Pemex
    • exclusive
    • Panchovilla
    • Latin America And The Caribbean
    • Energy
    • Mexico

    PanchoVilla claims to have compromised a server of the Mexican Oil Company (PEMEX)

    On July 8th, the threat actor Pancho Villa published on the cybercrime forum BreachForums that he compromised a server of the Mexican Oil Company (Pemex), obtaining over 50 databases. Additionally, a sample screenshot was provided. The threat actor is selling the database at $1,000 USD.

  • Jul 11, 2024

    • arrest
    • Philippines
    • South-Eastern Asia
    • Asia
    • National Bureau Of Investigation (Nbi)

    Four Members of Blood Security Hackers Apprehended in an Entrapment Operation by National Bureau of Investigation (NBI)

    On July 10, 2024, the National Bureau of Investigation (NBI) released a press statement regarding the arrest of four "Blood Security Hackers" members, namely:

    • Eden Glenn Petilo y Oñez
    • Carlo Reyna y Placido
    • John Kenneth Macarampat
    • Leonel Obina y Laraga

    These threat actors were responsible for past cyber intrusions, including, but not limited to, the COMELEC and Sky Cable data breaches. They are also notorious for past illegal carding activities.

  • Jul 10, 2024

    • Mekotio
    • Latin America And The Caribbean
    • Finance

    Mekotio Banking Trojan Targeting Latin America

    Mekotio malware, a banking trojan, has made a comeback in recent weeks and was witnessed targeting financial organizations within Latin America.

  • Jul 08, 2024

    • exclusive
    • Dragonforce

    DragonForce Outlines Requirements for New RaaS Partners

    DragonForce is extending an invitation to specialists from various fields, including access experts and pentesters, to join their team. They offer an infrastructure and tools, retaining only 20% of income while partners keep 80%. In their last post, DragonForce emphasizes the importance of carefully selecting candidates for their Ransomware-as-a-Service (RaaS). Prospective partners are required to prepare a target with an income of at least $5,000,000 and provide detailed information about their ZoomInfo target. Files matching the provided ZoomInfo must be uploaded to a convenient storage location, such as mega.co.nz or SSH. To ensure a smooth process, DragonForce advises candidates to contact them in advance to agree on all details, facilitating faster access to their RaaS.

  • Jul 08, 2024

    • exclusive
    • Global

    Massive RockYou2024 Password List Allegedly Leaked with Nearly 10 Billion Entries

    A threat actor claims to have leaked a new version of the infamous RockYou password list, dubbed RockYou2024. This updated compilation reportedly includes over 9.9 billion passwords, making it one of the largest collections of compromised credentials to date. According to the threat actor, RockYou2024 builds on the previous RockYou21 list, aggregating data from numerous recent database leaks shared across various forums over the years. This enormous compilation presents a significant security risk, providing cybercriminals with an extensive repository of passwords for credential stuffing and other malicious activities. The original RockYou list, exposed in 2009 after a breach at RockYou.com, contained 32 million passwords and has since been a crucial tool for hackers, inspiring several expanded versions as new breaches emerged.

  • Jul 07, 2024

    • global
    • malware
    • crypto

    Ethereum mailing list breach exposes 35,000 to crypto draining attack

    A threat actor compromised Ethereum's mailing list provider, sending phishing emails to over 35,000 addresses with a link to a malicious site running a crypto drainer. Ethereum disclosed the incident in a blog post, confirming no material impact on users. The attack occurred on June 23, using the email address ‘updates@blog.ethereum.org,’ and targeted 35,794 addresses with a fake promotion offering a 6.8% APY on staked Ethereum. Recipients were directed to a professionally crafted, malicious website that drained wallets if users connected and signed the transaction. Ethereum's internal security team quickly blocked further emails, alerted the community, and ensured the malicious link was blocked by Web3 wallet providers and Cloudflare. No recipients were affected, and Ethereum has since migrated some email services to prevent future incidents.

  • Jul 07, 2024

    • United States
    • Ticketmaster
    • North America
    • Retail

    Threat actors Leak Taylor Swift Ticket Data, Demand $2 Million Extortion

    Threat actors have leaked barcode data for 166,000 Taylor Swift Eras Tour tickets, threatening to release more if a $2 million extortion demand is not met. In May, the threat actor ShinyHunters began selling data on 560 million Ticketmaster customers for $500,000, which was confirmed to be from Ticketmaster’s account on Snowflake, a cloud-based data warehousing company. The breach, starting in April, involved hackers downloading Snowflake databases from at least 165 organizations using stolen credentials, then blackmailing companies for payments. Confirmed victims include Neiman Marcus, Los Angeles Unified School District, and Advance Auto Parts. The latest leak by Sp1d3rHunters includes ticket data for Taylor Swift concerts in Miami, New Orleans, and Indianapolis, with a threat to leak data from other events if the ransom isn't paid. Ticketmaster clarified that unique barcodes are refreshed every few seconds, making the stolen tickets unusable. They also confirmed they did not negotiate with the threat actors, countering ShinyHunters' claims of being offered $1 million to delete the data.

  • Jul 07, 2024

    • Business Services
    • Authy
    • Global
    • North America
    • United States

    Twilio Secures Authy Endpoint After Breach Exposes 33 Million Phone Numbers

    Cloud communications provider Twilio has disclosed that unidentified threat actors exploited an unauthenticated endpoint in Authy, exposing data associated with Authy accounts, including users' cell phone numbers. In response, Twilio secured the endpoint to prevent further unauthorized access. This revelation follows a breach by the online persona ShinyHunters (which we exposed exclusively), who published a database containing 33 million phone numbers from Authy accounts on BreachForums. Authy, a popular two-factor authentication (2FA) app owned by Twilio, adds an extra layer of security to accounts. Twilio assured users that there is no evidence of the threat actors accessing Twilio's systems or other sensitive data. However, they recommend that users update their Authy apps to the latest versions and remain vigilant against potential phishing and smishing attacks using their phone numbers.

  • Jul 07, 2024

    • global
    • supplychain

    Widespread Polyfill.io Supply Chain Attack Affects Over 380,000 Hosts, Including Major Companies

    The supply chain attack on the Polyfill[.]io JavaScript library is more extensive than initially believed, affecting over 380,000 hosts, including prominent companies like WarnerBros, Hulu, Mercedes-Benz, and Pearson. New findings from Censys reveal that these hosts are embedding scripts from the malicious domain as of July 2, 2024, with many located within the Hetzner network in Germany. The attack, which emerged in late June 2024, involves code modifications that redirect users to adult- and gambling-themed websites at specific times. The domain, sold to Chinese company Funnull in February 2024, has since been suspended by Namecheap, with further mitigation efforts from Cloudflare and Google. The attackers attempted to relaunch the service under different domains, with one still active. A broader network of potentially related malicious domains has also been uncovered, suggesting this incident is part of a larger campaign. WordPress security firm Patchstack has warned of cascading risks to sites using legitimate plugins linked to the rogue domain.

  • Jul 04, 2024

    • CVE-2021-40444
    • Cve-2021-40444
    • Microsoft Mshtml
    • Mshtml

    Threat Actors Exploit MSHTML Flaw to Deploy MerkSpy Surveillance Tool in Targeted Campaigns

    Unknown threat actors have been exploiting a patched security flaw in Microsoft MSHTML to deliver a surveillance tool called MerkSpy, targeting users in Canada, India, Poland, and the U.S. The attack begins with a Microsoft Word document disguised as a job description for a software engineer. Opening the document triggers CVE-2021-40444, a high-severity flaw in MSHTML, allowing remote code execution. This leads to the download of an HTML file, which executes shellcode to download and run further malicious payloads, including MerkSpy. MerkSpy establishes persistence on the compromised system through Windows Registry changes and captures sensitive information such as screenshots, keystrokes, login credentials, and data from the MetaMask browser extension. This data is then transmitted to an external server controlled by the attackers. In parallel, Symantec reported a smishing campaign in the U.S., where users receive SMS messages purportedly from Apple, directing them to bogus credential-harvesting pages. This malicious website includes a CAPTCHA to appear legitimate and mimics an outdated iCloud login template.

  • Jul 04, 2024

    • arrest
    • global

    Global Police Operation Shuts Down 600 Cybercrime Servers and arrests 54 individuals

    A coordinated law enforcement operation named MORPHEUS has dismantled nearly 600 servers used by cybercriminal groups associated with Cobalt Strike, a red teaming framework. The crackdown, led by the UK National Crime Agency and involving multiple international authorities, targeted older, unlicensed versions of Cobalt Strike between June 24 and 28. Of the 690 flagged IP addresses, 590 are no longer accessible. While Cobalt Strike is a legitimate tool for IT security, cracked versions have been misused by malicious actors for post-exploitation purposes, significantly lowering the barrier to cybercrime. In parallel, Spanish and Portuguese authorities arrested 54 individuals involved in vishing schemes targeting elderly citizens, resulting in €2,500,000 in losses. The fraudsters posed as bank employees to extract personal information and subsequently pressured victims into handing over their credit cards and bank details. The stolen funds were funneled through a sophisticated money laundering network. Additionally, INTERPOL dismantled human trafficking rings and disrupted global online scam networks, seizing $257 million in assets and arresting nearly 4,000 suspects across 61 countries in Operation First Light.

  • Jul 03, 2024

    • Business Services
    • North America
    • Intelbroker
    • United States
    • Cognizant

    Threat Actor "IntelBroker" Allegedly Breached Cognizant, Extracting 12 Million Records

    In June 2024, a threat actor named "IntelBroker" claimed to have breached Cognizant, an IT solutions provider, and to have gained access to its Oracle Insurance Policy Administration database. According to the threat actor, 12 million records belonging to approximately 40 thousand users were exposed, including policy numbers, client names, and client companies, among others.

  • Jul 03, 2024

    • Business Services
    • North America
    • Shopify
    • 888
    • Canada

    Threat Actor Allegedly Breached Shopify, Extracting User Information

    In July 2024, a threat actor named "888" claimed to have breached Shopify, a Canada-based multinational eCommerce Platform, and to have gained access to a database. According to the threat actor, nearly 180 thousand customer records were taken including names, email addresses, phone numbers, orders made, total spent, and email / SMS subscription details. The threat actor has offered the dataset for sale.

  • Jul 02, 2024

    • Cve-2024-6387
    • CVE-2024-6387
    • CVE-2024-6387 - RCE Vulnerability in OpenSSH
    • Remote Services

    CVE-2024-6387 - RCE Vulnerability in OpenSSH

    A critical remote code execution (RCE) vulnerability, CVE-2024-6387, has been discovered in OpenSSH's server (sshd) by the Qualys research team. This vulnerability reintroduces an issue previously addressed in 2006, highlighting persistent security challenges in widely used software. Despite the difficulty of exploiting this flaw, its severity is underscored by its potential impact on systems that use SSH, particularly for accessing Kubernetes nodes. No successful remote attacks have been reported yet, but the vulnerability's presence emphasizes the importance of ongoing vigilance and prompt system updates. CVE-2024-6387 arises from a signal handler race condition in OpenSSH's default configuration. If an SSH client fails to authenticate within the default LoginGraceTime of 120 seconds, the SIGALRM handler is called, potentially leading to heap corruption and arbitrary code execution with root privileges. While widespread exploitation is considered unlikely due to the need for distribution-specific conditions and extensive login attempts, the risk remains significant. Organizations are urged to upgrade to the latest OpenSSH release and consider temporary workarounds, such as setting LoginGraceTime to 0, to protect their systems from potential attacks.
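    A defender-side check for the version condition and the LoginGraceTime workaround described above, added here as an example (not Cyberint's or the OpenSSH project's code). It assumes the affected range reported in the Qualys advisory (8.5p1 up to but not including 9.8p1, plus builds older than 4.4p1 that never received the 2006 fix) and parses constructed sample `sshd -T` output; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from Cyberint or the OpenSSH project): assess a host's
# exposure to CVE-2024-6387 from its OpenSSH version banner and its effective
# sshd configuration ("sshd -T" output, one "key value" per line, lowercase keys).
# ASSUMPTION: the affected range (8.5p1 <= v < 9.8p1, and releases before 4.4p1)
# is taken from the Qualys advisory, not from the news item; re-check against
# your distribution's backported fixes before acting on the result.

# Print "affected", "unaffected" or "unknown" for a banner such as
# "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3" or the output of "ssh -V".
version_state() {
    v=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$v" ]; then
        echo unknown
        return 0
    fi
    set -- $v                      # $1 = major, $2 = minor
    num=$(( $1 * 100 + $2 ))       # 9.6 -> 906, 9.8 -> 908, 4.4 -> 404
    if [ "$num" -lt 404 ] || { [ "$num" -ge 805 ] && [ "$num" -lt 908 ]; }; then
        echo affected
    else
        echo unaffected
    fi
}

# Print the effective LoginGraceTime from "sshd -T" output; sshd falls back to
# 120 seconds when the directive is absent, which is the window the race needs.
effective_grace() {
    grace=$(printf '%s\n' "$1" | awk 'tolower($1) == "logingracetime" { print $2; exit }')
    echo "${grace:-120}"
}

# Combine both checks. $1 = version banner, $2 = "sshd -T" output.
# Prints one of: not_affected, unknown_version, mitigated (LoginGraceTime 0
# workaround in place) or vulnerable (affected version with a non-zero grace time).
assess() {
    case "$(version_state "$1")" in
        unaffected) echo not_affected ;;
        unknown)    echo unknown_version ;;
        affected)
            if [ "$(effective_grace "$2")" -eq 0 ]; then
                echo mitigated
            else
                echo vulnerable
            fi ;;
    esac
}

# Constructed sample inputs (not captured from any real host).
SAMPLE_BANNER='SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.3'
SAMPLE_CONFIG_DEFAULT='port 22
logingracetime 120
maxauthtries 6'
SAMPLE_CONFIG_WORKAROUND='port 22
logingracetime 0
maxauthtries 6'

# Demo on the samples. On a live host run, as root:
#   assess "$(ssh -V 2>&1)" "$(sshd -T)"
for cfg in "$SAMPLE_CONFIG_DEFAULT" "$SAMPLE_CONFIG_WORKAROUND"; do
    printf 'grace=%s -> %s\n' "$(effective_grace "$cfg")" "$(assess "$SAMPLE_BANNER" "$cfg")"
done
```

    Note that a LoginGraceTime of 0 only removes the timeout that triggers the handler; it does not patch the race, so it is a stopgap until the upgrade lands.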

  • Jul 01, 2024

    • Apt43
    • Office
    • South Korea
    • Education
    • Chrome
    • Eastern Asia
    • CVE-2017-11882
    • Asia
    • Cve-2017-11882

    Kimsuky Using TRANSLATEXT Chrome Extension to Steal Sensitive Data

    The North Korea-linked threat actor Kimsuky has been linked to a new malicious Google Chrome extension designed to steal sensitive information as part of an ongoing intelligence collection effort. Observed in early March 2024 and codenamed TRANSLATEXT, the extension is capable of gathering email addresses, usernames, passwords, cookies, and browser screenshots. This targeted campaign focuses on South Korean academia, specifically those involved in North Korean political affairs. The initial access method for this activity remains unclear, though Kimsuky is known for using spear-phishing and social engineering attacks to initiate infection. The attack begins with a ZIP archive, allegedly related to Korean military history, containing a Hangul Word Processor document and an executable file. Executing the file retrieves a PowerShell script from an attacker-controlled server, which exports information about the compromised victim to a GitHub repository and downloads additional PowerShell code via a Windows shortcut (LNK) file. Researchers found a GitHub account, created on February 13, 2024, briefly hosting the TRANSLATEXT extension under the name "GoogleTranslate.crx," although the delivery method remains unknown. TRANSLATEXT, disguised as Google Translate, uses JavaScript code to bypass security measures for services like Google, Kakao, and Naver; steal email addresses, credentials, and cookies; capture browser screenshots; and exfiltrate stolen data. It also fetches commands from a Blogger Blogspot URL to take screenshots of newly opened tabs and delete all cookies from the browser.

  • Jul 01, 2024

    • Enigma Loader
    • Risepro
    • Smoke Loader
    • Amadey
    • Southern Asia
    • Unfurling Hemlock
    • Mystic Stealer
    • Eastern Europe
    • United States
    • Western Europe
    • Russia
    • India
    • Asia
    • Europe
    • Middle East
    • Germany
    • Turkey
    • Redline Stealer
    • North America
    • Canada

    New Unfurling Hemlock threat actor floods systems with malware

    A threat actor known as **Unfurling Hemlock** has been conducting large-scale malware campaigns, infecting target systems with up to ten different types of malware simultaneously. Security researchers have identified this method as a "malware cluster bomb," where one malware sample spreads additional malicious software on the compromised machine. The malware types include information stealers, botnets, and backdoors. The operation, active since at least February 2023, uses a distinct distribution method involving nested compressed files within a malicious executable named 'WEXTRACT.EXE'. This file arrives via malicious emails or malware loaders and unpacks multiple malware variants in reverse order on the victim's machine. Over 50,000 such "cluster bomb" files have been linked to Unfurling Hemlock, with the majority of attacks targeting systems in the United States, Germany, Russia, Turkey, India, and Canada. Unfurling Hemlock's strategy of deploying multiple payloads provides high redundancy, enhancing persistence and monetization opportunities despite the risk of detection. The malware observed includes Redline, RisePro, Mystic Stealer, Amadey, SmokeLoader, protection disablers, and various utilities for disabling security features and obfuscating malware payloads. The group's activities suggest they may sell info-stealer logs and initial access to other threat actors. Based on linguistic evidence and the use of specific hosting services, researchers believe Unfurling Hemlock operates from an Eastern European country.

  • Jun 30, 2024

    • Cve-2024-5806
    • CVE-2024-5806

    Exploit Attempts Recorded Against New MOVEit Transfer Vulnerability

    A critical security flaw in Progress Software's MOVEit Transfer, identified as CVE-2024-5806 with a CVSS score of 9.1, is already seeing exploitation attempts following its public disclosure. The flaw involves an authentication bypass in specific versions of MOVEit Transfer, potentially allowing attackers to impersonate any user on the server. Another related vulnerability, CVE-2024-5805, also affects MOVEit Gateway version 2024.0.0. watchTowr Labs highlighted that CVE-2024-5806 comprises two separate issues, one in MOVEit and the other in the IPWorks SSH library. Progress Software has advised users to block public RDP access to MOVEit servers and limit outbound access to trusted endpoints to mitigate these vulnerabilities. Exploiting CVE-2024-5806 requires knowledge of an existing username, remote authentication capability, and public accessibility of the SFTP service. Censys data shows around 2,700 MOVEit Transfer instances online, most of them in the U.S., U.K., and Germany. The urgency of updating to the latest versions is emphasized, especially after similar vulnerabilities led to widespread Cl0p ransomware attacks last year. Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported an intrusion into its Chemical Security Assessment Tool (CSAT) due to flaws in the Ivanti Connect Secure appliance. Although no data exfiltration was detected, the agency warned of potential unauthorized access to sensitive information. Progress Software confirmed the vulnerabilities have been fixed and stated there have been no reports of exploitation or direct operational impact on customers.

  • Jun 30, 2024

    • exclusive
    • Credright
    • Southern Asia
    • India
    • Asia
    • Finance

    Threat Actor Allegedly Leaks 70 GB of KYC Data from CredRight

    A threat actor has claimed to have leaked data from CredRight, a data-driven lending platform that provides credit to micro, small, and medium enterprises through NBFCs and banks. CredRight streamlines the loan application process by allowing users to register online, upload necessary documents, and apply for loans quickly. The threat actor operates multiple accounts on dark web forums and posted the data on two different underground forums. The alleged breach includes 70 GB of KYC (Know Your Customer) documents, comprising photos, videos, and voice recordings. This leak could potentially expose sensitive personal and financial information of numerous CredRight users, raising significant security and privacy concerns for the affected individuals and the platform.

  • Jun 30, 2024

    • exclusive
    • North America
    • United States
    • Finance
    • Neiman Marcus

    ShinyHunters group leaks Data from Neiman Marcus

    According to a post on a dark web forum, a threat actor has shared data purportedly from Neiman Marcus. The post claims that the alleged leak includes account balances, browser user agent details, credit cards, dates of birth, email addresses, gift cards, IP addresses, names, payment histories, payment methods, phone numbers, and physical addresses. The threat actor also mentioned that Neiman Marcus refused to pay the ransom.

  • Jun 30, 2024

    • Tsunami
    • Cve-2023-21839
    • CVE-2017-10271
    • Purecrypter
    • Cve-2017-3506
    • 8220 Gang
    • Weblogic Server
    • CVE-2017-3506
    • Cve-2017-10271
    • CVE-2023-21839
    • K4Spreader

    8220 Gang Exploits Oracle WebLogic Server Flaws

    Security researchers have uncovered more details about the 8220 Gang's cryptocurrency mining operation, which exploits known security flaws in Oracle WebLogic Server. Researchers revealed that the threat actor, tracked as Water Sigbin, uses fileless execution techniques such as reflective DLL injection and process injection to avoid disk-based detection. Water Sigbin exploits vulnerabilities like CVE-2017-3506, CVE-2017-10271, and CVE-2023-21839 to gain initial access and deploy the miner payload via a multi-stage loading technique. The attack sequence involves deploying a PowerShell script to drop a first-stage loader, which then launches another binary in memory. This binary serves as a conduit for the PureCrypter loader, which exfiltrates hardware information and creates scheduled tasks to run the miner while evading Microsoft Defender Antivirus. Further developments include the use of a new installer tool called k4spreader, which the 8220 Gang has been using since at least February 2024. This tool delivers the Tsunami DDoS botnet and the PwnRig mining program, leveraging security flaws in Apache Hadoop YARN, JBoss, and Oracle WebLogic Server to infiltrate targets. Written in cgo, k4spreader ensures system persistence, self-updates, and executes other malware while disabling firewalls and terminating rival botnets. The QiAnXin XLab team has detailed this tool, highlighting its capabilities and ongoing development.

  • Jun 24, 2024

    • Philippines
    • Kenya
    • Apt31
    • Sub-Saharan Africa
    • South Korea
    • Hong Kong
    • Malaysia
    • Rwanda
    • Eastern Asia
    • Asia
    • Taiwan
    • Djibouti

    Flax Typhoon Cyber Espionage Campaign Hits 75 Taiwanese Organizations

    A likely China-linked state-sponsored threat actor, tracked as RedJuliett, has been linked to a cyber espionage campaign targeting government, academic, technology, and diplomatic organizations in Taiwan between November 2023 and April 2024. RedJuliett, also known as Flax Typhoon and Ethereal Panda, operates from Fuzhou, China, and supports Beijing's intelligence collection goals related to East Asia. The campaign has targeted 24 organizations, including government agencies in Taiwan, Laos, Kenya, and Rwanda, and at least 75 Taiwanese entities for broader reconnaissance and exploitation. RedJuliett employs tactics such as exploiting internet-facing appliances, SQL injection, and directory traversal attacks to gain initial access. They use open-source software like SoftEther for tunneling malicious traffic and living-off-the-land (LotL) techniques to avoid detection. The group's operations include using web shells like China Chopper, devilzShell, AntSword, and Godzilla, and exploiting Linux vulnerabilities such as DirtyCow (CVE-2016-5195). RedJuliett's interest likely lies in gathering intelligence on Taiwan's economic policy, trade, and diplomatic relations. Their focus on internet-facing devices highlights the limited visibility and security of these devices, making them effective targets for initial access.

  • Jun 24, 2024

    • Donot Team
    • Ratel

    Ratel RAT targets outdated Android phones in ransomware attacks

    The open-source Android malware 'Ratel RAT' is being widely deployed by cybercriminals to attack outdated devices, often locking them down with a ransomware module that demands payment via Telegram. Researchers detected over 120 campaigns using Ratel RAT, with known threat actors such as APT-C-35 (DoNot Team) involved, and origins traced to Iran and Pakistan. High-profile targets include government and military organizations, mainly in the United States, China, and Indonesia. Most infected devices run end-of-life Android versions (11 and older), which no longer receive security updates, making them particularly vulnerable. Ratel RAT is spread through fake apps mimicking popular brands like Instagram and WhatsApp, tricking users into downloading malicious APKs. During installation, it requests risky permissions to run in the background. The malware supports various commands, including file encryption (ransomware), file deletion, screen locking, SMS and location tracking. In roughly 10% of cases analyzed by Check Point, the ransomware command was issued. To defend against these attacks, users should avoid downloading APKs from untrusted sources, refrain from clicking on suspicious links, and use Play Protect to scan apps before launching them.

  • Jun 23, 2024

    • Sub-Saharan Africa
    • Angola
    • Southern Asia
    • Sneakychef
    • Saudi Arabia
    • Africa
    • Northern Europe
    • Mining
    • Government
    • Central Asia
    • Turkmenistan
    • Spicerat
    • Telecommunications
    • India
    • Europe
    • Asia
    • Middle East
    • Sugargh0St
    • Latvia

    Chinese Threat Actors Deploy SpiceRAT and SugarGh0st in Global Espionage Campaign (Operation Diplomatic Specter)

    Since August 2023, a previously undocumented Chinese-speaking threat actor codenamed SneakyChef has been linked to an espionage campaign primarily targeting government entities across Asia, Europe, the Middle East, and Africa with the SugarGh0st malware. SneakyChef uses lures resembling scanned documents from government agencies, focusing on Ministries of Foreign Affairs and embassies. In addition, the same malware used in this campaign is likely being aimed at various government entities across Angola, India, Latvia, Saudi Arabia, and Turkmenistan, based on the lure documents used in the spear-phishing campaigns, indicating a widening of the scope of the countries targeted. The campaign, also tracked as Operation Diplomatic Specter, has targeted the government, IT, metallurgy, mining, and telecommunications sectors. SneakyChef utilizes sophisticated tactics, including supply chain attacks and deploying new malware like SpiceRAT, which employs DLL side-loading techniques for evasion and persistence. This underscores the growing threat from advanced persistent threat actors targeting critical infrastructure globally.

  • Jun 23, 2024

    • exclusive
    • North America
    • United States
    • T-Mobile Us
    • Finance

    IntelBroker Allegedly Breached a Giant Telecom Vendor

    The threat actor IntelBroker has allegedly leaked data from telecommunications giant T-Mobile. The compromised information reportedly includes source code, SQL files, images, terraform data, certifications, and siloprograms. IntelBroker shared several images of the leaked data but did not specify a price, inviting interested buyers to message them with offers. The threat actor advised against messages from users without rank or reputation. Payments are only accepted in Monero (XMR).

  • Jun 23, 2024

    • Europe
    • exclusive
    • Northern Europe
    • Ireland
    • Retail

    Threat Actor Claims to Sell Unauthorized Access to Major Irish Retailer

    A threat actor has recently surfaced, claiming to sell unauthorized access to the network of a major Irish retailer with annual revenue exceeding $500 million. This access, categorized as AnyConnect (AD), could grant significant control over the retailer's network infrastructure. Priced at $800, the access details and verification are provided only to reputable users, long-standing users, or those with a deposit or premium status on the forum. This restricted sharing is meant to keep the access from being exposed and to maintain trust among the seller's buyers.

  • Jun 19, 2024

    • Global
    • Apple
    • North America
    • Intelbroker
    • United States
    • Technology

    Threat Actor "IntelBroker" Allegedly Breached Apple, Gaining Access to Internal Source Code

    In June 2024, a threat actor named "IntelBroker" claimed to have breached Apple, a multinational technology company, and to have gained access to internal source code. According to the threat actor, three commonly used tools from Apple's internal site were compromised, named AppleConnect-SSO, Apple-HWE-Confluence-Advanced, and AppleMacroPlugin.

  • Jun 18, 2024

    • Advanced Micro Devices (Amd)
    • North America
    • Intelbroker
    • United States
    • Technology

    Threat Actor "IntelBroker" Allegedly Breached AMD, Gaining Access To Databases, Source Code And Future Products

    In June 2024, a threat actor named "IntelBroker" claimed to have breached AMD, an international semiconductor and electronics manufacturer, and to have gained access to its systems. According to the threat actor, future products, specification sheets, employee and customer databases, property files, ROMs, source code, firmware, and finance information were compromised. The threat actor has offered the data for sale.
