#threat-actor

#threat-actor

Microsoft's attempt to thwart malicious actors from tricking users into executing malware and ransomware, by blocking Visual Basic for Applications (VBA) and Excel 4.0 (XL4) macros by default in its most popular Office applications, has had a profound affect on the cyber criminal landscape, according to data from Proofpoint.

In brief A security researcher whose Google Pixel battery died while sending a text is probably thankful for the interruption - powering it back up led to a discovery that netted him a $70,000 bounty from Google for a lock screen bypass bug.Now patched, the vulnerability would let anyone with a spare SIM card and access to a device to completely bypass the lock screen, giving them unfettered access to the device.

Threat actors were seen adopting public proof-of-concept (PoC) exploit code targeting a cross-site scripting (XSS) vulnerability in the Advanced Custom Fields WordPress plugin only two days after a patch was released, Akamai reports.Tracked as CVE-2023-30777, the high-severity vulnerability could allow attackers to inject malicious scripts and other payloads into vulnerable websites.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added several Linux and Linux-related flaws to its known exploited vulnerabilities (KEV) catalog.The agency added seven new vulnerabilities to its KEV catalog on Friday: Ruckus AP remote code execution (CVE-2023-25717), Red Hat Polkit privilege escalation (CVE-2021-3560), Linux kernel privilege escalations (CVE-2014-0196 and CVE-2010-3904), Jenkins UI information disclosure (CVE-2015-5317), Apache Tomcat remote code execution (CVE-2016-8735), and an Oracle Java SE and JRockit issue (CVE-2016-3427).

A subgroup of the Chinese state-sponsored threat actor known as APT41 has been observed using a new denial-of-service (DoS) technique to disable security software, cybersecurity firm Trend Micro reports.Tracked as Earth Longzhi, the APT41 subgroup is known for the targeting of organizations in the Philippines, Taiwan, and Thailand.

Fortinet recently warned that a FortiOS zero-day vulnerability has been exploited in attacks aimed at government organizations.Google-owned cybersecurity firm Mandiant reported on Thursday that those attacks were likely conducted by a Chinese state-sponsored threat actor.The vulnerability in question is tracked as CVE-2022-41328 and it has been described as a medium-severity path traversal issue in FortiOS that can lead to command execution.

A Cl0p ransomware operator affiliated with the FIN11 and TA505 threat actors has been exploiting recently patched PaperCut vulnerabilities since April 13, Microsoft says.Impacting the PaperCut MF/NG print management system and tracked as CVE-2023-27350 (CVSS score of 9.8), the issue can be exploited to bypass authentication and achieve remote code execution (RCE) with System privileges.

Learn how this cryptocurrency campaign operates and its scope.Then, get tips on protecting vulnerable Kubernetes instances from this cybersecurity threat.The cybersecurity company CrowdStrike has observed the first-ever Dero cryptojacking campaign.The attack targets Kubernetes clusters that were accessible on the internet and allowed anonymous access to the Kubernetes API.

Fortinet released 40 security advisories last week to inform customers about the availability of patches for dozens of vulnerabilities, including critical flaws affecting the FortiNAC and FortiWeb products.Two of the advisories have a 'critical' severity rating and 15 of them have been classified as having 'high' severity.

Cloud storage service Dropbox has been sharing details of how it was successfully targeted by a phishing campaign in which a threat actor impersonated the code integration and delivery platform CircleCI to access one of its GitHub accounts and compromise code and data.The information accessed included API keys used by Dropbox's developers, and data including the names and email addresses of a very limited number of employees, customers, sales leads and vendors, described as in the thousands.

Facebook parent company Meta says it disrupted a novel malware family within weeks after it emerged earlier this year.Dubbed NodeStealer, the threat was designed to steal cookies and usernames and passwords from browsers such as Chrome, Edge, Brave, and Opera, to compromise online accounts.A custom JavaScript malware first observed in January 2023, NodeStealer is likely of Vietnamese origin, being distributed disguised as PDF and XLSX files.

A recently identified financially motivated threat actor is targeting companies in the United States and Germany with custom malware, including a screenlogger it uses for reconnaissance, Proofpoint reports.Tracked as TA866, the adversary appears to have started the infection campaign in October 2022, with the activity continuing into January 2023.

Threat actors with a connection to the Chinese government are infecting a widely used security appliance from SonicWall with malware that remains active even after the device receives firmware updates, researchers said.SonicWall's Secure Mobile Access 100 is a secure remote access appliance that helps organizations securely deploy remote workforces.

T-Mobile on Monday said it experienced a hack that exposed account PINs and other customer data in the company's second network intrusion this year and the ninth since 2018.The intrusion, which started on February 24 and lasted until March 30, affected 836 customers, according to a notification on the website of Maine Attorney General Aaron Frey.

The backers of the Open Software Supply Chain Attack Reference (OSC&R) framework for supply chain security has gone live on Github, enabling anybody to contribute to the model.The MITRE ATT&CK-like framework was launched in February with the stated goal of helping security teams improve their understanding of software supply chain threats, evaluate them and get to grips with them.

A new Linux version of Royal ransomware is targeting VMware ESXi virtual machines.Learn more about this security threat and how to protect from it.Royal ransomware is malware that first appeared around September 2022.The people behind this ransomware are probably a subgroup of the infamous Conti threat actor.

In the past 24 hours, the world has learned of serious breaches hitting chat service Slack and software testing and delivery company CircleCI, though giving the companies' opaque wording-"security issue" and "security incident," respectively-you'd be forgiven for thinking these events were minor.

It's the second Tuesday of the month, and that means it's Update Tuesday, the monthly release of security patches available for nearly all software Microsoft supports.This time around, the software maker has fixed six zero-days under active exploit in the wild, along with a wide range of other vulnerabilities that pose a threat to end users.

More organizations are emerging to confirm impact from the newly disclosed in-the-wild zero-day exploits hitting Fortra's GoAnywhere managed file transfer (MFT) software.Tracked as CVE-2023-0669, the vulnerability was publicly disclosed in early February alongside zero-day exploitation and a patch was released a week later.

Google-owned Mandiant has conducted an analysis of the zero-day vulnerabilities disclosed in 2022 and found that over a dozen of them were used in attacks believed to have been carried out by cyberespionage groups.The cybersecurity community cannot reach an agreement on the definition of zero-day vulnerability.

Italian sports car maker Ferrari said on Monday that a threat actor had demanded a ransom related to customer contact details that may have been exposed in a ransomware attack."Upon receipt of the ransom demand, we immediately started an investigation in collaboration with a leading global third-party cybersecurity firm," the iconic car maker said.

A Russia-linked advanced persistent threat (APT) actor tracked as Winter Vivern has been observed targeting government entities in several European and Asian countries.Initially detailed in early 2021, the group is known to support the interests of Belarus and Russia's governments, and was previously observed targeting government organizations in India, Lithuania, Slovakia, and Vatican.

Threat researchers at WithSecure have revealed intelligence on how cyber criminal gangs are sharing tools along the historic Silk Roads of Eurasia, after finding a tool known to have been developed by Chinese cyber criminals being taken up enthusiastically among Russian-speaking ransomware operators.

That didn't take long.A week after the US Cybersecurity and Infrastructure Security Agency (CISA) and FBI released a recovery script to help victims of the widespread ESXiArgs ransomware attacks recover infected systems, an updated variant of the malware aimed at vulnerable VMware ESXi virtual machines can't be remediated with the government agencies' code, according to Malwarebytes.

A threat actor named SiegedSec, whose members have claimed to be hacktivists, announced on its Telegram channel and hacking forums that it "hacked the software company Atlassian".They made 35 Mb of files public.This includes two image files apparently storing floor plans of Atlassian buildings in San Francisco and Sydney, and one file allegedly containing the information of 13,000 Atlassian employees, including names, email addresses, and phone numbers.

Threat actors connected to the North Korean government have been targeting security researchers in a hacking campaign that uses new techniques and malware in hopes of gaining a foothold inside the companies the targets work for, researchers said.Researchers from security firm Mandiant said on Thursday that they first spotted the campaign last June while tracking a phishing campaign targeting a US-based customer in the technology industry.

GoDaddy said on Friday that its network suffered a multi-year security compromise that allowed unknown attackers to steal company source code, customer and employee login credentials, and install malware that redirected customer websites to malicious sites.GoDaddy is one of the world's largest domain registrars, with nearly 21 million customers and revenue in 2022 of almost $4 billion.

Coinbase, one of the world's largest cryptocurrency exchanges, was recently targeted in a sophisticated cyberattack that appears to have been conducted by the same threat group that targeted Twilio, Cloudflare and many others last year.Coinbase revealed on Friday that its employees were targeted in an SMS phishing campaign on Sunday, February 5.

In-the-wild exploitation of a Fortinet FortiNAC vulnerability tracked as CVE-2022-39952 was seen just days after a patch was announced, and on the same day a proof-of-concept (PoC) exploit was made public.Fortinet published 40 security advisories on February 16, including one describing a critical vulnerability in the company's FortiNAC network access control (NAC) solution.

A threat actor is using the PureCrypter downloader to deliver different types of malware to government entities in the Asia-Pacific and North America regions, Menlo Labs warns.As part of the observed attacks, Discord is used for distribution purposes, while the domain of a compromised non-profit organization serves as a command-and-control (C&C) server, hosting a secondary payload.

News Corp., the parent company of The Wall Street Journal and several other news outlets, said that hackers were inside its network for nearly two years and made off with private documents and emails.News Corp. first disclosed the breach in February 2022, in a filing with the Securities and Exchange Commission and an article in The Wall Street Journal.

The threat actor behind a series of compromises of credential management specialist LastPass attacked a DevOps engineer's home computer to gain access to the organisation's decryption keys, it has emerged.The first attack took place in August 2022, and saw LastPass praised for its swift response to the incident, which saw the attacker access some source code and proprietary technical information.

A recently identified post-exploitation framework offered as a service appears to be operated by former affiliates of the LockBit ransomware, cybersecurity company Cyfirma reports.Dubbed Exfiltrator-22 or EX-22, the tool was created using the leaked source code of other post-exploitation frameworks, and uses the same command-and-control (C&C) infrastructure as LockBit 3.0.

LastPass says that a threat actor was able to steal corporate and customer data by hacking an employee's personal computer and installing keylogger malware, which let them gain access to the company's cloud storage.The update provides more information about how the series of hacks happened last year that resulted in the popular password manager's source code and customer vault data being stolen by an unauthorized third party.

German industrial automation solutions provider Wago has released patches for several of its programmable logic controllers (PLCs) to address four vulnerabilities, including ones that can be exploited to take full control of the targeted device.The vulnerabilities were discovered by Ryan Pickren from the Georgia Institute of Technology's Cyber-Physical Security Lab.

IT management software firm GoTo on Tuesday said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach that also affected its LastPass affiliate.GoTo chief executive Paddy Srinivasan confirmed the security breach was far worse than originally reported and included the theft of account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.

Threat actors exfiltrated encrypted customer account data and an encryption key for a number of GoTo services in a breach first disclosed last November.Remote work technology provider GoTo, formerly LogMeIn, published an update Monday to a blog post dedicated to a breach that occurred last year.At the time the breach was disclosed on Nov. 30, GoTo CEO Paddy Srinivasan wrote that the company was investigating a security incident and had "detected unusual activity within [GoTo's] development environment and third-party cloud storage service."

A Chinese threat actor tracked as DragonSpark has been using the SparkRAT open source remote administration tool (RAT) in recent attacks targeting East Asian organizations, cybersecurity firm SentinelOne reports.Relatively new, SparkRAT is a multi-platform RAT written in Golang that can run on Windows, Linux, and macOS systems, and which can update itself with new versions available through its command and control (C&C) server.

A South Africa-based threat actor known as Automated Libra has been observed adopting increasingly sophisticated techniques to conduct a widespread freejacking campaign against various public cloud services.Freejacking is the act of using free or time-limited access to public cloud resources - such as introductory trial offers - to perform illicit cryptomining.

(Image credit: Gustavo Frazao / Shutterstock)
Scammers have used the traffic from an adult website to generate clicks on Google Ad banners, netting them huge returns, experts have revealed.Researchers from Malwarebytes, which first spotted the campaign, revealed how someone created an ad campaign on one of the major adult ad networks and used the "popunder" ad format.

Microsoft Office files, particularly Excel and Word files, have been targeted by some cybercriminals for a long time.Through different techniques, attackers have used embedded Visual Basic for Applications macros to infect computers with different kinds of malware for cybercrime and cyberespionage.In most cases, users still needed to click their agreement when executing code inside those applications, but some social engineering tricks have enticed unsuspecting victims to click and allow the execution of the malicious macros themselves.

In Brief The squishy brains behind OpenAI's artificial ones are predicting developments like the ChatGPT system will see money flooding in - with a forecast of earning around $1 billion by 2024.According to an investors' briefing document seen by Reuters the machine-learning biz expects to break $200 million in revenues next year and bust through the billion mark 12 months later.

The Lego Group has moved swiftly to fix a pair of application programming interface (API) security vulnerabilities that existed in its BrickLink digital resale platform, after they were identified by Salt Labs, the research arm of API specialist Salt Security.With over a million members, BrickLink is the world's largest forum for buying and selling second-hand Lego sets.

Newish ransomware gang Royal has been spotted targeting the healthcare sector, the US Department of Health and Human Services (HHS) has said.The crew emerged this year, and follows the standard double extortionware playbook: it steals data from infected networks, encrypts those files, and then demands a fee to recover the data and to also not publicly leak the documents.

Password manager LastPass has told customers that some of their information has been accessed in a cybersecurity breach, but says passwords remain safe.LastPass is one of several password managers in the market that aims to reduce the reuse of passwords online, by storing themin a single app.It also makes it easier for users to generate strong passwords as required.