#threat-actor

#cybersecurity
from Theregister
5 days ago
Miscellaneous

Ex-Disney techie arrested for potentially deadly menu hacks

A former Disney employee was arrested for hacking the company's systems post-termination, significantly disrupting operations and raising security concerns.

Cisco confirms attackers stole "non-public" data, shuts down access to compromised DevHub environment

Cisco limited public access to its developer environment after a significant data breach by the threat actor IntelBroker.
The breach compromised sensitive company data, highlighting vulnerabilities in public-facing developer environments.
Ongoing investigation finds no evidence of confidential personal or financial data being included in the stolen files.

GoldenJackal Target Embassies and Air-Gapped Systems Using Malware Toolsets

GoldenJackal is a sophisticated threat actor targeting air-gapped systems to steal confidential information from embassies and government organizations.

US, Microsoft Aim to Disrupt Russian threat actor 'Star Blizzard'

Star Blizzard is a Russian-based cyber threat actor targeting sensitive content and disrupting governmental and defense organizations through sophisticated phishing operations.

China-Linked CeranaKeeper Targeting Southeast Asia with Data Exfiltration

CeranaKeeper is a new threat actor linked to aggressive data exfiltration attacks in Southeast Asia, primarily targeting governmental institutions.

Blind Eagle Hackers Exploit Spear-Phishing to Deploy RATs in Latin America

Blind Eagle, a threat actor active since 2018, adapts tactics for financial and espionage cyberattacks, primarily targeting Latin American nations.

from ITPro
3 months ago

Cyber firm KnowBe4 unknowingly hired a North Korean hacker - and it went exactly as you might think

KnowBe4 experienced an attempted security breach by a North Korean threat actor posing as a remote software engineer, emphasizing the importance of robust security measures.

Recent attacks on Fred Hutch and Integris: Is attempting to extort patients directly becoming the "new normal?"

DataBreaches previously reported a breach involving Integris Health in Oklahoma.
#organizations

Chinese APT Uses New 'Stack Rumbling' Technique to Disable Security Software

A subgroup of the Chinese state-sponsored threat actor known as APT41 has been observed using a new denial-of-service (DoS) technique to disable security software, cybersecurity firm Trend Micro reports. Tracked as Earth Longzhi, the APT41 subgroup is known for targeting organizations in the Philippines, Taiwan, and Thailand.

InfoBlox discovers rare Decoy Dog C2 exploit

Domain security firm InfoBlox discovered a command-and-control exploit that, while extremely rare and complex, could be a warning growl from a new, as-yet anonymous state actor. If you search for the most recent reports on Domain Name System attacks, you may have a hard time finding one published since IDC's 2021 report, which noted that 87% of organizations experienced a DNS attack during 2020.

Pro-Russian hackers target elected US officials supporting Ukraine

Threat actors aligned with Russia and Belarus are targeting elected US officials supporting Ukraine, using attacks that attempt to compromise their email accounts, researchers from security firm Proofpoint said. The campaign, which also targets officials of European nations, uses malicious JavaScript that's customized for individual webmail portals belonging to various NATO-aligned organizations, a report Proofpoint published Thursday said.

Casino Giant Crown Resorts Investigating Ransomware Group's Data Theft Claims

Australian casino giant Crown Resorts this week confirmed that the Cl0p ransomware group contacted them to claim the theft of data as part of the GoAnywhere attack. The incident occurred in late January, when a zero-day vulnerability in Fortra's GoAnywhere managed file transfer (MFT) software was exploited to access files belonging to Fortra customers.

GoAnywhere Zero-Day Attack Hits Major Orgs

More organizations are emerging to confirm impact from the newly disclosed in-the-wild zero-day exploits hitting Fortra's GoAnywhere managed file transfer (MFT) software. Tracked as CVE-2023-0669, the vulnerability was publicly disclosed in early February alongside zero-day exploitation, and a patch was released a week later.

Exploitation of Recent Fortinet Zero-Day Linked to Chinese Cyberspies

Fortinet recently warned that a FortiOS zero-day vulnerability has been exploited in attacks aimed at government organizations. Google-owned cybersecurity firm Mandiant reported on Thursday that those attacks were likely conducted by a Chinese state-sponsored threat actor. The vulnerability in question is tracked as CVE-2022-41328 and has been described as a medium-severity path traversal issue in FortiOS that can lead to command execution.

#years

T-Mobile Says Personal Information Stolen in New Data Breach

US wireless carrier T-Mobile is informing some customers that their personal information was compromised in a recent data breach. After being alerted to unauthorized activity on its systems, the company discovered that a malicious actor had access to a "small number" of T-Mobile accounts between late February and March 2023.

OSC&R supply chain security framework goes live on Github | Computer Weekly

The backers of the Open Software Supply Chain Attack Reference (OSC&R) framework for supply chain security have gone live on Github, enabling anybody to contribute to the model. The MITRE ATT&CK-like framework was launched in February with the stated goal of helping security teams improve their understanding of software supply chain threats, evaluate them and get to grips with them.

GoDaddy says a multi-year breach hijacked customer websites and accounts

GoDaddy said on Friday that its network suffered a multi-year security compromise that allowed unknown attackers to steal company source code, customer and employee login credentials, and install malware that redirected customer websites to malicious sites. GoDaddy is one of the world's largest domain registrars, with nearly 21 million customers and revenue in 2022 of almost $4 billion.

Conservative News Corp. empire says hackers were inside its network for 2 years

News Corp., the parent company of The Wall Street Journal and several other news outlets, said that hackers were inside its network for nearly two years and made off with private documents and emails. News Corp. first disclosed the breach in February 2022, in a filing with the Securities and Exchange Commission and an article in The Wall Street Journal.

More malicious packages posted to online repository. This time it's PyPI

Researchers have uncovered yet another supply chain attack targeting an open source code repository, showing that the technique, which has gained wide use in the past few years, isn't going away any time soon. This time, the repository was PyPI, short for the Python Package Index, which is the official software repository for the Python programming language.

Android discovery nets security researcher $70k bounty

In brief: A security researcher whose Google Pixel battery died while sending a text is probably thankful for the interruption; powering it back up led to a discovery that netted him a $70,000 bounty from Google for a lock screen bypass bug. Now patched, the vulnerability would let anyone with a spare SIM card and access to a device bypass the lock screen completely, giving them unfettered access to the device.

#information

T-Mobile discloses 2nd data breach of 2023, this one leaking account PINs and more

T-Mobile on Monday said it experienced a hack that exposed account PINs and other customer data in the company's second network intrusion this year and the ninth since 2018. The intrusion, which started on February 24 and lasted until March 30, affected 836 customers, according to a notification on the website of Maine Attorney General Aaron Frey.

Massive adversary-in-the-middle phishing campaign bypasses MFA and mimics Microsoft Office

Microsoft has already seen millions of phishing emails sent every day by attackers using this phishing kit. Learn how to protect your business from this AitM campaign. New research from Microsoft's Threat Intelligence team exposed the activities of a threat actor named DEV-1101, which started advertising an open-source phishing kit to deploy an adversary-in-the-middle campaign.

Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant

Google-owned Mandiant has conducted an analysis of the zero-day vulnerabilities disclosed in 2022 and found that over a dozen of them were used in attacks believed to have been carried out by cyberespionage groups. The cybersecurity community cannot reach an agreement on the definition of a zero-day vulnerability.

GoAnywhere MFT Zero-Day Exploitation Linked to Ransomware Attacks

The recent exploitation of a zero-day vulnerability in the GoAnywhere managed file transfer (MFT) software has been linked by a cybersecurity firm to a known cybercrime group that has likely attempted to exploit the flaw in a ransomware attack. On February 1, Fortra alerted GoAnywhere MFT users about a zero-day remote code injection exploit.

Royal ransomware spreads to Linux and VMware ESXi

A new Linux version of Royal ransomware is targeting VMware ESXi virtual machines. Learn more about this security threat and how to protect against it. Royal ransomware is malware that first appeared around September 2022. The people behind this ransomware are probably a subgroup of the infamous Conti threat actor.

Fortinet Patches Critical Code Execution Vulnerabilities in FortiNAC, FortiWeb

Fortinet released 40 security advisories last week to inform customers about the availability of patches for dozens of vulnerabilities, including critical flaws affecting the FortiNAC and FortiWeb products. Two of the advisories have a 'critical' severity rating and 15 of them have been classified as having 'high' severity.

#back

New 'Lobshot' hVNC Malware Used by Russian Cybercriminals

Russian cybercrime group TA505 has been observed using new hVNC (Hidden Virtual Network Computing) malware in recent attacks, threat intelligence company Elastic reports. Called Lobshot, the malware allows attackers to bypass fraud detection engines and provides them with stealthy, direct access to the infected machines.

Microsoft: Cl0p Ransomware Exploited PaperCut Vulnerabilities Since April 13

A Cl0p ransomware operator affiliated with the FIN11 and TA505 threat actors has been exploiting recently patched PaperCut vulnerabilities since April 13, Microsoft says. Impacting the PaperCut MF/NG print management system and tracked as CVE-2023-27350 (CVSS score of 9.8), the issue can be exploited to bypass authentication and achieve remote code execution (RCE) with System privileges.

First Dero cryptojacking campaign targets unprotected Kubernetes instances

Learn how this cryptocurrency campaign operates and its scope. Then, get tips on protecting vulnerable Kubernetes instances from this cybersecurity threat. The cybersecurity company CrowdStrike has observed the first-ever Dero cryptojacking campaign. The attack targets Kubernetes clusters that were accessible on the internet and allowed anonymous access to the Kubernetes API.

#immediately

Trojanized Windows and Mac apps rain down on 3CX users in massive supply chain attack

Hackers working on behalf of the North Korean government have pulled off a massive supply chain attack on Windows and macOS users of 3CX, a widely used voice and video calling desktop client, researchers from multiple security firms said. The attack compromised the software build system used to create and distribute both Windows and macOS versions of the app, which provides both VoIP and PBX services to "600,000+ customers," including American Express, Mercedes-Benz, and Price Waterhouse Cooper.

Ferrari Says Ransomware Attack Exposed Customer Data

Italian sports car maker Ferrari said on Monday that a threat actor had demanded a ransom related to customer contact details that may have been exposed in a ransomware attack. "Upon receipt of the ransom demand, we immediately started an investigation in collaboration with a leading global third-party cybersecurity firm," the iconic car maker said.

Hackers drain bitcoin ATMs of $1.5 million by exploiting 0-day bug

Hackers drained millions of dollars in digital coins from cryptocurrency ATMs by exploiting a zero-day vulnerability, leaving customers on the hook for losses that can't be reversed, the kiosk manufacturer has revealed. The heist targeted ATMs sold by General Bytes, a company with multiple locations throughout the world.
#successfully

Russia-Linked APT 'Winter Vivern' Targeting Governments in Europe, Asia

A Russia-linked advanced persistent threat (APT) actor tracked as Winter Vivern has been observed targeting government entities in several European and Asian countries. Initially detailed in early 2021, the group is known to support the interests of the Belarusian and Russian governments, and was previously observed targeting government organizations in India, Lithuania, Slovakia, and the Vatican.

Chinese Silkloader cyber attack tool falls into Russian hands | Computer Weekly

Threat researchers at WithSecure have revealed intelligence on how cyber criminal gangs are sharing tools along the historic Silk Roads of Eurasia, after finding a tool known to have been developed by Chinese cyber criminals being taken up enthusiastically among Russian-speaking ransomware operators.

#persistence

Fortinet Finds Zero-Day Exploit in Government Attacks After Devices Detect Integrity Breach

Fortinet warns that a recently addressed FortiOS vulnerability has been exploited by a sophisticated threat actor in highly targeted attacks against governmental and government-related entities. Patched last week, the bug is tracked as CVE-2022-41328 and is described as a medium-severity path traversal issue leading to command execution.

Malware infecting widely used security appliance survives firmware updates

Threat actors with a connection to the Chinese government are infecting a widely used security appliance from SonicWall with malware that remains active even after the device receives firmware updates, researchers said. SonicWall's Secure Mobile Access 100 is a secure remote access appliance that helps organizations securely deploy remote workforces.

'PureCrypter' Downloader Used to Deliver Malware to Governments

A threat actor is using the PureCrypter downloader to deliver different types of malware to government entities in the Asia-Pacific and North America regions, Menlo Labs warns. As part of the observed attacks, Discord is used for distribution purposes, while the domain of a compromised non-profit organization serves as a command-and-control (C&C) server, hosting a secondary payload.

#vulnerabilities

ICS Vulnerabilities Chained for Deep Lateral Movement and Physical Damage

Researchers at cybersecurity firm Forescout have shown how various vulnerabilities discovered in recent years in industrial control systems (ICS) can be chained for deep lateral movement in operational technology (OT) networks, and even to cause significant physical damage. Two vulnerabilities found last year in Schneider Electric's Modicon programmable logic controllers (PLCs) are at the center of this research.

Critical Vulnerabilities Allow Hackers to Take Full Control of Wago PLCs

German industrial automation solutions provider Wago has released patches for several of its programmable logic controllers (PLCs) to address four vulnerabilities, including ones that can be exploited to take full control of the targeted device. The vulnerabilities were discovered by Ryan Pickren from the Georgia Institute of Technology's Cyber-Physical Security Lab.

Lego fixes dangerous API vuln in BrickLink service | TechTarget

The Lego Group has moved swiftly to fix a pair of application programming interface (API) security vulnerabilities that existed in its BrickLink digital resale platform, after they were identified by Salt Labs, the research arm of API specialist Salt Security. With over a million members, BrickLink is the world's largest forum for buying and selling second-hand Lego sets.

#researchers

Cyber gang abused free trials to exploit public cloud CPU resources | Computer Weekly

A South Africa-based threat actor known as Automated Libra has been observed adopting increasingly sophisticated techniques to conduct a widespread freejacking campaign against various public cloud services. Freejacking is the act of using free or time-limited access to public cloud resources, such as introductory trial offers, to perform illicit cryptomining.

A global ad fraud campaign based on Google Ads has made millions

Scammers have used the traffic from an adult website to generate clicks on Google Ad banners, netting them huge returns, experts have revealed. Researchers from Malwarebytes, which first spotted the campaign, revealed how someone created an ad campaign on one of the major adult ad networks and used the "popunder" ad format.

OpenAI predicts biz can break a billion in revs by 2024

In Brief: The squishy brains behind OpenAI's artificial ones are predicting that developments like the ChatGPT system will see money flooding in, with a forecast of earning around $1 billion by 2024. According to an investors' briefing document seen by Reuters, the machine-learning biz expects to break $200 million in revenues next year and bust through the billion mark 12 months later.
Uggghhhh. We need you, password managers. If you go down, we are lost.
from www.theguardian.com
1 year ago
Privacy professionals

Password app LastPass hit by cybersecurity breach but says data remains safe

Password manager LastPass has told customers that some of their information has been accessed in a cybersecurity breach, but says passwords remain safe.
...
In August, LastPass determined that some of its source code and technical information was taken from unauthorised access to a third-party storage service the company had been using.
...
At the time LastPass said the attacker had taken portions of source code and some proprietary LastPass technical information, but believed the risk to the app was limited.