Lockbit Associates Arrested, Evil Corp Bigwig Outed
Operation Cronos has led to the arrest of four key LockBit ransomware associates and uncovered significant ties between LockBit and Russia’s Evil Corp, notorious for banking Trojans like Zeus and Dridex. Aleksandr Ryzhenkov, previously Evil Corp’s second-in-command, was sanctioned and named as a LockBit affiliate, highlighting cross-affiliation within major cybercrime groups. Law enforcement efforts across multiple countries have intensified, aiming to disrupt LockBit’s infrastructure and expose its links to large-scale ransomware and financial crimes.
Zero-Day Breach At Rackspace Sparks Vendor Blame Game
Rackspace experienced a data breach due to a zero-day vulnerability in a third-party utility bundled with ScienceLogic’s SL1 monitoring software. The breach exposed limited internal monitoring information, including customer details and encrypted credentials, but did not impact other Rackspace products or services. This follows a previous ransomware attack in 2022, further highlighting vulnerabilities within Rackspace’s infrastructure and the software supply chain.
Roblox Cheaters Targeted By Cybercriminals Offering Malicious Gaming ‘Hacks’
Malware campaigns targeting Roblox cheaters have surged, with cybercriminals distributing malicious Python packages and executables via platforms like Github and Discord. These malware variants, including Skuld Stealer and Blank Grabber, are designed to steal sensitive data from browsers, Discord, and cryptocurrency wallets. Young gamers are particularly vulnerable, as they often disable antivirus protections to run game cheats, exposing them to serious security risks.
Fake Trading Apps Target Victims Globally Via Apple App Store And Google Play
A global fraud campaign, known as “pig butchering,” uses fake trading apps to lure victims via the Apple App Store, Google Play, and phishing websites, promising high financial returns through cryptocurrency and other investments. These apps, including UniShadowTrade and SBI-INT, manipulate users through social engineering tactics, ultimately stealing their funds when they attempt to withdraw investments, often demanding additional fees. The attackers exploit trusted app distribution platforms, employ web-based components to avoid detection, and target victims across various regions including Asia-Pacific and Europe.
China-Linked Ceranakeeper Targeting Southeast Asia With Data Exfiltration
CeranaKeeper, a China-linked threat actor, has been targeting Southeast Asia since 2023, primarily focusing on governmental institutions in countries like Thailand, Myanmar, and Taiwan. Leveraging tools such as TONESHELL and newly developed malware like WavyExfiller and BingoShell, the group employs sophisticated methods for data exfiltration through cloud services like Dropbox and OneDrive. The attackers use custom backdoors, abuse compromised machines as update servers, and continuously adapt their toolset to evade detection and maximize data collection across infected networks.
CISA: Network Switch Rce Flaw Impacts Critical Infrastructure
CISA has issued an alert regarding two critical vulnerabilities (CVE-2024-41925 and CVE-2024-45367) in Optigo Networks ONS-S8 Aggregation Switches, allowing remote code execution and authentication bypass. These flaws, which impact all versions up to 1.3.7, stem from weak authentication enforcement and improper user input validation, creating serious risks for critical infrastructure and manufacturing units globally. As no patches are available yet, CISA advises isolating the management interface, using VPNs, and following risk mitigation strategies to secure affected systems.
Alert: Over 700,000 Draytek Routers Exposed To Hacking Via 14 New Vulnerabilities
DrayTek routers have been found vulnerable to 14 security flaws, including two critical vulnerabilities that allow for remote code execution (RCE) and denial-of-service (DoS) attacks. Over 700,000 routers worldwide, primarily in the U.S., are exposed to these risks, making them a significant target for cybercriminals. Patches have been released to address the vulnerabilities, and security experts advise disabling remote access, implementing access control lists, and using two-factor authentication to mitigate potential threats.
Critical Zimbra RCE Flaw Exploited To Backdoor Servers Using Emails
Attackers are leveraging the CVE-2024-45519 remote code execution flaw in Zimbra’s postjournal service by sending specially crafted emails that execute base64-encoded commands via the SMTP server’s CC field. This exploitation results in the installation of webshells, providing attackers with full access to compromised servers for data exfiltration and lateral movement within networks. Cybersecurity professionals should urgently apply the latest Zimbra patches, disable the postjournal service if unnecessary, and ensure proper configuration of network access controls to mitigate this widespread threat.
Data Leak Hits Latin America’s Financial Institutions, Leads Point To Fintech App
A significant data leak from the fintech platform Bankingly has compromised the personal information of nearly 135,000 clients across seven financial institutions in Latin America, with the majority of affected individuals residing in the Dominican Republic. The incident, attributed to misconfigured Azure Blob Storage buckets, highlights the risks associated with third-party service providers in the financial sector, as exposed personally identifiable information (PII) could facilitate social engineering attacks and credential stuffing. Despite securing the leaked data, the incident raises concerns about the potential for sophisticated phishing schemes targeting vulnerable clients and the ongoing threat posed by third-party vulnerabilities in digital banking.
Record-Breaking DDoS Attack Peaked At 3.8 Tbps, 2.14 Billion Pps
Cloudflare has successfully mitigated a historic DDoS attack that peaked at 3.8 Tbps and 2.14 billion packets per second, targeting an unidentified customer of a hosting provider utilizing its services. This attack is part of a month-long campaign that began in early September, during which Cloudflare managed to defend against over 100 similar hyper-volumetric attacks, many surpassing 2 billion Pps and 3 Tbps. The attack origins were global, with significant contributions from compromised systems in Vietnam, Russia, Brazil, Spain, and the United States, affecting sectors such as financial services and telecommunications.
Andariel Hacking Group Shifts Focus To Financial Attacks On U.S. Organizations
Andariel, a North Korean state-sponsored hacking group linked to the Lazarus Group, has shifted its focus to financially motivated attacks, targeting three U.S. organizations in August 2024 without deploying ransomware. Symantec reported that the attacks involved tools like Dtrack and a newly observed backdoor named Nukebot, suggesting a potential increase in extortion attempts against U.S. entities despite ongoing government countermeasures. This shift in strategy indicates a growing trend of North Korean cyber actors engaging in financially driven operations, reflecting a broader threat landscape for cybersecurity professionals to monitor.
Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.