The use of Cloudflare R2 to host phishing pages has increased 61-fold in the past six months, with the majority of campaigns targeting Microsoft login credentials. The phishing pages not only abuse Cloudflare R2 but also use the company’s Turnstile anti-bot challenge to evade detection by automated scanners. The malicious sites are designed to load content only when certain conditions are met; if no URL parameter is passed, visitors are redirected to www.google.com.
Four security vulnerabilities have been discovered in the ScrutisWeb ATM fleet monitoring software, allowing remote attackers to break into ATMs, upload arbitrary files, and reboot terminals. The vulnerabilities include a directory traversal vulnerability, a remote code execution vulnerability, a cryptographic vulnerability, and an insecure direct object reference vulnerability. The most severe flaw allows an unauthenticated user to upload any file and then view it from a web browser, resulting in command injection. These vulnerabilities have been addressed in ScrutisWeb version 2.1.38.
A threat actor has exploited a recent Citrix vulnerability (CVE-2023-3519) to infect roughly 2,000 NetScaler instances with a backdoor. The vulnerability allows unauthenticated, remote attackers to execute arbitrary code on vulnerable Citrix Application Delivery Controller (ADC) and Gateway appliances. The infections occurred before organizations applied the provided patch, so patching alone did not remove the backdoor, and the count indicates that administrators have not properly checked their appliances for signs of successful exploitation.
The Monti ransomware group has reemerged after a two-month hiatus with a new Linux version of its encryptor. This version differs significantly from previous Linux-based versions, including the use of a different encryptor and the addition of new behaviors. The changes are aimed at enhancing the ransomware’s ability to evade detection, making it more challenging to identify and mitigate.
The latest BlackBerry Global Threat Intelligence Report reveals a 40% increase in cyberattacks against government and public service organizations compared to the previous quarter. The report highlights the challenges faced by publicly funded organizations with limited resources and immature cyber defense programs. The healthcare and financial services industries remain the most targeted sectors, with threat actors deploying novel malware samples and targeting these industries with ransomware and infostealers.
Israeli threat intelligence company Hudson Rock has discovered credentials associated with cybercrime forums on approximately 120,000 computers infected with information stealers. The analysis of over 14.5 million infected machines revealed that the cybercrime forum ‘Nulled.to’ had the highest number of compromised users, followed by ‘Cracked.io’ and ‘Hackforums.net’. Hudson Rock also noted that info-stealer infections have surged by 6000% since 2018, making them the primary initial attack vector for threat actors to infiltrate organizations and execute cyberattacks.
Canadian dental benefits administrator Alberta Dental Service Corporation (ADSC) has suffered a ransomware attack, compromising the personal information of 1.5 million individuals. The attackers had access to the network for over two months and copied certain data, including personal and banking information. ADSC paid a ransom to the 8Base ransomware gang and claims that the stolen data was deleted.
A new Android banking malware called Gigabud RAT is targeting account holders of numerous financial institutions in Thailand, Indonesia, Vietnam, the Philippines, and Peru. The malware is unusual in that it doesn’t execute any malicious actions until a fraudster has authorized the user inside the malicious application, making it harder to detect. Gigabud RAT gathers sensitive information primarily through screen recording and is spread via phishing websites and APK files sent through messages on WhatsApp.
A new wave of highly targeted attacks on the npm package registry has been linked to North Korean threat actors. The attackers are using social engineering tactics to entice developers into downloading malicious modules. The attack involves the installation of packages that initiate encrypted communication with a remote server, allowing the attackers to issue further payloads and potentially compromise targeted machines.
Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.