18-Sep-24: In Security News Today

Australian Police Infiltrate Encrypted Messaging App Ghost And Arrest Dozens

Australian police, in collaboration with a global taskforce, infiltrated the encrypted messaging app Ghost, used by organized crime groups for illegal activities such as drug trafficking and contract killings, leading to 38 arrests across multiple countries. The app’s alleged administrator, Jay Je Yoon Jung, was arrested in Sydney, accused of supporting criminal organizations and profiting from the platform. By compromising Ghost’s software updates, police intercepted over 125,000 messages, preventing multiple violent crimes and gaining access to crucial communications used by global criminal networks.

North Korean Hackers Target Energy And Aerospace Industries With New Mistpen Malware

North Korean hackers, linked to the Lazarus Group (UNC2970), have launched a phishing campaign targeting energy and aerospace industries with a newly discovered malware, MISTPEN. The campaign, known as Operation Dream Job, uses job-themed spear-phishing lures and trojanized PDF readers to deliver MISTPEN, a backdoor embedded in a Notepad++ plugin, via a launcher called BURNBOOK. MISTPEN allows the attackers to download and execute files from a command-and-control server, and the malware is continuously evolving to evade detection.

Russian Security Firm Doctor Web Hacked

Doctor Web, a Russian antimalware company, was recently hit by a cyberattack that forced it to disconnect all resources from its network for inspection. The company claims the attack was detected early, with no impact on users, and its virus databases have since been restored. While Doctor Web has not disclosed the attackers’ identity, other Russian cybersecurity firms, including Kaspersky and Avanpost, have also recently been targeted by state-sponsored and hacktivist groups.

Chinese Botnet Infects 260,000 SOHO Routers, IP Cameras With Malware

Chinese botnet Raptor Train has infected over 260,000 SOHO routers, IP cameras, and other devices, targeting critical infrastructure across the US and Taiwan. This sophisticated, multi-tiered botnet employs a variant of the Mirai malware called Nosedive and has been linked to state-sponsored Chinese hackers known as Flax Typhoon. Despite its recent partial disruption by the FBI and cybersecurity researchers, Raptor Train continues to pose a significant threat due to its dynamic infrastructure and extensive exploitation tactics.

GitLab Releases Fix For Critical SAML Authentication Bypass Flaw

GitLab has issued updates to patch a critical SAML authentication bypass vulnerability (CVE-2024-45409) affecting self-managed GitLab CE and EE installations. The flaw, caused by insufficient validation in the OmniAuth-SAML and Ruby-SAML libraries, allows attackers to bypass authentication and gain unauthorized access. Users are advised to upgrade to the latest versions or, if an immediate upgrade isn’t feasible, to enable two-factor authentication and restrict SAML 2FA bypass to mitigate potential risks.

QR Phishing Scams Gain Motorized Momentum In UK

QR phishing scams, also known as “quishing,” are increasingly targeting tourists in the UK and beyond, with threat groups deploying malicious QR codes on parking meters to steal personal and financial information. The schemes, which have also spread to Canada and the US, trick victims into entering sensitive data on phishing websites masquerading as legitimate parking payment apps, leading to potential financial loss and parking fines. Experts recommend vigilance and the use of official parking apps to mitigate the risk of falling victim to these sophisticated scams.

Microsoft: Vanilla Tempest Hackers Hit Healthcare With INC Ransomware

Vanilla Tempest, a ransomware affiliate tracked by Microsoft, is now targeting U.S. healthcare organizations with INC ransomware, using the Gootloader malware, the Supper backdoor, and the AnyDesk remote-access tool. The attack chain involves initial access handed off by Storm-0494, lateral movement via RDP, and deployment of the ransomware across the network. Vanilla Tempest, active since 2021, has previously targeted sectors such as healthcare and education using various ransomware strains, including BlackCat and Rhysida.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.