The Russian ransomware group known as Cuba has been targeting US organizations and critical infrastructure providers in highly profitable ransomware attacks. The group employs a variety of techniques, including exploiting vulnerabilities such as Zerologon and a bug in Veeam backup software, deploying custom malware programs like BUGHATCH and BURNTCIGAR, and using off-the-shelf tools like Metasploit and Cobalt. Cuba also employs tactics to evade detection, such as moving slowly and deliberately within the target network and using initial access brokers to obtain valid credentials.
A new variant of the XLoader infostealer has been spreading widely in the wild, indicating a shift in hackers’ ability to target macOS environments effectively. The new XLoader is written natively in C and Objective C, packaged in an application file with a legitimate-sounding name and an Apple developer signature. It can steal credentials saved in Firefox and Chrome, as well as the user’s clipboard. Cybersecurity professionals are advised to layer extra security on top of Apple’s built-in security measures to ensure better visibility and protection.
The FBI has identified six cryptocurrency wallets operated by North Korean hackers that are believed to contain approximately 1,580 Bitcoin stolen from recent heists. The stolen funds are estimated to be worth over $40 million. The FBI has urged private sector entities to be vigilant and examine blockchain data associated with these addresses to prevent transactions with stolen funds.
A study by Spin.AI found that 51% of browser extensions have overly permissive access and could execute potentially malicious behaviors. These extensions, often used in enterprise environments, pose risks such as data theft and compliance issues. Organizations are advised to establish and enforce policies based on third-party risk management frameworks, assess extensions for risks, and consider implementing automated controls based on organizational policies.
More than 3,000 Openfire servers have not been patched against a recent vulnerability, leaving them exposed to attacks using a new exploit. The vulnerability, tracked as CVE-2023-32315, allows unauthenticated attackers to access restricted pages in the admin console. Threat actors have been exploiting this vulnerability for over two months, creating new admin console user accounts to install a remote web shell and gain unauthorized access to the server.
Permiso Security’s p0 Labs team has identified and tracked an attacker developing and deploying incremental iterations of their credential harvesting malware while developing infrastructure for a campaign targeting various cloud services. The campaign includes multi-cloud support, structural and syntactical changes, and the utilization of multiple FQDNs. The attacker’s infrastructure and code suggest that the author may be a native German speaker.
A Syrian threat actor named EVLF has been identified as the creator of the CypherRAT and CraxsRAT malware. These remote access trojans allow attackers to control victim devices’ camera, location, and microphone. EVLF has been operating a web shop since September 2022, offering the malware to other cybercriminals as part of a malware-as-a-service scheme.
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the National Institute of Standards and Technology (NIST) have released guidance urging organizations to plan for post-quantum cryptography migration. The guidance emphasizes the need for early planning, including creating quantum-readiness roadmaps, conducting inventories, assessing risks, and engaging with vendors. It also encourages organizations to proactively prepare for migrating to products that adhere to post-quantum cryptographic standards and to reduce the risks posed by cryptanalytically-relevant quantum computers.
A malicious toolset called Spacecolon is being used to spread variants of the Scarab ransomware across organizations worldwide. The toolset is deployed by compromising vulnerable web servers or brute forcing RDP credentials. The threat actor, known as CosmicBeetle, primarily targets servers with missing security updates and uses ScHackTool to deploy an installer that installs a backdoor and retrieves system information, ultimately delivering the Scarab ransomware.
A campaign targeting Roblox game developers has been discovered, involving over a dozen malicious packages on the npm package repository. The packages masquerade as the legitimate package noblox.js and deploy an information stealer called Luna Token Grabber. The malicious packages were downloaded 963 times before being taken down, highlighting the need for vigilance in the software supply chain.
Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.