23-Oct-23: In Security News Today

‘Grandoreiro’ Trojan Targets Global Banking Customers

The Brazilian banking malware known as ‘Grandoreiro’ has expanded its campaign to target customers in Spain, in addition to Brazil and Mexico. The malware is delivered through phishing emails containing a malicious URL that leads to a ZIP file containing a loader. Once executed, the loader downloads a vulnerable application that is exploited to deliver the final payload, which can harvest data from online banking login pages. The rise of Brazilian cybercrime can be attributed to a lack of cybersecurity education and awareness among the general population, as well as the growing middle class and increased online presence in the region.

Ragnar Locker Ransomware Boss Arrested in Paris

Law enforcement agencies from 11 countries have arrested the suspected developer of the Ragnar Locker ransomware group in Paris. The arrest was part of a coordinated effort to seize the group’s cybercrime infrastructure. The Ragnar Locker group has been active since 2019, targeting critical infrastructure and using double extortion tactics.

Malicious Apps Spoof Israeli Attack Detectors: Conflict Goes Mobile

A malicious, spoofed version of the RedAlert – Rocket Alerts app, which provides timely alerts about incoming airstrikes in Israel and Gaza, has been detected. The spoofed app collects personal information and is targeting Android users in the affected region. Another incident involved a pro-Palestinian hacktivist group exploiting a vulnerability in the Red Alert: Israel app to send fake alerts, including a message about a nuclear bomb strike. Cybersecurity professionals are advised to be cautious when downloading apps, check developers and reviews, and restrict permissions when necessary.

Casio Data Breach Exposes Personal Information of Customers

Japanese electronics maker Casio has announced a data breach that exposed the personal information of customers in 150 countries and regions. The breach occurred through unauthorized access to a database in the development environment for Casio’s education web application, ClassPad.net. The compromised information includes names, email addresses, country/region of residence, order information, and service usage information.

Okta Customer Support System Compromised, Exposing Sensitive Data

Okta, an identity and access management services provider, revealed that its customer support case management system was hacked, resulting in the exposure of sensitive customer data such as cookies and session tokens. The compromised information could be used by attackers to impersonate valid Okta users. Okta has taken measures to protect its customers, including revoking embedded session tokens, and has provided security teams with IP addresses and user-agents for threat hunting.
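The threat-hunting step mentioned above (matching published IP addresses and user-agents against access logs) is straightforward to script. The following is an added example, not code from Okta or from the original article: it uses a simplified, constructed log-line format and placeholder indicators from the TEST-NET ranges rather than any real published IoCs, and it reports lines it cannot parse instead of skipping them silently.

```python
import re

# Constructed indicator set for illustration: placeholder addresses from the
# TEST-NET ranges and a made-up user-agent, NOT the vendor's published indicators.
SUSPECT_IPS = {"203.0.113.45", "198.51.100.7"}
SUSPECT_USER_AGENTS = {"Mozilla/5.0 (compatible; example-scanner/1.0)"}

# Constructed sample log lines in a simplified '<ip> "<user-agent>" <path>' form.
SAMPLE_LOG = [
    '203.0.113.45 "Mozilla/5.0 (Windows NT 10.0) Chrome/118" /api/v1/sessions/me',
    '192.0.2.10 "Mozilla/5.0 (compatible; example-scanner/1.0)" /api/v1/users',
    '192.0.2.11 "Mozilla/5.0 (Macintosh) Safari/17" /api/v1/sessions/me',
    'this line is malformed and should be reported, not silently skipped',
]

LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<ua>[^"]*)" (?P<path>\S+)$')


def parse_line(line):
    """Return a dict with ip, ua and path, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines, suspect_ips, suspect_uas):
    """Return (hits, malformed).

    hits: one dict per line that matched an indicator, with the reasons.
    malformed: 1-based line numbers that did not parse, so a hunter can
    inspect them rather than assume they were clean.
    """
    hits, malformed = [], []
    for n, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            malformed.append(n)
            continue
        reasons = []
        if rec["ip"] in suspect_ips:
            reasons.append("ip")
        if rec["ua"] in suspect_uas:
            reasons.append("user-agent")
        if reasons:
            hits.append({"line": n, "ip": rec["ip"], "path": rec["path"], "reasons": reasons})
    return hits, malformed


if __name__ == "__main__":
    found, bad = hunt(SAMPLE_LOG, SUSPECT_IPS, SUSPECT_USER_AGENTS)
    for h in found:
        print(f"line {h['line']}: {h['ip']} {h['path']} matched {', '.join(h['reasons'])}")
    if bad:
        print("unparsed lines:", bad)
```

A match on an indicator is a starting point for investigation, not proof of compromise; a hit on a session-related path is the kind of event that, combined with the token revocation the summary describes, tells a team which sessions to examine first.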

SolarWinds Patches High-Severity Vulnerabilities in Access Rights Manager

SolarWinds has released patches for eight high-severity vulnerabilities in its Access Rights Manager (ARM), including three remote code execution issues that can be exploited without authentication. The vulnerabilities were identified by a security researcher and reported to ZDI. The flaws can allow remote, unauthenticated attackers to execute arbitrary code with system privileges, and some can lead to privilege escalation.

US Warns of North Korean Operatives in Freelance IT Market

The US Department of Justice (DoJ) has warned organizations that hire freelance and temporary IT workers to be cautious of individuals working on behalf of the North Korean government. North Korea has flooded the freelance market with skilled IT workers who are secretly directing their earnings to the country’s nuclear weapons program. The workers primarily reside in Russia and China and use various methods to hide their true identities and locations when applying for freelance work.

Data Breach at DC Board of Elections Compromises Full Voter Roll

The District of Columbia Board of Elections (DCBOE) announced that a recent data breach at hosting provider DataNet may have compromised the full voter roll. The breach, initially disclosed on October 6, involved a threat actor accessing 600,000 lines of US voter data. DCBOE stated that the breached database server contained a copy of the voter roll, which includes personally identifiable information such as partial social security numbers, driver’s license numbers, dates of birth, and contact information. The agency will be working with Google’s cybersecurity arm Mandiant to investigate the breach.

DoNot Team’s New Firebird Backdoor Hits Pakistan and Afghanistan

The threat actor known as DoNot Team has been linked to a novel .NET-based backdoor called Firebird, targeting victims in Pakistan and Afghanistan. The attack chains also deliver a downloader named CSVtyrei, resembling Vtyrei. DoNot Team, suspected to be of Indian origin, uses spear-phishing emails and rogue Android apps to propagate malware.

Grandoreiro Banking Malware Expands to Spain and Mexico

Proofpoint researchers have observed an increase in instances of the Grandoreiro banking malware targeting individuals in Spain, deviating from its typical focus on Portuguese and Spanish-speaking individuals in Brazil, Mexico, and other parts of the Americas. The cyber threat landscape in Brazil has become more intricate and diverse, with online banking adoption providing opportunities for threat actors to manipulate individuals. Grandoreiro overlays, which can steal data through keyloggers and screen-grabbers, have expanded to include banks in Spain, allowing threat actors to target victims in multiple geographic regions without altering the malware.

Quasar RAT Leverages DLL Side-Loading to Fly Under the Radar

The Quasar RAT, an open-source remote access trojan, has been observed using DLL side-loading to evade detection and steal data from compromised Windows hosts. The malware disguises itself as legitimate files, such as ctfmon.exe and calc.exe, to exploit the trust placed in these files by the Windows environment. The attack begins with an ISO image file containing a renamed legitimate binary, a renamed DLL file, and a malicious DLL file, which is loaded through DLL side-loading to execute the Quasar RAT payload.
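The side-loading pattern described above leaves a simple telemetry signature: a binary that normally lives in a Windows system directory runs from somewhere else, and the DLL it loads sits beside it in that same untrusted directory. The check below is an added example, not code from the original article or from any detection product; the trusted-directory list and the image-load events are constructed assumptions, and the watched names are the two the summary mentions.

```python
from pathlib import PureWindowsPath

# Binaries the summary says the campaign masquerades as.
WATCHED_BINARIES = {"ctfmon.exe", "calc.exe"}

# Directories where those binaries legitimately live (assumption for this example).
TRUSTED_DIRS = {
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
}

# Constructed image-load events as (process image path, loaded DLL path).
# These are not real telemetry; D:\ stands in for a mounted ISO.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\ctfmon.exe", r"C:\Windows\System32\msctf.dll"),
    (r"D:\ctfmon.exe", r"D:\msctf.dll"),
    (r"C:\Users\alice\Downloads\calc.exe", r"C:\Users\alice\Downloads\version.dll"),
    (r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\version.dll"),
]


def is_trusted_dir(path):
    """True if the directory containing `path` is one of the trusted system dirs.
    PureWindowsPath compares case-insensitively, matching NTFS behaviour."""
    return PureWindowsPath(path).parent in TRUSTED_DIRS


def classify(image, dll):
    """Return a list of reasons this (image, dll) pair looks like side-loading.
    An empty list means nothing suspicious was found."""
    image_p, dll_p = PureWindowsPath(image), PureWindowsPath(dll)
    reasons = []
    if image_p.name.lower() in WATCHED_BINARIES and not is_trusted_dir(image_p):
        reasons.append("watched system binary running outside a trusted directory")
        # The classic side-load: the DLL is a sibling of the relocated binary.
        if dll_p.parent == image_p.parent and not is_trusted_dir(dll_p):
            reasons.append("DLL loaded from the same untrusted directory as the binary")
    return reasons


def find_sideload_candidates(events):
    """Return [(image, dll, reasons)] for every event that raised at least one reason."""
    hits = []
    for image, dll in events:
        reasons = classify(image, dll)
        if reasons:
            hits.append((image, dll, reasons))
    return hits


if __name__ == "__main__":
    for image, dll, reasons in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{image} -> {dll}")
        for r in reasons:
            print(f"    - {r}")
```

Keying on the process path rather than the file name is the point: the renamed binary is genuinely signed and will pass a signature check, so a rule that only asks "is this ctfmon.exe signed by Microsoft?" sees nothing wrong. A production rule would widen the watched set well beyond two names and would pull the trusted locations from inventory rather than hard-coding them.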

City of Philadelphia Releases Cyber-Breach Notice

The city of Philadelphia has released a notice regarding a data breach that occurred between May 26 and July 28 of this year. The breach involved personal health information, and the investigation is ongoing. The city recommends that individuals remain vigilant and report any suspicious activity to their insurance company, healthcare provider, or financial institution.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.