24-Aug-23: In Security News Today

New Strain of Ransomware Targets Small Businesses and Individuals

Researchers have discovered a new strain of ransomware called TZW that has been active since 2019 and targets individuals and small businesses. Unlike typical ransomware, TZW demands small ransoms from each victim instead of large sums. The ransomware has been misclassified and misattributed in the past, causing confusion for researchers, but they have now successfully identified it as a spinoff of the Adhubllka ransomware family.

Russian ‘Telekopye’ Telegram Phishing Bot Enables Easy Phishing Attacks

A Telegram bot called ‘Telekopye’ is being used by Russian-language users to automate phishing campaigns against popular ecommerce sites like eBay. The bot allows cybercriminals with little technical capability to conduct full-fledged phishing attacks, targeting online shoppers and sellers primarily in Russia but also in other countries. The success of Telekopye is evident from its eight-year existence and continuous updates, and its community operates in a corporate-like structure with administrators, moderators, and workers who earn commissions on each scam.

University of Minnesota Confirms Data Breach, No Ransomware Involved

The University of Minnesota has confirmed that data was stolen from its systems, but no malware infection or file encryption was identified, so the incident is not being treated as a ransomware attack. The confirmation comes one month after a threat actor claimed to have accessed a university database containing information about students, staff, and faculty. The university has launched an investigation and stated that no ongoing activity related to the incident has been detected and that current operations have not been disrupted.

Threat Actor Exploits Zero-Day in WinRAR to Target Crypto Accounts

A threat actor, possibly connected to the Evilnum group, has been targeting users of online cryptocurrency trading forums using a now-patched bug in WinRAR (CVE-2023-38831). The bug allowed the attackers to hide malicious code in ZIP archives that appeared to contain only harmless files, which they then distributed on the forums. The attacks have been ongoing since at least April, and although a patch has been released, some systems remain infected because users have not updated.

Lazarus Group Exploits Zoho ManageEngine Flaw to Deploy QuiteRAT Malware

The Lazarus Group, a North Korea-linked threat actor, has been observed exploiting a critical security flaw in Zoho ManageEngine ServiceDesk Plus to distribute the remote access trojan QuiteRAT. The targets of these attacks include internet backbone infrastructure and healthcare entities in Europe and the U.S. The Lazarus Group’s use of the Qt framework in QuiteRAT is seen as an intentional effort to make analysis more challenging, and the group continues to evolve its tactics and expand its malicious arsenal.

Cisco Patches Vulnerabilities Exposing Switches, Firewalls to DoS Attacks

Cisco has released patches for three high-severity vulnerabilities in NX-OS and FXOS software that could lead to denial-of-service (DoS) conditions. The vulnerabilities include improper handling of specific SNMP requests, insufficient input validation in the IS-IS protocol, and an incorrect input validation issue in TACACS+ and RADIUS remote authentication. Cisco has also patched a medium-severity issue in the Application Policy Infrastructure Controller (APIC) that could allow an authenticated, remote attacker to read, modify, or delete non-tenant policies.

New Malware Whiffy Recon Scans for Wi-Fi Access Points to Obtain Device Location

Researchers at Secureworks have discovered a new piece of malware called Whiffy Recon that scans for nearby Wi-Fi access points to obtain the location of the infected device. The malware targets Windows systems and conducts Wi-Fi scanning every 60 seconds, with the collected data being sent to a geolocation API from Google. The motivation behind the malware’s operation is unclear, but threat actors could potentially use the data to track compromised systems and intimidate or pressure victims into complying with their demands.
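The one concrete behaviour the summary gives is a fixed 60-second scan cycle with each result posted to a single geolocation endpoint, which shows up in proxy or DNS logs as beaconing. The following added example (not Secureworks' code, and not based on any real sample) runs a simple periodicity check over constructed log lines; the log layout, the endpoint path and the thresholds are assumptions for the example.

```python
"""Beaconing detector over constructed proxy-style log lines.

Repeated requests from one host to one destination at a near-constant
interval are the signature to hunt for when malware such as Whiffy Recon
polls a geolocation API on a timer. The lines in SAMPLE_LOG are
constructed for this example; the field order (UTC timestamp, source
host, destination, method, path) is an assumption, not a vendor format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

SAMPLE_LOG = """\
2023-08-24T10:00:00Z ws-042 www.googleapis.com POST /geolocation/v1/geolocate
2023-08-24T10:00:03Z ws-042 cdn.example.net GET /static/app.js
2023-08-24T10:01:00Z ws-042 www.googleapis.com POST /geolocation/v1/geolocate
2023-08-24T10:02:01Z ws-042 www.googleapis.com POST /geolocation/v1/geolocate
2023-08-24T10:02:40Z ws-042 mail.example.net GET /inbox
2023-08-24T10:03:00Z ws-042 www.googleapis.com POST /geolocation/v1/geolocate
2023-08-24T10:04:00Z ws-042 www.googleapis.com POST /geolocation/v1/geolocate
2023-08-24T10:00:10Z ws-017 www.googleapis.com POST /geolocation/v1/geolocate
2023-08-24T10:27:45Z ws-017 www.googleapis.com POST /geolocation/v1/geolocate
2023-08-24T11:12:02Z ws-017 www.googleapis.com POST /geolocation/v1/geolocate
2023-08-24T10:00:05Z ws-017 cdn.example.net GET /static/app.js
2023-08-24T10:00:35Z ws-017 cdn.example.net GET /static/app.js
"""


def parse_log(text):
    """Yield (timestamp, host, destination) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, _method, _path = line.split(maxsplit=4)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, dst


def find_beacons(text, min_events=4, max_jitter=0.2):
    """Return {(host, dst): median_gap_seconds} for series that beacon.

    A (host, destination) series is flagged when it has at least
    `min_events` requests and the gaps between consecutive requests are
    tightly clustered: population stdev / median gap <= `max_jitter`.
    Both thresholds are assumptions for this example; tune them to your
    own traffic. Legitimate periodic traffic (update checks, mail polling)
    will also trigger, so treat hits as leads, not verdicts.
    """
    series = defaultdict(list)
    for ts, host, dst in parse_log(text):
        series[(host, dst)].append(ts)

    hits = {}
    for key, stamps in series.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med <= 0:
            continue  # duplicate timestamps; nothing to measure
        if pstdev(gaps) / med <= max_jitter:
            hits[key] = med
    return hits


if __name__ == "__main__":
    for (host, dst), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{host} -> {dst}: beaconing every ~{gap:.0f}s")
```

In the constructed sample only ws-042 is flagged: its five geolocation requests are 59 to 61 seconds apart, while ws-017 hits the same endpoint irregularly and too few times. On real logs, pair the periodicity hit with the destination (a geolocation API is an unusual thing for a workstation to poll on a timer) before escalating.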

North Korea’s Lazarus APT Uses GUI Framework to Build Stealthy RAT

North Korea’s Lazarus Group, a notorious threat actor, has developed a new remote access Trojan (RAT) called QuiteRAT. QuiteRAT is an ultra-compact and highly evasive RAT that can steal information and run commands. What makes it unusual is that it is built on the Qt framework, a graphical user interface (GUI) framework rarely seen in malware; the added code complexity makes analysis harder and lowers the chance that heuristic detection flags it.

FBI Warns of Cryptocurrency Heists by North Korea’s Lazarus Group

The FBI is warning cryptocurrency companies about the Lazarus Group, a North Korea-linked threat actor that has stolen hundreds of millions of dollars in cryptocurrency. The group recently moved 1,580 bitcoins from multiple heists and is holding the funds in six bitcoin addresses. The FBI recommends that private sector entities review blockchain data associated with these addresses and guard against transactions with, or funds derived from, them.

FBI Warns of Ongoing Attacks Exploiting Barracuda Email Security Gateway Vulnerability

The FBI has issued a warning stating that the patches released for a recent vulnerability in Barracuda Email Security Gateway (ESG) were ineffective, and organizations are advised to remove all ESG appliances immediately. The vulnerability, tracked as CVE-2023-2868, has been exploited as a zero-day since October 2022 and continues to be targeted by a Chinese state-sponsored cyberespionage group. The FBI advises affected organizations to isolate and replace the appliances, scan networks for indicators of compromise, and monitor for abnormal activity.

Rockwell ThinManager Vulnerabilities Could Expose Industrial HMIs to Attacks

Researchers have discovered critical and high-severity vulnerabilities in Rockwell Automation’s ThinManager ThinServer product, which could be exploited to attack industrial control systems (ICS). The flaws allow remote attackers to take control of ThinServer hosts and compromise the human-machine interfaces (HMIs) they manage, with impacts including a denial-of-service condition, deletion of arbitrary files, and upload of arbitrary files to the server. The US Cybersecurity and Infrastructure Security Agency (CISA) has also published an advisory on these vulnerabilities, noting that threat actors have targeted Rockwell Automation products in past operations.

Financially Motivated Cybercrime Group Exploits WinRAR Zero-Day Vulnerability to Steal Money from Traders

A financially motivated cybercrime group has been exploiting a zero-day vulnerability in WinRAR to deliver malware to traders and steal their money. The vulnerability, tracked as CVE-2023-38831, has been exploited since at least April 2023 and was patched by WinRAR developers in August. The attackers posted malicious archives on popular trading forums, disguising them as harmless files, and gained access to victims’ broker accounts to conduct unauthorized transactions and withdraw funds.
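Both WinRAR items above describe archives that look harmless but carry code. Public analyses of CVE-2023-38831 describe the archive layout: a decoy file (say "Invoice.pdf " with a trailing space) sits beside a folder of the same name that holds a script such as "Invoice.pdf .cmd", and opening the decoy from a vulnerable WinRAR runs the script. The scanner below is an added example, not Group-IB's or RARLAB's code, that flags that name collision in a ZIP; the archive contents and file names are constructed, and the extension list is an assumption.

```python
"""Flag the CVE-2023-38831 decoy/folder name collision in ZIP archives.

An archive is suspicious when a top-level file name, ignoring trailing
spaces, also appears as a folder name, and that folder contains an
executable-looking entry. Everything below runs in memory on a
constructed sample; this is a triage check, not a verdict, and the
fix for end users is simply updating WinRAR.
"""
import io
import os
import zipfile

# Extensions Windows will execute via the shell; an assumption for the example.
EXEC_EXTS = {".cmd", ".bat", ".exe", ".com", ".vbs", ".js", ".wsf",
             ".hta", ".ps1", ".scr", ".lnk"}


def _norm(name):
    """Trailing spaces are what make the decoy and the folder collide once
    the shell normalises the path, so compare with them stripped."""
    return name.rstrip(" ").lower()


def find_decoy_collisions(zip_bytes):
    """Return [(decoy_file, payload_entry), ...] found in the archive bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
        # Candidate decoys: top-level files the victim would double-click.
        decoys = {_norm(n): n for n in names if "/" not in n}
        for n in names:
            parts = n.split("/")
            if len(parts) < 2:
                continue
            top = _norm(parts[0])
            ext = os.path.splitext(parts[-1].rstrip(" "))[1].lower()
            if top in decoys and ext in EXEC_EXTS:
                findings.append((decoys[top], n))
    return findings


def build_sample(malicious=True):
    """Constructed archive for the example; no real payload, no real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Trading_strategy.pdf ", b"%PDF-1.4 decoy")
        if malicious:
            zf.writestr("Trading_strategy.pdf /Trading_strategy.pdf .cmd",
                        b"@echo off\r\nrem placeholder, not a payload\r\n")
        zf.writestr("notes.txt", b"unrelated file")
    return buf.getvalue()


if __name__ == "__main__":
    for decoy, payload in find_decoy_collisions(build_sample()):
        print(f"suspicious: decoy {decoy!r} shadows {payload!r}")
```

The check deliberately ignores the file contents: the bug is in how WinRAR resolves the colliding names, so the layout alone is the indicator. A mail or web gateway can apply the same test to attachments and downloads before a user ever opens them.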

CloudNordic Loses All Customer Data in Ransomware Attack

Danish cloud hosting provider CloudNordic suffered a ransomware attack that resulted in the loss of all customer data. The attack occurred during a migration to a new data center, and the attackers were able to encrypt every system, including the backup systems. CloudNordic has no plans to pay the ransom and is rebuilding its infrastructure from scratch to help customers restore their services.

Tornado Cash Founders Charged in Billion-Dollar Crypto Laundering Scandal

The founders of Tornado Cash, a cryptocurrency mixer service, have been charged by the U.S. Justice Department with laundering over $1 billion in criminal proceeds. The individuals, Roman Storm and Roman Semenov, are accused of operating Tornado Cash and knowingly facilitating money laundering. The service, which processed over $7 billion worth of crypto assets, was used to obfuscate the origins and owners of funds, making it attractive to criminal actors.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.