26-Feb-24: In Security News Today

LockBit Ransomware Group Resurfaces After Law Enforcement Takedown

The LockBit ransomware group has resurfaced on the dark web with new infrastructure after an international law enforcement operation seized its servers. The group has moved its data leak portal to a new .onion address and attributed the seizure to possible exploitation of a PHP vulnerability on its servers. Meanwhile, Russian authorities have arrested three individuals linked to the SugarLocker ransomware group, accused of developing custom malware and engaging in fraudulent schemes.

North Korean State-Sponsored Actors Targeting Developers with Malicious npm Packages

A set of fake npm packages discovered on the Node.js repository have been linked to North Korean state-sponsored actors, containing malicious scripts including a cryptocurrency and credential stealer. The threat actors concealed obfuscated malicious code in a test file to steal credentials from web browsers and install additional scripts. Connections to North Korean actors were identified through the overlap of JavaScript malware in the npm package with a known campaign named Contagious Interview, which targets developers through fake identities in freelance job portals.

Massive Spam Operation Utilizing Hijacked Trusted Brand Domains

Over 8,000 domains and 13,000 subdomains of legitimate brands have been hijacked by a threat actor named ResurrecAds for a spam operation called SubdoMailing. The campaign bypasses security measures by using images in emails, tailoring content based on device type and location, and circumventing email authentication methods like SPF, DKIM, and DMARC. Guardio Labs has created a tool to help domain administrators check for signs of compromise and dismantle the infrastructure.

Data Breach at loanDepot Exposes Personal Information of 17 Million Customers

loanDepot, a mortgage company, experienced a ransomware attack in January resulting in the theft of personal data of nearly 17 million customers by the ALPHV/Blackcat ransomware gang. The compromised information includes social security numbers, names, dates of birth, email and postal addresses, financial account numbers, and phone numbers. This incident highlights the increasing threat of ransomware attacks targeting financial institutions and the importance of robust cybersecurity measures to protect customer data.

New IDAT Loader Attacks Using Steganography to Deploy Remcos RAT

Ukrainian entities in Finland have been targeted in a malicious campaign distributing Remcos RAT via IDAT Loader, which uses steganography to hide its payload. The attack has been linked to a threat actor tracked by CERT-UA as UAC-0184. IDAT Loader has also been used to distribute DanaBot, SystemBC, and RedLine Stealer, while a separate campaign targeted defense forces with a booby-trapped Excel document that executes COOKBOX malware.

Ultimate Member WordPress Plugin Vulnerability

A vulnerability in the Ultimate Member WordPress plugin with over 200,000 active installations allows attackers to exploit unpatched WordPress sites, granting them administrator-level privileges with minimal effort. Despite attempts to fix the flaw in version 2.6.5, the patch was ineffective, leading to continued exploitation. Users are strongly advised to update to version 2.6.7 immediately to address this critical security issue, rated 9.8 out of 10 in severity.

Importance of Memory-Safe Programming Languages in Cybersecurity

The White House is urging the tech industry to adopt memory-safe programming languages to eliminate memory safety vulnerabilities, which are a prevalent issue in software and hardware. These vulnerabilities can lead to security breaches and cyberattacks. The Office of the National Cyber Director emphasizes the need for software and hardware developers to implement memory-safe languages to enhance cybersecurity and protect critical systems.

Russian Cyberspies Exploit Dormant Cloud Accounts for Espionage

Russian cyber espionage groups, notably APT29/Cozy Bear, have shifted tactics to target cloud services through dormant accounts and bypass multi-factor authentication, leveraging brute-force attacks and ‘MFA fatigue’ techniques. Agencies from the Five Eyes alliance have issued warnings and recommend robust defense strategies including the implementation of multi-factor authentication, strong password policies, and vigilant monitoring of service accounts to mitigate risks. These measures are essential for organizations transitioning to cloud infrastructure to protect against such sophisticated threats.
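The two tactics named above, dormant accounts coming back to life and MFA push-bombing, both leave a signature in sign-in logs. The following added example (not from the advisory or any vendor) runs two simple detections over constructed sample events; the account names, timestamps and thresholds are assumptions for illustration.

```python
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample sign-in events: (timestamp, account, result).
# "mfa_denied" models a rejected push prompt.
SAMPLE_EVENTS = [
    ("2024-02-20T09:00:00", "svc-backup", "success"),
    ("2024-02-25T02:13:00", "svc-legacy-sync", "success"),  # silent for months
    ("2024-02-25T02:14:00", "jdoe", "mfa_denied"),
    ("2024-02-25T02:14:20", "jdoe", "mfa_denied"),
    ("2024-02-25T02:14:45", "jdoe", "mfa_denied"),
    ("2024-02-25T02:15:10", "jdoe", "mfa_denied"),
    ("2024-02-25T02:15:30", "jdoe", "mfa_denied"),
    ("2024-02-25T02:16:00", "jdoe", "success"),             # user finally taps "approve"
]

# Constructed baseline: last known activity per account before the review window.
LAST_SEEN = {
    "svc-backup": "2024-02-19T09:00:00",
    "svc-legacy-sync": "2023-10-28T01:00:00",
    "jdoe": "2024-02-24T17:30:00",
}

def _ts(s):
    return datetime.fromisoformat(s)

def dormant_account_logins(events, last_seen, dormant_days=90):
    """Accounts that authenticate successfully after a long silent period."""
    hits = []
    for ts, account, result in events:
        if result != "success" or account not in last_seen:
            continue
        gap = _ts(ts) - _ts(last_seen[account])
        if gap >= timedelta(days=dormant_days):
            hits.append((account, gap.days))
    return hits

def mfa_fatigue_candidates(events, threshold=4, window_minutes=5):
    """Accounts where a success follows >= threshold denied MFA prompts
    within the preceding window (push-bombing pattern)."""
    by_account = defaultdict(list)
    for ts, account, result in events:
        by_account[account].append((_ts(ts), result))
    flagged, window = [], timedelta(minutes=window_minutes)
    for account, seq in by_account.items():
        seq.sort()
        for i, (t, r) in enumerate(seq):
            if r != "success":
                continue
            denied = sum(1 for t2, r2 in seq[:i]
                         if r2 == "mfa_denied" and t - t2 <= window)
            if denied >= threshold:
                flagged.append((account, denied))
                break
    return flagged
```

Both detections are deliberately simple; in production the baseline would come from the identity provider's sign-in history and the thresholds tuned per tenant.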

NIST Releases Cybersecurity Framework 2.0

The National Institute of Standards and Technology (NIST) has released Cybersecurity Framework 2.0, expanding its guidance to organizations beyond critical infrastructure and addressing governance and supply chain cybersecurity. The framework builds on existing recommendations and adds a new function, ‘Govern’, alongside the five existing functions. NIST’s update aims to make the framework more relevant to a wider range of users by reflecting recent cybersecurity challenges and management practices.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.