26-Sep-23: In Security News Today

MOVEit Flaw Leads to 900 University Data Breaches

National Student Clearinghouse, a nonprofit serving thousands of universities, has suffered a data breach due to a flaw in its MOVEit environment. The breach impacted nearly 900 schools, potentially exposing student record information. The organization has rebuilt its MOVEit environment to prevent future cyberattacks, but cybersecurity professionals are criticizing organizations that have not addressed the vulnerability, calling it a case of malpractice.

Xenomorph Android Malware Targets Customers of 30 US Banks

The Xenomorph Android banking Trojan, which has been targeting customers of European banks for over a year, has now set its sights on customers of more than two dozen US banks. The malware, analyzed by researchers at ThreatFabric, also contains features targeting multiple crypto wallets. Thousands of Android users in the US and Spain have downloaded the malware since August, with Samsung and Xiaomi users being targeted specifically. The malware is sophisticated and includes an Automatic Transfer System (ATS) framework for transferring funds from compromised devices to attacker-controlled accounts.

UAE-Linked ‘Stealth Falcon’ APT Mimics Microsoft in Homoglyph Attack

Researchers have discovered a sophisticated backdoor called ‘Deadglyph’ used in a cyber-espionage attack in the Middle East. The malware is attributed to the Stealth Falcon advanced persistent threat (APT), a UAE state-sponsored group. The backdoor uses homoglyphs to mimic the name of Microsoft, and its full capabilities are still unknown.

ShadowSyndicate: A New Cybercrime Group Linked to 7 Ransomware Families

Cybersecurity experts have identified a new cybercrime group called ShadowSyndicate that has used seven different ransomware families in the past year. The group has been active since July 2022 and has been linked to ransomware strains such as Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play. They have also used post-exploitation tools like Cobalt Strike and Sliver, as well as loaders such as IcedID and Matanbuchus. The group has been found to have infrastructure overlaps with other malware operations, including TrickBot, Ryuk/Conti, FIN7, and TrueBot.

Huobi Global’s HTX Crypto Exchange Hacked for $7.9 Million

Huobi Global’s HTX crypto exchange was hacked on September 24, resulting in the theft of $7.9 million in cryptocurrency. The hack involved the transfer of 4,999 Ether to an address with no prior transaction history. Huobi Global offered a ‘white-hat bonus’ of 5% of the stolen funds to the attacker if they returned the remaining 95%, and threatened legal action if the funds were not returned by October 2.

Mixin Network Loses $200m in Cryptocurrency in Major Hack

Hong Kong-based decentralized finance (DeFi) project Mixin Network has suffered a major hack, resulting in the loss of around $200m in cryptocurrency. The attack occurred on September 23 when hackers compromised Mixin’s cloud service provider database. Mixin has temporarily suspended deposit and withdrawal services while they investigate the vulnerabilities and work on fixing them.

New Android Banking Trojan Expands on ERMAC’s Legacy

A new analysis reveals that the Android banking trojan known as Hook is based on its predecessor, ERMAC. Hook expands on ERMAC’s functionalities by supporting more commands and gaining complete control over infected devices. Both Hook and ERMAC can log keystrokes, conduct overlay attacks, and steal credentials from over 700 apps.

Sony Investigating After Hackers Offer to Sell Stolen Data

Sony is investigating a ransomware group’s claim that they have compromised the company’s systems and are offering to sell stolen data. The group, named RansomedVC, listed Sony on its Tor-based website and provided files as evidence of their claims. Cybersecurity firm Flashpoint has previously described RansomedVC’s novel approach to extortion, using data protection laws to pressure victims to pay.

Retool Falls Victim to SMS-Based Phishing Attack Affecting 27 Cloud Clients

Software development company Retool experienced a targeted SMS-based social engineering attack, resulting in the compromise of 27 of its cloud customers’ accounts. The attack exploited a Google Account cloud synchronization feature, allowing the threat actors to gain elevated access to internal admin systems and take over customer accounts. The incident highlights the need for users to rely on FIDO2-compliant hardware security keys or passkeys to mitigate the risk of phishing attacks.

Chinese Hackers TAG-74 Target South Korean Organizations in a Multi-Year Campaign

Chinese state-sponsored cyber espionage group TAG-74 has been conducting a multi-year campaign targeting South Korean academic, political, and government organizations. The group, linked to Chinese military intelligence, poses a significant threat to various entities in South Korea, Japan, and Russia. The attackers use social engineering techniques and deploy a custom variant of the ReVBShell backdoor to drop the Bisonal remote access trojan, which allows them to harvest information, execute commands, and download/upload files.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.