MUST READ

Atlassian addressed four new RCE flaws in its products

 | 

CISA adds Qualcomm flaws to its Known Exploited Vulnerabilities catalog

 | 

Experts demonstrate a post-exploitation tampering technique to display Fake Lockdown mode

 | 

GST Invoice Billing Inventory exposes sensitive data to threat actors

 | 

Threat actors breached US govt systems by exploiting Adobe ColdFusion flaw

 | 

ENISA published the ENISA Threat Landscape for DoS Attacks Report

 | 

Russia-linked APT28 group spotted exploiting Outlook flaw to hijack MS Exchange accounts

 | 

Google fixed critical zero-click RCE in Android

 | 

New P2PInfect bot targets routers and IoT devices

 | 

Malvertising attacks rely on DanaBot Trojan to spread CACTUS Ransomware

 | 

LockBit on a Roll - ICBC Ransomware Attack Strikes at the Heart of the Global Financial Order

 | 

Zyxel fixed tens of flaws in Firewalls, Access Points, and NAS devices

 | 

New Agent Raccoon malware targets the Middle East, Africa and the US

 | 

Security Affairs newsletter Round 448 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Researchers devised an attack technique to extract ChatGPT training data

 | 

Fortune-telling website WeMystic exposes 13M+ user records

 | 

Expert warns of Turtle macOS ransomware

 | 

Black Basta Ransomware gang accumulated at least $107 million in Bitcoin ransom payments since early 2022

 | 

CISA adds ownCloud and Google Chrome bugs to its Known Exploited Vulnerabilities catalog

 | 

Apple addressed 2 new iOS zero-day vulnerabilities

 | 

Critical Zoom Room bug allowed to gain access to Zoom Tenants

 | 

Rhysida ransomware group hacked King Edward VII’s Hospital in London

 | 

Google addressed the sixth Chrome Zero-Day vulnerability in 2023

 | 

Okta reveals additional attackers' activities in October 2023 Breach

 | 

Thousands of secrets lurk in app images on Docker Hub

 | 

Threat actors started exploiting critical ownCloud flaw CVE-2023-49103

 | 

International police operation dismantled a prominent Ukraine-based Ransomware group

 | 

Daixin Team group claimed the hack of North Texas Municipal Water District

 | 

Healthcare provider Ardent Health Services disclosed a ransomware attack

 | 

Ukraine's intelligence service hacked Russia's Federal Air Transport Agency, Rosaviatsia

 | 

Iranian hacker group Cyber Av3ngers hacked the Municipal Water Authority of Aliquippa in Pennsylvania

 | 

The hack of MSP provider CTS potentially impacted hundreds of UK law firms

 | 

Security Affairs newsletter Round 447 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Rhysida ransomware gang claimed China Energy hack

 | 

North Korea-linked APT Lazarus is using a MagicLine4NX zero-day flaw in supply chain attack

 | 

Hamas-linked APT uses Rust-based SysJoker backdoor against Israel

 | 

App used by hundreds of schools leaking children's data

 | 

Microsoft launched its new Microsoft Defender Bounty Program

 | 

Exposed Kubernetes configuration secrets can fuel supply chain attacks

 | 

North Korea-linked Konni APT uses Russian-language weaponized documents

 | 

ClearFake campaign spreads macOS AMOS information stealer

 | 

Welltok data breach impacted 8.5 million patients in the U.S.

 | 

North Korea-linked APT Diamond Sleet supply chain attack relies on CyberLink software

 | 

Automotive parts giant AutoZone disclosed data breach after MOVEit hack

 | 

New InfectedSlurs Mirai-based botnet exploits two zero-days

 | 

SiegedSec hacktivist group hacked Idaho National Laboratory (INL)

 | 

CISA adds Looney Tunables Linux bug to its Known Exploited Vulnerabilities catalog

 | 

Citrix provides additional measures to address Citrix Bleed

 | 

Tor Project removed several relays associated with a suspicious cryptocurrency scheme

 | 

Experts warn of a surge in NetSupport RAT attacks against education and government sectors

 | 

The Top 5 Reasons to Use an API Management Platform

 | 

Canadian government impacted by data breaches of two of its contractors

 | 

Rhysida ransomware gang is auctioning data stolen from the British Library

 | 

Russia-linked APT29 group exploited WinRAR 0day in attacks against embassies

 | 

DarkCasino joins the list of APT groups exploiting WinRAR zero-day

 | 

US teenager pleads guilty to his role in credential stuffing attack on a betting site

 | 

Security Affairs newsletter Round 446 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

8Base ransomware operators use a new variant of the Phobos ransomware

 | 

Russian APT Gamaredon uses USB worm LitterDrifter against Ukraine

 | 

The board of directors of OpenAI fired Sam Altman

 | 

Medusa ransomware gang claims the hack of Toyota Financial Services

 | 

CISA adds Sophos Web Appliance bug to its Known Exploited Vulnerabilities catalog

 | 

Zimbra zero-day exploited to steal government emails by four groups

 | 

Vietnam Post exposes 1.2TB of data, including email addresses

 | 

Samsung suffered a new data breach

 | 

FBI and CISA warn of attacks by Rhysida ransomware gang

 | 

Critical flaw fixed in SAP Business One product

 | 

Law enforcement agencies dismantled the illegal botnet proxy service IPStorm

 | 

Gamblers’ data compromised after casino giant Strendus fails to set password

 | 

VMware disclosed a critical and unpatched authentication bypass flaw in VMware Cloud Director Appliance

 | 

Danish critical infrastructure hit by the largest cyber attack in Denmark's history

 | 

Major Australian ports blocked after a cyber attack on DP World

 | 

Nuclear and Oil & Gas are Major Targets of Ransomware Groups in 2024

 | 

CISA adds five vulnerabilities in Juniper devices to its Known Exploited Vulnerabilities catalog

 | 

LockBit ransomware gang leaked data stolen from Boeing

 | 

North Korea-linked APT Sapphire Sleet targets IT job seekers with bogus skills assessment portals

 | 

The Lorenz ransomware group hit Texas-based Cogdell Memorial Hospital

 | 

The State of Maine disclosed a data breach that impacted 1.3M people

 | 

Security Affairs newsletter Round 445 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Police seized BulletProftLink phishing-as-a-service (PhaaS) platform

 | 

Serbian pleads guilty to running ‘Monopoly’ dark web drug market

 | 

McLaren Health Care revealed that a data breach impacted 2.2 million people

 | 

After ChatGPT, Anonymous Sudan took down the Cloudflare website

 | 

Industrial and Commercial Bank of China (ICBC) suffered a ransomware attack

 | 

SysAid zero-day exploited by Clop ransomware group

 | 

Dolly.com pays ransom, attackers release data anyway

 | 

DDoS attack leads to significant disruption in ChatGPT services

 | 

Russian Sandworm disrupts power in Ukraine with a new OT attack

 | 

Veeam fixed multiple flaws in Veeam ONE, including critical issues

 | 

Pro-Palestinian hackers group 'Soldiers of Solomon' disrupted the production cycle of the biggest flour production plant in Israel

 | 

Iranian Agonizing Serpens APT is targeting Israeli entities with destructive cyber attacks

 | 

Critical Confluence flaw exploited in ransomware attacks

 | 

QNAP fixed two critical vulnerabilities in QTS OS and apps

 | 

Attackers use Google Calendar RAT to abuse Calendar service as C2 infrastructure

 | 

Socks5Systemz proxy service delivered via PrivateLoader and Amadey

 | 

US govt sanctioned a Russian woman for laundering virtual currency on behalf of threat actors

 | 

Security Affairs newsletter Round 444 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Lazarus targets blockchain engineers with new KandyKorn macOS Malware

 | 

Kinsing threat actors probed the Looney Tunables flaws in recent attacks

 | 

ZDI discloses four zero-day flaws in Microsoft Exchange

 | 

Okta customer support system breach impacted 134 customers

 | 

Multiple WhatsApp mods spotted containing the CanesSpy Spyware

 | 

Russian FSB arrested Russian hackers who supported Ukrainian cyber operations

 | 

MuddyWater has been spotted targeting two Israeli entities

 | 

Clop group obtained access to the email addresses of about 632,000 US federal employees

 | 

Okta discloses a new data breach after a third-party vendor was hacked

 | 

Suspected exploitation of Apache ActiveMQ flaw CVE-2023-46604 to install HelloKitty ransomware

 | 

Boeing confirmed its services division suffered a cyberattack

 | 

Resecurity: Insecurity of 3rd-parties leads to Aadhaar data leaks in India

 | 

Who is behind the Mozi Botnet kill switch?

 | 

CISA adds two F5 BIG-IP flaws to its Known Exploited Vulnerabilities catalog

 | 

Threat actors actively exploit F5 BIG-IP flaws CVE-2023-46747 and CVE-2023-46748

 | 

Pro-Hamas hacktivist group targets Israel with BiBi-Linux wiper

 | 

British Library suffers major outage due to cyberattack

 | 

Critical Atlassian Confluence flaw can lead to significant data loss

 | 

WiHD leak exposes details of all torrent users

 | 

Experts released PoC exploit code for Cisco IOS XE flaw CVE-2023-20198

 | 

Canada bans WeChat and Kaspersky apps on government-issued mobile devices

 | 

Florida man sentenced to prison for SIM Swapping conspiracy that led to theft of $1M in cryptocurrency

 | 

Wiki-Slack attack allows redirecting business professionals to malicious websites

 | 

HackerOne awarded over $300 million bug hunters

 | 

StripedFly, a complex malware that infected one million devices without being noticed

 | 

IT Army of Ukraine disrupted internet providers in territories occupied by Russia

 | 

Security Affairs newsletter Round 443 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Bug hunters earned $1,038,250 for 58 unique 0-days at Pwn2Own Toronto 2023

 | 

Lockbit ransomware gang claims to have stolen data from Boeing

 | 

How to Collect Market Intelligence with Residential Proxies?

 | 

F5 urges to address a critical flaw in BIG-IP

 | 

Hello Alfred app exposes user data

 | 

iLeakage attack exploits Safari to steal data from Apple devices

 | 

Cloudflare mitigated 89 hyper-volumetric HTTP distributed DDoS attacks exceeding 100 million rps

 | 

Seiko confirmed a data breach after BlackCat attack

 | 

Winter Vivern APT exploited zero-day in Roundcube webmail software in recent attacks

 | 

Pwn2Own Toronto 2023 Day 1 - organizers awarded $438,750 in prizes

 | 

VMware addressed critical vCenter flaw also for End-of-Life products

 | 

Citrix warns admins to patch NetScaler CVE-2023-4966 bug immediately

 | 

New England Biolabs leak sensitive data

 | 

Former NSA employee pleads guilty to attempted selling classified documents to Russia

 | 

Experts released PoC exploit code for VMware Aria Operations for Logs flaw. Patch it now!

 | 

How did the Okta Support breach impact 1Password?

 | 

PII Belonging to Indian Citizens, Including their Aadhaar IDs, Offered for Sale on the Dark Web

 | 

Spain police dismantled a cybercriminal group who stole the data of 4 million individuals

 | 

CISA adds second Cisco IOS XE flaw to its Known Exploited Vulnerabilities catalog

 | 

Cisco warns of a second IOS XE zero-day used to infect devices worldwide

 | 

City of Philadelphia suffers a data breach

 | 

SolarWinds fixed three critical RCE flaws in its Access Rights Manager product

 | 

Don't use AI-based apps, Philippine defense ordered its personnel

 | 

Vietnamese threat actors linked to DarkGate malware campaign

 | 

MI5 chief warns of Chinese cyber espionage reached an unprecedented scale

 | 

The attack on the International Criminal Court was targeted and sophisticated

 | 

Security Affairs newsletter Round 442 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

A threat actor is selling access to Facebook and Instagram's Police Portal

 | 

Threat actors breached Okta support system and stole customers' data

 | 

US DoJ seized domains used by North Korean IT workers to defraud businesses worldwide

 | 

Alleged developer of the Ragnar Locker ransomware was arrested

 | 

CISA adds Cisco IOS XE flaw to its Known Exploited Vulnerabilities catalog

 | 

Tens of thousands Cisco IOS XE devices were hacked by exploiting CVE-2023-20198

 | 

Law enforcement operation seized Ragnar Locker group's infrastructure

 | 

THE 11TH EDITION OF THE ENISA THREAT LANDSCAPE REPORT IS OUT!

 | 

North Korea-linked APT groups actively exploit JetBrains TeamCity flaw

 | 

Multiple APT groups exploited WinRAR flaw CVE-2023-38831

 | 

Californian IT company DNA Micro leaks private mobile phone data

 | 

Threat actors have been exploiting CVE-2023-4966 in Citrix NetScaler ADC/Gateway devices since August

 | 

A flaw in Synology DiskStation Manager allows admin account takeover

 | 

D-Link confirms data breach, but downplayed the impact

 | 

CVE-2023-20198 zero-day widely exploited to install implants on Cisco IOS XE systems

 | 

Russia-linked Sandworm APT compromised 11 Ukrainian telecommunications providers

 | 

Ransomware realities in 2023: one employee mistake can cost a company millions

 | 

Malware-laced 'RedAlert - Rocket Alerts' app targets Israeli users 

 | 

Cisco warns of active exploitation of IOS XE zero-day

 | 

Signal denies claims of an alleged zero-day flaw in its platform

 | 

Microsoft Defender thwarted Akira ransomware attack on an industrial engineering firm

 | 

DarkGate malware campaign abuses Skype and Teams

 | 

The Alphv ransomware gang stole 5TB of data from the Morrison Community Hospital

 | 

Security Affairs newsletter Round 441 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

Lockbit ransomware gang demanded an 80 million ransom to CDW

 | 

CISA warns of vulnerabilities and misconfigurations exploited in ransomware attacks

 | 

Stayin' Alive campaign targets high-profile Asian government and telecom entities. Is it linked to ToddyCat APT?

 | 

FBI and CISA published a new advisory on AvosLocker ransomware

 | 

More than 17,000 WordPress websites infected with the Balada Injector in September

 | 

Ransomlooker, a new tool to track and analyze ransomware groups' activities

 | 

Phishing, the campaigns that are targeting Italy

 | 

A new Magecart campaign hides the malicious code in 404 error page

 | 

CISA adds Adobe Acrobat Reader flaw to its Known Exploited Vulnerabilities catalog

 | 

Mirai-based DDoS botnet IZ1H9 added 13 payloads to target routers

 | 

Air Europa data breach exposed customers' credit cards

 | 

#OpIsrael, #FreePalestine & #OpSaudiArabia - How Cyber Actors Capitalize On War Actions Via Psy-Ops

 | 

Microsoft Patch Tuesday updates for October 2023 fixed three actively exploited zero-day flaws

 | 

New 'HTTP/2 Rapid Reset' technique behind record-breaking DDoS attacks

 | 

Exposed security cameras in Israel and Palestine pose significant risks

 | 

A flaw in libcue library impacts GNOME Linux systems

 | 

Hacktivists in Palestine and Israel after SCADA and other industrial control systems

 | 

Large-scale Citrix NetScaler Gateway credential harvesting campaign exploits CVE-2023-3519

 | 

The source code of the 2020 variant of HelloKitty ransomware was leaked on a cybercrime forum

 | 

Gaza-linked hackers and Pro-Russia groups are targeting Israel

 | 

Flagstar Bank suffered a data breach once again

 | 

Android devices shipped with backdoored firmware as part of the BADBOX network

 | 

Security Affairs newsletter Round 440 by Pierluigi Paganini – International edition

 | 

North Korea-linked Lazarus APT laundered over $900 million through cross-chain crime

 | 

QakBot threat actors are still operational after the August takedown

 | 

Ransomware attack on MGM Resorts costs $110 Million

 | 

Cybersecurity, why a hotline number could be important?

 | 

Multiple experts released exploits for Linux local privilege escalation flaw Looney Tunables

 | 

Cisco Emergency Responder is affected by a critical Static Credentials bug. Fix it immediately!

 | 

Belgian intelligence service VSSE accused Alibaba of ‘possible espionage’ at European hub in Liege

 | 

CISA adds JetBrains TeamCity and Windows flaws to its Known Exploited Vulnerabilities catalog

 | 

NATO is investigating a new cyber attack claimed by the SiegedSec group

 | 

Global CRM Provider Exposed Millions of Clients’ Files Online

 | 

Sony sent data breach notifications to about 6,800 individuals

 | 

Apple fixed the 17th zero-day flaw exploited in attacks

 | 

Atlassian Confluence zero-day CVE-2023-22515 actively exploited in attacks

 | 

A cyberattack disrupted Lyca Mobile services

 | 

Chipmaker Qualcomm warns of three actively exploited zero-days

 | 

DRM Report Q2 2023 - Ransomware threat landscape

 | 

Phishing campaign targeted US executives exploiting a flaw in Indeed job search platform

 | 

San Francisco’s transport agency exposes drivers’ parking permits and addresses

 | 

BunnyLoader, a new Malware-as-a-Service advertised in cybercrime forums

 | 

Exclusive: Lighting the Exfiltration Infrastructure of a LockBit Affiliate (and more)

 | 

Two hacker groups are back in the news, LockBit 3.0 Black and BlackCat/AlphV

 | 

European Telecommunications Standards Institute (ETSI) suffered a data breach

 | 

WS_FTP flaw CVE-2023-40044 actively exploited in the wild

 | 

National Logistics Portal (NLP) data leak: seaports in India were left vulnerable to takeover by hackers

 | 

North Korea-linked Lazarus targeted a Spanish aerospace company

 | 

Ransomware attack on Johnson Controls may have exposed sensitive DHS data

 | 

BlackCat gang claims they stole data of 2.5 million patients of McLaren Health Care

 | 

Security Affairs newsletter Round 439 by Pierluigi Paganini – International edition

 | 

ALPHV/BlackCat ransomware gang hacked the hotel chain Motel One

 | 

FBI warns of dual ransomware attacks

 | 

Progress Software fixed two critical severity flaws in WS_FTP Server

 | 

Child abuse site taken down, organized child exploitation crime suspected – exclusive

 | 

A still unpatched zero-day RCE impacts more than 3.5M Exim servers

 | 

Chinese threat actors stole around 60,000 emails from US State Department in Microsoft breach

 | 

Misconfigured WBSC server leaks thousands of passports

 | 

CISA adds JBoss RichFaces Framework flaw to its Known Exploited Vulnerabilities catalog

 | 

Cisco urges to patch actively exploited IOS zero-day CVE-2023-20109

 | 

Dark Angels Team ransomware group hit Johnson Controls

 | 

GOOGLE FIXED THE FIFTH CHROME ZERO-DAY OF 2023

 | 

Russian zero-day broker is willing to pay $20M for zero-day exploits for iPhones and Android devices

 | 

China-linked APT BlackTech was spotted hiding in Cisco router firmware

 | 

Watch out! CVE-2023-5129 in libwebp library affects millions applications

 | 

DarkBeam leaks billions of email and password combinations

 | 

'Ransomed.vc' in the Spotlight - What is Known About the Ransomware Group Targeting Sony and NTT Docomo

 | 

Top 5 Problems Solved by Data Lineage

 | 

Threat actors claim the hack of Sony, and the company investigates

 | 

Canadian Flair Airlines left user data leaking for months

 | 

The Rhysida ransomware group hit the Kuwait Ministry of Finance

 | 

BORN Ontario data breach impacted 3.4 million newborns and pregnancy care patients

 | 

Xenomorph malware is back after months of hiatus and expands the list of targets

 | 

Smishing Triad Stretches Its Tentacles into the United Arab Emirates

 | 

Crooks stole $200 million worth of assets from Mixin Network

 | 

A phishing campaign targets Ukrainian military entities with drone manual lures

 | 

Alert! Patch your TeamCity instance to avoid server hack

 | 

Is Gelsemium APT behind a targeted attack in Southeast Asian Government?

 | 

Nigerian National pleads guilty to participating in a millionaire BEC scheme

 | 

New variant of BBTok Trojan targets users of +40 banks in LATAM

 | 

Deadglyph, a very sophisticated and unknown backdoor targets the Middle East

 | 

Alphv group claims the hack of Clarion, a global manufacturer of audio and video equipment for cars

 | 

Security Affairs newsletter Round 438 by Pierluigi Paganini – International edition

 | 

National Student Clearinghouse data breach impacted approximately 900 US schools

 | 

Government of Bermuda blames Russian threat actors for the cyber attack

 | 

Recently patched Apple and Chrome zero-days exploited to infect devices in Egypt with Predator spyware

 | 

CISA adds Trend Micro Apex One and Worry-Free Business Security flaw to its Known Exploited Vulnerabilities catalog

 | 

Information of Air Canada employees exposed in recent cyberattack

 | 

Sandman APT targets telcos with LuaDream backdoor

 | 

Apple rolled out emergency updates to address 3 new actively exploited zero-day flaws

 | 

Ukrainian hackers are behind the Free Download Manager supply chain attack

 | 

Space and defense tech maker Exail Technologies exposes database access

 | 

Pro-Russia hacker group NoName launched a DDoS attack on Canadian airports causing severe disruptions

 | 

Experts found critical flaws in Nagios XI network monitoring software

 | 

The dark web drug marketplace PIILOPUOTI was dismantled by Finnish Customs

 | 

International Criminal Court hit with a cyber attack

 | 

GitLab addressed critical vulnerability CVE-2023-5009

 | 

Trend Micro addresses actively exploited zero-day in Apex One and other security Products

 | 

ShroudedSnooper threat actors target telecom companies in the Middle East

 | 

Recent cyber attack is causing Clorox products shortage

 | 

Earth Lusca expands its arsenal with SprySOCKS Linux malware

 | 

Microsoft AI research division accidentally exposed 38TB of sensitive data

 | 

German intelligence warns cyberattacks could target liquefied natural gas (LNG) terminals

 | 

Deepfake and smishing. How hackers compromised the accounts of 27 Retool customers in the crypto industry

 | 

FBI hacker USDoD leaks highly sensitive TransUnion data

 | 

North Korea's Lazarus APT stole almost $240 million in crypto assets since June

 | 

Clop gang stolen data from major North Carolina hospitals

 | 

CardX released a data leak notification impacting their customers in Thailand

 | 

Security Affairs newsletter Round 437 by Pierluigi Paganini – International edition

 | 

TikTok fined €345M by Irish DPC for violating children’s privacy

 | 

Dariy Pankov, the NLBrute malware author, pleads guilty

 | 

Dangerous permissions detected in top Android health apps

 | 

Caesars Entertainment paid a ransom to avoid stolen data leaks

 | 

Free Download Manager backdoored to serve Linux malware for more than 3 years

 | 

Lockbit ransomware gang hit the Carthage Area Hospital and the Clayton-Hepburn Medical Center in New York

 | 

The iPhone of a Russian journalist was infected with the Pegasus spyware

 | 

Kubernetes flaws could lead to remote code execution on Windows endpoints

 | 

Threat actor leaks sensitive data belonging to Airbus

 | 

A new ransomware family called 3AM appears in the threat landscape

 | 

Redfly group infiltrated an Asian national grid as long as six months

 | 

Mozilla fixed a critical zero-day in Firefox and Thunderbird

 | 

Microsoft September 2023 Patch Tuesday fixed 2 actively exploited zero-day flaws

 | 

Save the Children confirms it was hit by cyber attack

 | 

Adobe fixed actively exploited zero-day in Acrobat and Reader

 | 

A new Repojacking attack exposed over 4,000 GitHub repositories to hack

 | 

MGM Resorts hit by a cyber attack

 | 

Anonymous Sudan launched a DDoS attack against Telegram

 | 

Iranian Charming Kitten APT targets various entities in Brazil, Israel, and the U.A.E. using a new backdoor

 | 

GOOGLE FIXED THE FOURTH CHROME ZERO-DAY OF 2023

 | 

CISA adds recently discovered Apple zero-days to Known Exploited Vulnerabilities Catalog

 | 

UK and US sanctioned 11 members of the Russia-based TrickBot gang

 | 

New HijackLoader malware is rapidly growing in popularity in the cybercrime community

 | 

Some of TOP universities wouldn’t pass cybersecurity exam: left websites vulnerable

 | 

Evil Telegram campaign: Trojanized Telegram apps found on Google Play

 | 

Rhysida Ransomware gang claims to have hacked three more US hospitals

 | 

Akamai prevented the largest DDoS attack on a US financial company

 | 

Security Affairs newsletter Round 436 by Pierluigi Paganini – International edition

 | 

US CISA added critical Apache RocketMQ flaw to its Known Exploited Vulnerabilities catalog

 | 

Ragnar Locker gang leaks data stolen from the Israel's Mayanei Hayeshua hospital

 | 

North Korea-linked threat actors target cybersecurity experts with a zero-day

 | 

Zero-day in Cisco ASA and FTD is actively exploited in ransomware attacks

 | 

Zero-days fixed by Apple were used to deliver NSO Group’s Pegasus spyware

 | 

Apple discloses 2 new actively exploited zero-day flaws in iPhones, Macs

 | 

A malvertising campaign is delivering a new version of the macOS Atomic Stealer

 | 

Two flaws in Apache SuperSet allow to remotely hack servers

 | 

Chinese cyberspies obtained Microsoft signing key from Windows crash dump due to a mistake

 | 

Google addressed an actively exploited zero-day in Android

 | 

A zero-day in Atlas VPN Linux Client leaks users' IP address

 | 

MITRE and CISA release Caldera for OT attack emulation

 | 

ASUS routers are affected by three critical remote code execution flaws

 | 

Hackers stole $41M worth of crypto assets from crypto gambling firm Stake

 | 

Freecycle data breach impacted 7 Million users

 | 

Meta disrupted two influence campaigns from China and Russia

 | 

A massive DDoS attack took down the site of the German financial agency BaFin

 | 

"Smishing Triad" Targeted USPS and US Citizens for Data Theft

 | 

University of Sydney suffered a security breach caused by a third-party service provider

 | 

Cybercrime will cost Germany $224 billion in 2023

 | 

PoC exploit code released for CVE-2023-34039 bug in VMware Aria Operations for Networks

 | 

Security Affairs newsletter Round 435 by Pierluigi Paganini – International edition

 | 

LockBit ransomware gang hit the Commission des services electriques de Montréal (CSEM)

 | 

UNRAVELING EternalBlue: inside the WannaCry’s enabler

 | 

Researchers released a free decryptor for the Key Group ransomware

 | 

Fashion retailer Forever 21 data breach impacted +500,000 individuals

 | 

Russia-linked hackers target Ukrainian military with Infamous Chisel Android malware

 | 

Akira Ransomware gang targets Cisco ASA without Multi-Factor Authentication

 | 

Paramount Global disclosed a data breach

 | 

National Safety Council data leak: Credentials of NASA, Tesla, DoJ, Verizon, and 2K others leaked by workplace safety organization

 | 

Abusing Windows Container Isolation Framework to avoid detection by security products

 | 

Critical RCE flaw impacts VMware Aria Operations Networks

 | 

UNC4841 threat actors hacked US government email servers exploiting Barracuda ESG flaw

 | 

Hackers infiltrated Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) for months

 | 

FIN8-linked actor targets Citrix NetScaler systems

 | 

Japan's JPCERT warns of new 'MalDoc in PDF' attack technique

 | 

Attackers can discover IP address by sending a link over the Skype mobile app

 | 

Cisco fixes 3 high-severity DoS flaws in NX-OS and FXOS software

 | 

Cloud and hosting provider Leaseweb took down critical systems after a cyber attack

 | 

Crypto investor data exposed by a SIM swapping attack against a Kroll employee

 | 

China-linked Flax Typhoon APT targets Taiwan

 | 

Researchers released PoC exploit for Ivanti Sentry flaw CVE-2023-38035

 | 

Resecurity identified a zero-day vulnerability in Schneider Electric Accutech Manager

 | 

The malware factory

Pierluigi Paganini June 16, 2012

Article Published on The Hacker New Magazine – June Edition “Malware” With the term malware we refer a heterogeneous family of malicious software designed with the purpose to disrupt computer operation, gather sensitive information, or gain unauthorized access to victims systems. With the term we indicate in fact several types of malicious code such as computer viruses, worms, trojan, spyware, ramsonware, adware, rootkits, and other applications. In recent years we have witnessed an unprecedented growth in the development of malware linked to rapidly changing of the technological context supported by the increased use of internet and the explosion of mobile services. Internet has condensed billions of entities into a single virtual marketplace in which the spread of pathogens is to be considered natural as would happen in real life between individuals. To give an idea of what we have observed in the recent years consider that in the last couple of years the release rate of malicious code and other unwanted programs was greater of the one related to previous 20 years. To monitor the diffusion of the cyber threats major security firms have deployed specific  network all over the world capturing spam, phishing and malware data through a variety of sources, such as decoy accounts and network probes. Billions email messages and Web requests are processed daily processed in dedicated data centers, gathered information are put in relation with data acquired through an antifraud community of enterprises, law enforcement advisor and consumers feedback. Let’s see the case of Symantec that with a similar model of analysis provides periodically report and bulletins on the evolution of malware and more in general of any cyber threat. Giving look to the last issue “Internet Security Threat Report” we can have an idea on the trend related to malware evolution and the sector mainly impacted.

It has been reported an increase respect last year result of a surge in polymorphic malware attacks, particularly from those found in Web attack kits and socially engineered attacks using email-borne malware. Particularly dangerous are malware that exploit zero-day vulnerabilities, almost impossible to know when they attack a target, because they are developed to operate in stealth mode to evade detection systems. According the report it has been registered an increase of unique variants of malware 140% respect 2010, passing from 286 million of variants to 403 million. The trend is also confirmed looking data related to new zero-Dayvulnerabilities rate that is of 8 new vulnerabilities per day.

The principal channels for propagation of malware

The spread of malware in recent years has been made possible following various schemes for which we try to provide a quick overview below. One of the main channels exploited for Malware is internet and in particular the possibility to host the malicious agent on compromised web site. The categories of web sites mainly impacted by this type of attack are Blogs & Web communications, Hosting/Personal hosted sites, Business/Economy, Shopping and Education & Reference. The malware diffusion during last year is rapidly increased due to the growth of “Drive-by attacks” against internet users. The figures are amazing with hundreds of millions of system infected every year. The infection process is subtle but effective, it is sufficient that users visit a compromised website. The redirection of the user navigation on the site follows different schemas, for example it is necessary a click on a link contained in an email or on a link published on social network, in this way the victim is hijacked on infected websites. Very common are attack techniques such as ‘clickjacking’ or ‘likejacking’ that deceives the users attracting him to watch a video or simply expressing its pleasure regarding a specific topic using “I like” function. Another factor that has dramatically impacted on the malware diffusion is the availability in internet of exploit toolkits which allow creation new malware requesting few capabilities. This peculiarity it has facilitated the rapid adoption and diffusion of the attack kits in the criminal world that have intercepted the growing demand in a millionaire business, a phenomenon that continues in its inexorable rise. Let also consider how quickly these kit are updated with new exploits, in some cases new development are commitment to add new features to an existent malware, we are facing with the malware factory. If you are scared of the price of these toolkit, don’t worry, usually they are really cheap with prices ranging from a few dollars to a few thousand. Another preferred channel used to spread malware is of course the email. During the last year the number of malicious email is increased targeting mainly large company. Usually malicious emails contain infected file as attachment that exploit vulnerabilities in the target system, it’s clear that to circumvent the user the content of the mail appears legitimate and try to catch the attention of the victim. Similar attacks are used by cybercriminal but also by governments like happened in Syria where the regime to persecute opponents has used malicious email containing malware to trace them. This is not the only schema for malware diffusion, as we have already discussed malicious emails could also contain link to infected web site. I have left for last the discussion of another method of malware diffusion that is seriously impacting user’s digital life, the social networks. During the last year with the impressive growth of social network we have also observed the increase of the number of malware propagated using the popular social platforms. Millions of user always connected and with low awareness on the cyber threats are ideal victims for cybercrime that once again uses malware to exploit user’s vulnerabilities. In the social networking the fundamental factor is use of social engineering techniques to circumvent users that most often are redirected on compromised web sites through the sharing of “malicious hyperlink”. The most important social network are always under attacks, cyber criminals and hackers daily address social network’s users with any kind of malware variant, it’s the case for example of the last discovered related to Zeus Trojan. The experts of Trusteer firm have discovered a new variant Zeus malware responsible for a series of attacks against principal internet service providers. The variant carried out attacks using the P2P network architecture targeting users of Facebook, Hotmail and Yahoo and Google Mail. The malware is really appreciated by cyber criminals that have improved its feature over the months. Zeus Trojan is born as an agent able to steal banking information by logging keystrokes and form grabbing, it is spread mainly through phishing and drive-by downloads schemes. The malware variant that hit Facebook uses a web injection mechanism to propose to the victims a special price reduced of 20% for purchases made with Visa or MasterCard debit card using their Facebook account. The scam promises in fact that after registering debit card information, the victim will earn cash back when they purchase Facebook points. Of course to the user is proposed a form for the registration of debit card info that is equivalent to a legitimate one also in term of proposed layout

What are the main motivations behind the design of a malware?

The use of malware, as described, presents a sustained growth trend thanks to the operational flexibility of the cyber threat that makes fruitful use of malicious programs in several areas. The areas where the malware have found major use are:

The criminal organizations are the most active in the development and diffusion of malware, malicious programs that could be developed to realize complex frauds with reduce risks. Criminal gangs have discovered how much lucrative is the cybercrime and how reduced are the possibility to be legally pursued. Computer crime by its nature has placed in the cyberspace with direct effects on the real world, but due this characteristic, its persecution is virtually impossible for the absence of globally shared regulations against this type of illicit. Malware could be used in different fraud patterns, mainly their use is to steal user sensible information like banking credentials. The diffusion could happen through several channels like social networking, mail spamming, visiting infecting host or hijacking web navigation. The common factor is the identity theft of the user for fraudulent activity. During the last weeks we have assisted to the rapid diffusion of new generations of Ransomware demonstrating that the use of malware could be adapted for different model of cybercrimes. Ransomware is a type of malware which restricts access to the computer resources of the victim demanding the payment of a ransom for the removal of the restrictions. To prevent the access to the resources the malware encrypt files of infected machine. Cybercrime is not only the sector that adopts malware for its purposes, one of the most interesting usage is related to cyber warfare.  Borrowing definition of “cyber weapon” provided by security experts Thomas Rid and Peter McBurney :

“a computer code that is used, or designed to be used, with the aim of threatening or causing physical, functional, or mental harm to structures, systems, or living beings“

we can immediately think to the effect of a computer malware targeted against a strategic objective such as a critical infrastructure. Over the years many cyber weapons have been identified, without a doubts the most famous of which is the virus Stuxnet, for its development is common opinion that has been involved, by US and Israel Governments, a pool of high specialists. Stuxnet is not the unique example of usage of malware as cyber weapon, Duqu malware in fact is a similar agent that has been deployed with the purpose of information gathering, ideal for espionage operations. The reality is more complex, the future for malware in cyber warfare scenario is made of dedicated platform used to create multiform and modular agent that could target specific objectives simply including new components. We are facing with open projects that evolve with the need and in function with specific targets present new offensive features. Kaspersky’s director of global research & analysis, Costin Raiu, discovered with his team the existence of a common platform to build the malwares Duqu and Stuxnet, that they named “Tilded platform” because many of the files in agents have names beginning with the tilde symbol “~” and the letter “d.””. What is really interesting is that the researcher is convinced that the same framework has been also used to create at least three other pieces of malware confirming the existence of a “factory” platform that Costin Raiu defined using the following statement:

“It’s like a Lego set. You can assemble the components into anything: a robot or a house or a tank,”

But malware could be also the next option of group of hacktivist such as Anonymous. During the last couple of years we have witnessed the escalation of operations conducted by the Anonymous group, the hacker group that is expressing a social dissent through cyber attacks. Is common conviction that the group use only DDoS attacks for its operations, but the collective is changing and some security experts believe that they are also exploring other options such as malware deployment.  The purposes of malware usage maybe be different, malicious software could be used to attack strategic objectives with targeted campaign and also to conduct cyber espionageoperations. Also DDoS attacks could be automated infecting machines of the victims or simply hosting a malware on a website that redirect the attacks against the chosen targets. Another regrettable usage of malware is monitoring and controlling, typically implemented by governments and intelligence agencies. In most cases virus and trojan have been used to infect computer used to attack dissident, opponents and political oppositions. The purpose is to track their operation on the web, gather sensible information and localize them. In many cases the use of malware has made possible the capture of the victims and their ruthless suppression. During the Syrian repression the government has discovered that dissidents were using program such as Skype to communicate, so it has used the same channel to spread the backdoor “Xtreme RAT”. The schema of the targeted attacks was simple, after the arrest of some dissidents, the government has used their Skype accounts to spread a malware hidden in a file called MACAddressChanger.exe that was accepted by others activists. The dissidents were confident in the MACAddressChanger usage that they have used in the past to elude the monitoring system of the government. Xtreme Rat is a malware that belong to the Remote Access Tool category really simple to retrieve on line at a low price (Full version Price: €100 EUR). To confirm that backdoor has been installed by the Syrian Government is the IP address of the command server that belongs to Syrian Arab Republic — STE (Syrian Telecommunications Establishment). The sample reported is not the only one, the experts of the Trend Micro firm have in fact discovered the usage of the malware DarkComet to infect the computers of the opposition movement. The malware is used to steal documents from the victims and it appears to have been spread through Skype chats.  Once in execution the malware try to contact the command and control (C&C) server to receive instruction and also to transfer the stolen information. It has been observed that the C&C server is resident in Syria, the range of the IP addresses is under the control of the government of Damascus.

Which future for malware?

The scenarios reported share the same trend in the malware growth, more complex agents are daily developed being able to exploit well know vulnerabilities but also 0-days ones. Millions of PC are infected with new variants of malware composing scary botnet that are used for several purpose, the major concerns come from mobile technologies and cloud computing paradigm, in particular the mobile world has registered the major number of malware that have targeted its platforms and operating system. To give an idea on how much attractive is the mobile technology for malware developer let’s give a look to the Mobile Threat Report released by security firms F-Secure that warns of a dramatic increase in malware targeting mobile devices, especially Androind OS based. The following table reports interesting statistics on mobile threats discovered between 2004 and 2011, showing an impressive growth grouped by malware type.

According the report “In Q1 2011, 10 new families and variants were discovered. A year later, this number has nearly quadrupled with 37 new families and variants discovered in Q1 2012 alone,” the report states.

The experts of F-Secure attributes the growth to the increasing number of variants designed to evade antivirus protections by utilizing a greater number of signatures.

“A comparison between the number of malicious Android application package files (APKs) received in Q1 2011 and in Q1 2012 reveals a more staggering find — an increase from 139 to 3063 counts. This growth in number can be attributed to malware authors crafting their infected or trojanized applications to defeat anti-virus signature detection, distributing their malware in different application names, and trojanizing widely popular applications,” the report notes.

The situation can only worsen in the near future, more than worry about evolution of malware in the mobile landscape I’m worried by the impressive increase of polymorphic malware that are able to provide different signatures to evade security systems making difficult pattern-matching detection implemented by major antimalware software. The battle against these powerful cyber threats must move on two parallel tracks, prevention and response. The first aspect requires a high level of awareness of the related risks that can be obtained through well-designed information campaigns and through the establishment of a greater number of control centers and monitoring institutions. Regarding the second aspect it is desirable that computer crimes can be prosecuted with a globally recognized law that provides stiff penalties for criminals.   About the Author : Pierluigi Paganini, Security Specialist CEH – Certified Ethical Hacker, EC Council Security Affairs ( http://securityaffairs.co/wordpress ) Email : [email protected]

botnet cyber espionage cyber threat Cybercrime DDoS Governments monitoring Hacktivism malware phishing Social Engineering Social Network Syria The Hacker New Magazine Tilded Platform Trojan virus warfare worm zero-Day Zeus Trojan

you might also like

Pierluigi Paganini December 06, 2023
Atlassian addressed four new RCE flaws in its products
Read more
Pierluigi Paganini December 06, 2023
CISA adds Qualcomm flaws to its Known Exploited Vulnerabilities catalog
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

recent articles

Atlassian addressed four new RCE flaws in its products

Security / December 06, 2023

CISA adds Qualcomm flaws to its Known Exploited Vulnerabilities catalog

Security / December 06, 2023

Experts demonstrate a post-exploitation tampering technique to display Fake Lockdown mode

Security / December 06, 2023

GST Invoice Billing Inventory exposes sensitive data to threat actors

Hacking / December 06, 2023

Threat actors breached US govt systems by exploiting Adobe ColdFusion flaw

Security / December 06, 2023