Russia’s chief propagandist leaks intercepted German military Webex conversation
Russia has been accused of attempting to inflame divisions in Germany by publishing an intercepted conversation in which Bundeswehr officials discuss the country’s support for Ukraine, particularly around the supply of Taurus cruise missiles. The 38-minute conversation, which took place on February 19, was first published on social media platform Telegram by Margarita Simonyan, the editor-in-chief of RT and a sanctioned propagandist, who said the recording had been provided to her by “comrades in uniform.”
·therecord.media·
FBI’s LockBit Takedown Postponed a Ticking Time Bomb in Fulton County, Ga. – Krebs on Security
The FBI’s takedown of the LockBit ransomware group last week came as LockBit was preparing to release sensitive data stolen from government computer systems in Fulton County, Ga. But LockBit is now regrouping, and the gang says it will publish the stolen Fulton County data on March 2 unless paid a ransom. LockBit claims the cache includes documents tied to the county’s ongoing criminal prosecution of former President Trump, but court watchers say teaser documents published by the crime gang suggest a total leak of the Fulton County data could put lives at risk and jeopardize a number of other criminal trials.
·krebsonsecurity.com·
Mail in the middle – a tool to automate spear phishing campaigns
The idea is simple; take advantage of the typos that people make when they enter email addresses. If we positioned ourselves in between the sender of an email (be it a person or a system) and the legitimate recipient, we may be able to capture plenty of information about the business, including personally identifiable information, email verification processes, etc. This scenario is effectively a Person-in-the-Middle (PiTM), but for email communications.
·sensepost.com·
NoName057(16) DDoSia project: 2024 updates and behavioural shifts
Learn about NoName057(16), a pro-Russian hacktivist group behind Project DDoSia, which targets entities supporting Ukraine. The report gives an overview of the changes made by the group, both in the software the group shares to generate DDoS attacks and in the evolution of its C2 servers. It also provides an overview of the countries and sectors targeted by the group in 2024.
·blog.sekoia.io·
CISA cautions against using hacked Ivanti VPN gateways even after factory resets
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) revealed today that attackers who hack Ivanti VPN appliances using one of multiple actively exploited vulnerabilities may be able to maintain root persistence even after performing factory resets.
·bleepingcomputer.com·
Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways | CISA
Based upon the authoring organizations’ observations during incident response activities and available industry reporting, as supplemented by CISA’s research findings, the authoring organizations recommend that the safest course of action for network defenders is to assume a sophisticated threat actor may deploy rootkit-level persistence on a device that has been reset and lie dormant for an arbitrary amount of time. For example, as outlined in “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure”, sophisticated actors may remain silent on compromised networks for long periods. The authoring organizations strongly urge all organizations to consider the significant risk of adversary access to, and persistence on, Ivanti Connect Secure and Ivanti Policy Secure gateways when determining whether to continue operating these devices in an enterprise environment.
·cisa.gov·
BlackCat Ransomware Affiliate TTPs
This blog post provides a detailed look at the TTPs of a ransomware affiliate operator. In this case, the endpoint had been moved to another infrastructure (as illustrated by various command lines, and confirmed by the partner), so while Huntress SOC analysts reported the activity to the partner, no Huntress customer was impacted by the ransomware deployment.
·huntress.com·
Lazarus and the FudModule Rootkit: Beyond BYOVD with an Admin-to-Kernel Zero-Day - Avast Threat Labs
The Lazarus Group is back with an upgraded variant of their FudModule rootkit, this time enabled by a zero-day admin-to-kernel vulnerability, CVE-2024-21338. Read this blog for a detailed analysis of this rootkit variant and learn more about several new techniques, including a handle table entry manipulation technique that directly targets Microsoft Defender, CrowdStrike Falcon, and HitmanPro.
·decoded.avast.io·
Civil society complaint raises concern that LinkedIn is violating DSA ad targeting restrictions
On 26 February, EDRi and its partners Global Witness, Gesellschaft für Freiheitsrechte and Bits of Freedom submitted a complaint to the European Commission regarding a potential infringement of the Digital Services Act (DSA). Specifically, we have raised concerns that LinkedIn, a designated Very Large Online Platform (VLOP) under the DSA, infringes the DSA’s new prohibition on targeting online adverts based on profiling using sensitive categories of personal data such as sexuality, political opinions, or race.
·edri.org·
Joomla: PHP Bug Introduces Multiple XSS Vulnerabilities
  • Sonar’s Vulnerability Research Team has discovered an issue that led to multiple XSS vulnerabilities in the popular Content Management System Joomla. The issue, discovered with the help of SonarCloud, affects Joomla’s core filter component and is tracked as CVE-2024-21726. Attackers can leverage the issue to gain remote code execution by tricking an administrator into clicking on a malicious link. The underlying PHP bug is an inconsistency in how PHP’s mbstring functions handle invalid multibyte sequences. The bug was fixed in PHP versions 8.3 and 8.4, but not backported to older PHP versions.
  • Joomla released a security announcement and published versions 5.0.3/4.4.3, which mitigate the vulnerability.
·sonarsource.com·
“SubdoMailing” — Thousands of Hijacked Major-Brand Subdomains Found Bombarding Users With Millions of Malicious Emails
Guardio Labs uncovers a sprawling campaign of subdomain hijacking, already compromising over 8,000 domains from esteemed brands and institutions, including MSN, VMware, McAfee, The Economist, Cornell University, CBS, Marvel, eBay and others. This malicious activity, dubbed “SubdoMailing”, leverages the trust associated with these domains to circulate spam and malicious phishing emails by the millions each day, cunningly using their credibility and stolen resources to slip past security measures. In our detailed analysis, we disclose how we detected this extensive subdomain hijacking effort, its mechanisms, its unprecedented scale and the main threat actor behind it. Furthermore, we developed the “SubdoMailing” checker, a website designed to empower domain owners to reclaim control over their compromised assets and shield themselves against such pervasive threats. This report not only sheds light on the magnitude of the issue but also serves as a call to action for enhancing domain security against future exploits.
·labs.guard.io·