‘Large volume’ of data stolen from UN agency after ransomware attack
The attack is just the latest in a string targeting the multilateral body in recent years.
MITRE says state hackers breached its network via Ivanti zero-days
The MITRE Corporation says a state-backed hacking group breached its systems in January 2024 by chaining two Ivanti VPN zero-days.
LastPass Users Lose Master Passwords to Ultra-Convincing Scam
CryptoChameleon attackers trade quantity for quality, dedicating time and resources to trick even the most diligent into handing over their high-value credentials.
Ransomware payments drop to record low of 28% in Q1 2024
Ransomware actors have had a rough start this year, as stats from cybersecurity firm Coveware show that the trend of victims declining to pay the cybercriminals continues and has now reached a new record low of 28%.
‘The machine did it coldly’: Israel used AI to identify 37,000 Hamas targets
Israeli intelligence sources reveal use of ‘Lavender’ system in Gaza war and claim permission given to kill civilians in pursuit of low-ranking militants
Hackers are threatening to leak World-Check, a huge sanctions and financial crimes watchlist | TechCrunch
A financially motivated criminal hacking group says it has stolen a confidential database containing millions of records that companies use for screening potential customers for links to sanctions and financial crime. The hackers, which call themselves GhostR, said they stole 5.3 million records from the World-Check screening database in March and are threatening to publish the data online.
China Orders Apple to Remove Popular Messaging Apps
WhatsApp, Signal and Telegram among apps cut from iPhone app store to comply with censorship demand
'Crude' ransomware tools proliferating on the dark web for cheap, researchers find
Cheap ransomware is being sold for one-time use on dark web forums, allowing inexperienced freelancers to get into cybercrime without any interaction with affiliates. Researchers at the intelligence unit at the cybersecurity firm Sophos found 19 ransomware varieties being offered for sale or advertised as under development on four forums from June 2023 to February 2024.
Ransomware attack has cost UnitedHealth $872 million; total expected to surpass $1 billion
he ransomware attack on a company owned by healthcare giant UnitedHealth Group (UHG) has so far caused $872 million in losses, according to the corporation’s latest earnings report. UnitedHealth owns Change Healthcare, a key cog in the U.S. healthcare industry that was crippled by a ransomware attack in February. Change Healthcare and UHG subsidiary Optum took hundreds of systems offline as a result of the incident and faced criticism from the White House and Congress over its handling of the ransomware attack.
Cisco: Hacker breached multifactor authentication message provider on April 1
Cisco said one of the providers it uses to send multifactor authentication (MFA) messages was breached by a threat actor on April 1. In emails to customers, Cisco said the incident specifically affected Duo — a multifactor authentication company it acquired in 2018. The attacker breached the system of a telephony supplier that Duo uses to send MFA messages through texts and phone calls to its customers.
The Fall of LabHost: Law Enforcement Shuts Down Phishing Service Provider | Trend Micro (US)
On Thursday, April 18, 2024, the UK’s Metropolitan Police Service, along with fellow UK and international law enforcement, as well as several trusted private industry partners, conducted an operation that succeeded in taking down the Phishing-as-a-Service (PhaaS) provider LabHost. This move was also timed to coincide with a number of key arrests related to this operation. In this entry, we will briefly explain what LabHost was, how it affected its victims, and the impact of this law enforcement operation — including the assistance provided by Trend Micro.
New Backdoor, MadMxShell
Beginning in March of 2024, Zscaler ThreatLabz observed a threat actor weaponizing a cluster of domains masquerading as legitimate IP scanner software sites to distribute a previously unseen backdoor. The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged GoogleAds to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites. The newly discovered backdoor uses several techniques such as multiple stages of DLL sideloading, abusing the DNS protocol for communicating with the command-and-control (C2) server, and evading memory forensics security solutions. We named this backdoor “MadMxShell” for its use of DNS MX queries for C2 communication and its very short interval between C2 requests.
Idle GPUs Are the Devil's Workshop
Salad, a company that pays gamers in Fortnite skins and Roblox gift cards to rent their idle GPUs remotely to generative AI companies, is using those idle computers to create AI-generated porn. Though 404 Media hasn’t seen evidence that any of the images produced by Salad and its network of idle gaming PCs produced nonconsensual AI-generated sexual images, it’s technically possible, and Salad has had a generative AI client that previously produced that type of content.
Exclusive: Northrop Grumman working with Musk's SpaceX on U.S. spy satellite system | Reuters
Aerospace and defense company Northrop Grumman is working with SpaceX, the space venture of billionaire entrepreneur Elon Musk, on a classified spy satellite project already capturing high-resolution imagery of the Earth, according to people familiar with the program.
Students turning to cyberfraud as huge phishing
LabHost enabled users to set up websites designed to trick victims into revealing personal information – with 70,000 allegedly duped in the UK
Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters
Microsoft recently uncovered an attack that exploits new critical vulnerabilities in OpenMetadata to gain access to Kubernetes workloads and leverage them for cryptomining activity.
Unearthing APT44: Russia’s Notorious Cyber Sabotage Unit Sandworm
APT44 is a threat actor that is actively engaged in the full spectrum of espionage, attack, and influence operations.
Hackers Linked to Russia’s Military Claim Credit for Sabotaging US Water Utilities | WIRED
Cyber Army of Russia Reborn, a group with ties to the Kremlin’s Sandworm unit, is crossing lines even that notorious cyberwarfare unit wouldn’t dare to.
Over 500 people targeted by Pegasus spyware in Poland, officials say
Prosecutor General Adam Bodnar says an investigation into Pegasus use by current and former government officials has expanded to hundreds more people than initially reported.
Ivanti warns of critical flaws in its Avalanche MDM solution
Ivanti has released security updates to fix 27 vulnerabilities in its Avalanche mobile device management (MDM) solution, two of them critical heap overflows that can be exploited for remote command execution.
Security Brief: TA547 Targets German Organizations with Rhadamanthys Stealer
What happened Proofpoint identified TA547 targeting German organizations with an email campaign delivering Rhadamanthys malware. This is the first time researchers observed TA547 use Rhadamanthys,...
Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)
Welcome to April 2024, again. We’re back, again. Over the weekend, we were all greeted by now-familiar news—a nation-state was exploiting a “sophisticated” vulnerability for full compromise in yet another enterprise-grade SSLVPN device. We’ve seen all the commentary around the certification process of these devices for certain .GOVs - we’re not here to comment on that, but sounds humorous.
DDoS threat report for 2024 Q1
2024 started with a bang. Cloudflare’s autonomous systems mitigated over 4.5 million DDoS attacks in the first quarter of the year — a 50% increase compared to the previous year.
The US Government Has a Microsoft Problem
Microsoft has stumbled through a series of major cybersecurity failures over the past few years. Experts say the US government’s reliance on its systems means the company continues to get a free pass.
Change Healthcare stolen patient data leaked by ransomware gang
This is the second group to demand a ransom payment from Change Healthcare to prevent the release of stolen patient data in as many months.
Open Source Security (OpenSSF) and OpenJS Foundations Issue Alert for Social Engineering Takeovers of Open Source Projects
XZ Utils cyberattack likely not an isolated incident
Réunion en ligne avec un faux chef (technique de deep fake) : fraude au CEO 2.0
09.04.2024 - Le service financier d’une entreprise reçoit de son patron une demande de paiement soi-disant urgente. Le CEO explique que si le responsable financier n’effectue pas le paiement dans les plus brefs délais, cela aura de graves conséquences pour l’entreprise, car une commande importante sera perdue. Ensuite, le chef n’est étrangement plus joignable pour répondre à d’autres questions. Tel est le scénario typique d’une fraude au CEO. La plupart du temps, ces attaques ne sont pas très sophistiquées et sont faciles à détecter. L’intelligence artificielle et le deep fake ne s’arrêtent toutefois pas à cette méthode d’escroquerie plutôt simple, comme le montre un exemple récent signalé à l’OFCS.
Leaked LockBit builder in a real-life incident response case | Securelist
Kaspersky researchers revisit the leaked LockBit 3.0 builder and share insights into a real-life incident involving a custom targeted ransomware variant created with this builder.
From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering | Proofpoint US
Key takeaways TA427 regularly engages in benign conversation starter campaigns to establish contact with targets for long-term exchanges of information on topics of strategic importance to the No...
CISA: Email from federal agencies possibly accessed in Russian breach of Microsoft
CISA publicly released an emergency directive issued to federal agencies earlier this month, detailing how a breach at Microsoft could have affected the government.