New LightSpy variant targets Southern Asia and India as part of espionage campaign
BlackBerry researchers observed LightSpy activity targeting individuals in Southern Asia, and probably India, as part of a mobile espionage campaign. The activity involves a new LightSpy iteration, dubbed F_Warehouse, which has a modular framework with capabilities including shell command execution, file exfiltration, audio recording, image capture, data harvesting, and system access. The initial infection vector likely involves compromised news websites carrying stories related to Hong Kong.
Earth Hundun targets APAC organisations with Waterbear and Deuterbear
Trend Micro researchers detailed the Waterbear backdoor and its latest downloader, dubbed Deuterbear, active since 2022. The malware is attributed to the cyberespionage group Earth Hundun, and a recent surge in Waterbear attacks against technology, research, and government organisations in the Asia Pacific (APAC) region was identified. Deuterbear uses an HTTPS tunnel to protect its network traffic, implements multiple obfuscation methods for anti-analysis, and includes changes to its anti-memory-scanning and decryption routines.
New MadMxShell backdoor delivered via malvertising campaign
Zscaler researchers identified a new backdoor, dubbed MadMxShell, being distributed via fake websites for IP scanners and other software tools typically used by IT professionals. The threat actor abuses Google Ads to push the malicious sites to the top of search results. Each site mirrors the legitimate software’s website but contains additional JavaScript code that redirects users to download a malicious file when the download button is clicked.
New global SteganoAmor campaign attributed to TA558
Positive Technologies researchers analysed an ongoing global campaign, dubbed SteganoAmor, attributed to TA558. Over 320 attacks against organisations in Latin America, but also Russia, Romania, Turkey, and other countries, across various sectors were identified. TA558 makes use of steganography to conceal malicious code inside images for malware delivery, with observed malware including AgentTesla, FormBook, Remcos, LokiBot, Guloader, Snake Keylogger, and XWorm. The campaign involves phishing emails containing Excel and Word file attachments that exploit CVE-2017-11882.
TA427 impersonates US and South Korean foreign policy experts in phishing campaign
Proofpoint researchers analysed email phishing campaigns, attributed to the North Korean threat actor TA427, that have targeted experts for insight into United States and South Korean foreign policy since 2023. TA427 uses domain-based message authentication (DMARC) abuse, typosquatting, and private email account spoofing to impersonate think-tank staff, academics, journalists, and government personnel.
Ransomware
Volume of blog posts by operators during the last week (chart not reproduced).

- Atlassian Confluence Linux instances targeted with Cerber ransomware – SC Magazine US – Apr 17 2024
- Netskope Threat Coverage: Evil Ant Ransomware – Netskope Threat Labs – Apr 16 2024
- Ransomware gang starts leaking alleged stolen Change Healthcare data – BleepingComputer – Apr 15 2024
- GOLD IONIC Deploys INC Ransomware – Secureworks – Apr 15 2024
- Using the LockBit builder to generate targeted ransomware – Kaspersky Lab – Apr 15 2024
Financial Services
- New Android malware ‘Mamont’ poses as Google Chrome to steal banking details – Indian Express – Apr 18 2024
- SoumniBot: the new Android banker’s unique techniques – Kaspersky Lab – Apr 17 2024
- Credit Card Skimmer Hidden in Fake Facebook Pixel Tracker – Sucuri Blog – Apr 11 2024
- Massive China-Linked ID Theft Phishing Campaign Hits Asian Finance Industry – Cyberint – Apr 11 2024
- FatalRAT’s New Prey: Cryptocurrency Users In The Crosshairs – Cyble Blog – Apr 11 2024
Geopolitics
- Russian US election interference targets support for Ukraine after slow start – Microsoft On the Issues Blog – Apr 17 2024
- Russia is trying to sabotage European railways, Czech minister said – Security Affairs – Apr 16 2024
- Iran-Backed Hackers Blast Out Threatening Texts to Israelis – Dark Reading – Apr 15 2024
- Destructive ICS Malware ‘Fuxnet’ Used by Ukraine Against Russian Infrastructure – SecurityWeek RSS Feed – Apr 15 2024
- CISA Directs Federal Agencies to Immediately Mitigate Significant Risk From Russian State-Sponsored Cyber Threat – CISA.com – Apr 11 2024
High Priority Vulnerabilities
Name | Software | Base Score | Temporal Score | Related
---|---|---|---|---
CVE-2024-3400 | PAN-OS | 10 | 7.7 | Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400
CVE-2023-1389 | Archer AX21 | 9.8 | 9.4 | Botnets Continue Exploiting CVE-2023-1389 for Wide-Scale Spread
CVE-2024-3272 | DNS-340L | 9.8 | 9 | Exploitation of Unpatched D-Link NAS Device Vulnerabilities Soars
CVE-2024-1874 | PHP | 7.3 | 7 | BatBadBut vulnerability impacts further programming languages
CVE-2024-28255 | OpenMetadata | 9.8 | – | Attackers exploiting new critical OpenMetadata vulnerabilities on Kubernetes clusters