APT42 uses social engineering schemes to access victim cloud environments
Mandiant researchers analysed activity attributed to the Iranian state-sponsored cyber espionage group, APT42, who use social engineering schemes to gain access to victim networks, including cloud environments. APT42 primarily targets Western and Middle Eastern NGOs, media organisations, academia, legal services, and activists, aiming to covertly exfiltrate data of strategic interest to Iran. The researchers also identified two custom backdoors, dubbed NICECURL and TAMECAT, used by APT42 for initial access.
Increase in phishing campaigns targeting USPS using combosquatted domains
Akamai researchers observed an increase in phishing campaigns using combosquatted domain names to impersonate the United States Postal Service (USPS) between October 2023 and February 2024. Victims typically receive text messages, allegedly from USPS, containing a link that redirects them to a malicious domain. Threat actors either chose to spread traffic across many different domains or used a small number of domains that received more traffic, likely for obfuscation purposes.
Suspected North Korean DEV#POPPER campaign uses fake job interviews to deliver Python RAT
Securonix researchers analysed a new ongoing campaign, dubbed DEV#POPPER, targeting software developers using fake job interviews to deliver a Python remote access trojan (RAT). The campaign uses a multi-stage infection chain that deceives victims through progressive compromise, with victims sent a ZIP archive file from GitHub that contains a legitimate-looking Node Package Manager (NPM) package used to deliver the Python RAT. Although the threat actors behind the campaign are unknown, North Korean hacking groups were observed using similar fake job opportunities to target software developers in 2023.
SecretCalls malware delivered by SecretCrow voice phishing group
S2W researchers analysed a family of malicious apps, dubbed SecretCalls, used for voice phishing attacks in South Korea. The threat actor responsible, dubbed SecretCrow, distributes the apps through phishing sites impersonating law enforcement agencies or financial institutions, often employing various financial themes. The apps download a dropper, dubbed SecretCalls Loader, that deletes phishing detection apps and installs SecretCalls alongside performing emulator detection, class and function name obfuscation, DEX encryption, and DEX dynamic loading.
Cuttlefish malware used to target enterprise-grade SOHO routers
Lumen researchers analysed a new modular malware, dubbed Cuttlefish, that has been active since July 2023. The malware targets enterprise-grade small office/home office routers to harvest public cloud authentication data. Cuttlefish can perform both DNS and HTTP hijacking for connections to private IP addresses, as well as interacting with other devices on the local area network. The latest campaign ran from October 2023 through April 2024, with 99% of infections occurring in Turkey, mainly from two telecommunications providers.
Ransomware
Volume of blog posts by operators during the last week.
Analysis of TargetCompany’s Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware) (ASEC Blog – AhnLab English – May 02 2024)
Ransomware Rising Despite Takedowns, Says Corvus Report (Infosecurity Today – Apr 30 2024)
Ransomware Group LockBit Claims Responsibility for Cannes Hospital Cyberattack (The Cyber Express – Apr 30 2024)
From IcedID to Dagon Locker Ransomware in 29 Days (The DFIR Report – Blog – Apr 29 2024)
Malware campaign attempts abuse of defender binaries (Sophos – Apr 26 2024)
Sifting through the spines: identifying (potential) Cactus ransomware victims (Fox-IT International blog – Apr 25 2024)
Financial Services
IRS warns of new spear-phishing tactics targeting CPAs and income tax professionals (McDonald Hopkins Company LPA – Apr 30 2024)
SlowMist Uncovers North Korea’s Lazarus Group Deceptive Disguise (CryptoCompass – Apr 29 2024)
Beware: Novel Crypto Scam Exploits Ethereum Nodes, Leaves Users Vulnerable (CryptoNews.net – Apr 26 2024)
ICICI Bank blocks 17,000 credit cards after data breach (Hindu Business Line – Apr 26 2024)
Brokewell: A New Android Banking Trojan Targeting Users In Germany (Cyble Blog – Apr 25 2024)
Geopolitics
A Cunning Operator: Muddling Meerkat and China’s Great Firewall (Infoblox Blog – Apr 29 2024)
Cyber-Partisans hacktivists claim to have breached Belarus KGB (Security Affairs – Apr 29 2024)
Ukrainian Hackers Launch Cyberattacks on Subsidiary of Major Russian Telecom (KyivPost – Apr 28 2024)
Head of Belgian Foreign Affairs Committee says she was hacked by China (Reuters – Apr 25 2024)
Poll Vaulting: Cyber Threats to Global Elections (Google Cloud – Apr 25 2024)
High Priority Vulnerabilities
| Name | Software | Base Score | Temp Score | Related |
|---|---|---|---|---|
| CVE-2024-27956 | Automatic Plugin | 9.9 | – | SQL injection flaw in WordPress Automatic plugin actively exploited |
| CVE-2023-7028 | Enterprise Edition | 7.5 | 7.5 | CISA Warns of Active Exploitation of Severe GitLab Password Reset Vulnerability |
| CVE-2017-8570 | Office | 7.8 | – | Uncorking Old Wine: Zero-Day from 2017 + Cobalt Strike Loader in Unholy Alliance |
| CVE-2018-0798 | Office | 8.8 | – | Agent Tesla Campaign Targets US Education and Government Sectors |
| CVE-2023-36025 | Windows | 8.8 | 8.4 | The Darkgate Menace: Leveraging Autohotkey & Attempt to Evade Smartscreen |