APT29 targets German political parties using WINELOADER
In February 2024, Mandiant researchers observed the Russian state-backed threat actor APT29 targeting German political parties with the WINELOADER backdoor. The malware is delivered via phishing emails disguised as invitations to a supposed dinner reception hosted by the Christian Democratic Union. The emails contain a link to a ZIP archive, hosted on a compromised website, that carries a ROOTSAW dropper, which in turn delivers WINELOADER.
New StrelaStealer variant used in large-scale campaign
In January 2024, Palo Alto Networks Unit 42 researchers identified a series of StrelaStealer campaigns impacting over 100 organisations across the European Union and the United States, including high-tech, finance, and manufacturing organisations. The campaigns deliver an updated StrelaStealer variant via spam emails; the malware is used to steal email login credentials.
TA450 uses embedded links in PDFs to deliver AteraAgent to targets in Israel
Proofpoint researchers observed a phishing campaign by Iranian threat actor TA450 targeting Israeli employees at global manufacturing, technology, and information security companies using pay-related social engineering lures. The campaign started on March 7th, 2024, and continued through the week of March 11th, 2024. It aims to deliver the AteraAgent remote administration software to victims.
New TheMoon botnet activity linked to Faceless proxy service
Lumen Technologies researchers discovered an updated version of the TheMoon malware targeting small office and home office routers and IoT devices worldwide. The new variant infected over 40,000 bots across 88 countries between January and February 2024. It has also been linked to a March 2024 campaign associated with the Faceless proxy service that targeted over 6,000 ASUS routers in less than 72 hours.
New Tycoon 2FA phishing kit version enhances obfuscation and anti-detection capabilities
Starting February 12th, 2024, Sekoia researchers identified an updated version of the Tycoon 2FA adversary-in-the-middle (AiTM) phishing kit being distributed in the wild under a phishing-as-a-service model. Tycoon 2FA primarily aims to harvest Microsoft 365 session cookies, which let the operators bypass multi-factor authentication on subsequent sign-ins. Since August 2023, the researchers have observed over 1,200 domain names used within Tycoon 2FA phishing infrastructure.
Ransomware
Volume of blog posts by ransomware operators during the last week.

- Gilmer County Government services impacted by ransomware incident (AccessWDUN – Mar 27 2024)
- Ransomware group demands $700,000 from Tarrant Appraisal District (KERA News – Mar 26 2024)
- The impact of compromised backups on ransomware outcomes (Sophos – Mar 26 2024)
- Agenda Ransomware Propagates to vCenters and ESXi via Custom PowerShell Script (Trend Micro Simply Security – Mar 26 2024)
- Beware of New ‘HelloFire’ Ransomware Actor Mimic as a Pentester (GBHackers On Security – Mar 25 2024)
Financial Services
- Vietnam Securities Broker Suffered Cyberattack That Suspended Trading (Dark Reading – Mar 27 2024)
- Breaking Boundaries: Mispadu’s Infiltration Beyond LATAM (Morphisec – Blog – Mar 26 2024)
- Shopify plugins leaked data from nearly 2K stores – CyberNews[.]com (CyberNews – Mar 26 2024)
- Agent Tesla’s New Ride: The Rise of a Novel Loader (SpiderLabs Blog – Mar 26 2024)
- British citizen found guilty in $6b Bitcoin fraud scheme (BTCManager – Mar 20 2024)
Geopolitics
- ASEAN Entities in the Spotlight: Chinese APT Group Targeting (Unit 42 – Palo Alto Networks Blog – Mar 26 2024)
- U.S., U.K. accuse China of cyberespionage that hit millions (CBC – Mar 26 2024)
- Japan police warn of fraudulent N. Korean IT workers’ tactics (NHK World – Mar 26 2024)
- Russian military intelligence may have deployed wiper against multiple Ukrainian ISPs (Cyberscoop – News – Mar 21 2024)
- New details on TinyTurla’s post-compromise activity reveal full kill chain (Talos Intelligence Blog – Mar 21 2024)
High Priority Vulnerabilities
| Name | Software | Base Score | Temp Score | Related |
|---|---|---|---|---|
| CVE-2023-48022 | Anyscale Ray | 9.8 | – | Critical ShadowRay vulnerability in open-source AI framework Ray actively exploited |
| CVE-2023-48788 | FortiClientEMS | 9.8 | – | PoC released for recently patched FortiClient EMS flaw |
| CVE-2023-46747 | BIG-IP | 9.8 | – | UNC5174 exploits F5 BIG-IP and ScreenConnect flaws for initial access |
| CVE-2023-36424 | Windows | 7.8 | 6.8 | PoC developed for Windows Common Log File System Driver vulnerability |
| CVE-2024-21762 | FortiOS | 9.8 | 9.4 | Exploit for Fortinet FortiOS and FortiProxy flaw advertised for sale |