BogusBazaar network uses 22,500 fraudulent webshop domains
Security Research Labs researchers investigated the BogusBazaar fraud-as-a-service group which, as of April 2024, operates a network of approximately 22,500 domains hosting fraudulent webshops. The shops advertise deals for shoes and apparel and aim to steal the contact and credit card details of victims, as well as sell fake merchandise. Over 850,000 individuals have been victimised, primarily from Western Europe and the United States. Research indicates that a large part of the network operates from China.
New SideCopy campaign targeting university sector shows overlaps with Transparent Tribe
In early May 2024, Cyble researchers observed a campaign by the SideCopy advanced persistent threat (APT) group that targeted university students with Reverse RAT and Action RAT. The researchers noted that Transparent Tribe is the group generally known to target this sector, indicating a possible intersection between the two APTs; SideCopy has previously been described as a subgroup of Transparent Tribe. The observed campaign appears to use spam emails as the initial infection vector, with hyperlinks leading to a site hosting a malicious archive file that contains an LNK file.
Flaw in Foxit PDF Reader warning messages exploited by various threat actors
Check Point researchers identified multiple threat actors leveraging malicious PDF files to exploit a flaw in the warning messages of Foxit PDF Reader. Exploitation relies on Foxit PDF Reader presenting two consecutive security warnings with ‘OK’ as the default option, which leads users to accept both without reading them. Payloads delivered in this way included VenomRAT, Agent Tesla, Remcos, XWorm, and NjRAT. One of the most prominent campaigns, targeting Windows and Android devices, was attributed to DoNot Team. Foxit stated the issue will be resolved in version 2024.3.
Kimsuky uses Facebook to target individuals involved in North Korean human rights and security affairs
Genians researchers recently observed the North Korean threat actor Kimsuky using Facebook to target individuals involved in North Korean human rights and security affairs. The attackers created Facebook profiles impersonating South Korean public officials, engaging with potential targets via friend requests and personal messages in order to share malicious links or documents with them. The attackers deployed malware in the form of Microsoft Management Console (MMC) files, configured to appear as Microsoft Word documents with icons and metadata mimicking legitimate files.
Lazarus Group campaign uses GitHub to target Blockchain and Web3 developers
Security researcher Dmitry Bestuzhev analysed a recent Lazarus Group campaign abusing GitHub to target Web3 and blockchain developers seeking employment opportunities. The goal of the campaign is to gain access to the victim’s system, blockchain projects, cryptocurrency data, and other sensitive information. The campaign has primarily targeted victims located in the United States and Pakistan, but the scope of the campaign likely extends beyond these countries.
Ransomware
[Chart: volume of blog posts by ransomware operators during the last week.]
Threat actors misusing Quick Assist in social engineering attacks leading to ransomware – Windows Security blog – May 15 2024
INC ransomware source code selling on hacking forums for $300,000 – Bleeping Computer – May 13 2024
Security Brief: Millions of Messages Distribute LockBit Black Ransomware – Proofpoint US Blog – May 13 2024
Mallox affiliate leverages PureCrypter in MS-SQL exploitation campaigns – Sekoia Blog – May 13 2024
CISA and Partners Release Advisory on Black Basta Ransomware – CISA Alerts – May 10 2024
In The Shadow Of Venus: Trinity Ransomware’s Covert Ties – Cyble Blog – May 10 2024
Financial Services
Santander reports customer, employee data breach in Spain, Chile, Uruguay – Reuters – May 14 2024
Ebury is alive but unseen: 400k Linux servers compromised for cryptocurrency theft and financial gain – WeLiveSecurity – May 14 2024
Australian lender Firstmac hacked by ransomware gang – SC Magazine US – May 13 2024
‘Got that boomer!’: How cyber-criminals steal one-time passcodes for SIM swap attacks and raiding bank accounts – TechCrunch – May 13 2024
North Korean Hackers Deploy New Golang Malware ‘Durian’ Against Crypto Firms – The Hacker News – May 10 2024
Geopolitics
Tracking the Progression of Earth Hundun’s Cyberespionage Campaign in 2024 – Trend Micro Research News Perspectives – May 16 2024
To the Moon and back(doors): Lunar landing in diplomatic missions – WeLiveSecurity – May 15 2024
State-sponsored hackers suspected in cyberattack on British Columbia government – SC Magazine US – May 14 2024
Ukrainian, Latvian TV Hijacked to Broadcast Russian Celebrations – Dark Reading – May 13 2024
AI-Powered Russian Network Pushes Fake Political News – Infosecurity Today – May 09 2024
High Priority Vulnerabilities
| Name | Software | Base Score | Temp Score | Related |
|---|---|---|---|---|
| CVE-2024-30051 | Windows | 7.8 | 7.5 | QakBot attacks with Windows zero-day (CVE-2024-30051) |
| CVE-2024-30040 | Windows | 8.8 | 8.4 | Microsoft May 2024 Patch Tuesday fixes 3 zero-days, 61 flaws |
| CVE-2023-47610 | PLS62 | 9.8 | 8.1 | Widely used Telit Cinterion modems open to SMS takeover attacks |
| CVE-2021-3129 | Ignition | 9.8 | 7.0 | LLMjacking: Stolen Cloud Credentials Used in New AI Attack |
| CVE-2024-0799 | Unified Data Protection | 9.8 | 9.8 | NHS England reports possible exploitation of Arcserve UDP vulnerabilities |