Earth Krahang abuses government infrastructure in espionage campaign
Trend Micro researchers detailed an advanced persistent threat (APT) campaign that has been targeting government entities worldwide since early 2022, with a strong focus on Southeast Asia. The group, dubbed Earth Krahang, exploits public-facing servers and uses spear-phishing emails to deliver two custom backdoors, RESHELL and XDealer, as well as Cobalt Strike, PlugX, and ShadowPad.
Multiple ITG05 campaigns observed targeting various countries
From November 2023, IBM researchers observed multiple campaigns attributed to the Russian state-sponsored group, ITG05, that deliver the MASEPIE backdoor. The campaigns use lure documents that imitate legitimate government or non-government organisations from Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States.
New multi-stage attack campaign DEEP#GOSU likely associated with Kimsuky
Securonix researchers discovered a new attack campaign, named DEEP#GOSU, that is likely associated with the North Korean hacker group, Kimsuky. The campaign involves a new script-based attack chain that leverages multiple PowerShell and VBScript stagers to stealthily infect Windows systems with the open-source remote access trojan, TruRat.
UAC-0006 targeted Ukraine in multiple phishing campaign waves delivering SmokeLoader
Palo Alto Networks Unit 42 researchers, in collaboration with Ukraine’s State Cyber Protection Centre of the State Service of Special Communications and Information Protection, detailed the use of SmokeLoader by the financially motivated threat actor, UAC-0006. The group conducted 23 waves of email-based campaigns between May and November 2023 in an attempt to steal money from victims. The main targets of the attacks were financial institutions and government organisations in Ukraine.
Sign1 malware campaign injects JavaScript into WordPress HTML widgets
Since late 2023, Sucuri researchers have observed a campaign that injects JavaScript into WordPress custom HTML widgets, including those created with the Custom CSS and JS plugin, to deliver a new malware called Sign1. Multiple variants have been observed, with over 39,000 sites infected at the time of writing and 2,500 infected with the most recent Sign1 variant. The injected code shows unwanted adverts and redirects visitors to VexTrio domains.
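A practical check for a campaign like this is to pull the stored content of every custom HTML widget (and every Custom CSS and JS entry) out of the WordPress database and look for script tags that do not belong there. The following Python scanner is an added example, not Sucuri's tooling and not derived from Sign1 samples: the widget contents are constructed for illustration, the allowlisted script hosts (`ALLOWED_SCRIPT_HOSTS`) are a site-specific assumption, and the inline-script indicators (base64 decoding, `eval`, character-code string building, location redirects) are generic obfuscation and redirect patterns rather than Sign1-specific signatures.

```python
"""Scan WordPress custom HTML widget content for injected <script> tags.

Added example, not the page's or Sucuri's code. Sample inputs are
constructed; in practice feed it the text of each widget_custom_html
option entry or Custom CSS & JS post pulled from the WordPress database.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts from (assumption: site-specific allowlist).
ALLOWED_SCRIPT_HOSTS = {"example.com", "www.example.com"}

# Generic indicators of obfuscated or redirecting inline JS (assumed, not Sign1 signatures).
SUSPICIOUS_PATTERNS = [
    (r"\beval\s*\(", "eval()"),
    (r"\batob\s*\(", "atob() base64 decode"),
    (r"String\.fromCharCode", "char-code string building"),
    (r"document\.write\s*\(", "document.write()"),
    (r"(?:window|document|top)\.location(?:\.href)?\s*=", "location redirect"),
    (r"[A-Za-z0-9+/]{80,}={0,2}", "long base64-like literal"),
]

# Constructed widget contents standing in for rows read from the database.
SAMPLE_WIDGETS = {
    "footer-contact": '<p>Call us: <a href="tel:+15550100">+1 555 0100</a></p>',
    "sidebar-analytics": '<script src="https://www.example.com/stats.js"></script>',
    "sidebar-injected": (
        '<script>var d=atob("aHR0cHM6Ly9iYWQuZXhhbXBsZQ==");'
        'if(document.referrer.indexOf("google")>-1){window.location.href=d;}</script>'
    ),
    "header-loader": '<script src="//cdn.badexample.test/loader.js"></script>',
}


class _ScriptCollector(HTMLParser):
    """Collects {"src": ..., "body": ...} for every <script> element seen."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        # HTMLParser hands the raw <script> body to handle_data in one or more chunks.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def _script_host(src):
    """Hostname of a script src; None for relative (same-origin) URLs."""
    if src.startswith("//"):  # protocol-relative URL, common in injected loaders
        src = "https:" + src
    return urlparse(src).hostname


def scan_widget(name, html):
    """Return a list of (widget_name, reason) findings for one widget's HTML."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for script in parser.scripts:
        if script["src"]:
            host = _script_host(script["src"])
            if host and host not in ALLOWED_SCRIPT_HOSTS:
                findings.append((name, f"external script from {host}"))
        for pattern, label in SUSPICIOUS_PATTERNS:
            if re.search(pattern, script["body"]):
                findings.append((name, f"inline script: {label}"))
    return findings


def scan_all(widgets=SAMPLE_WIDGETS):
    """Scan every widget and return the combined findings."""
    findings = []
    for name, html in widgets.items():
        findings.extend(scan_widget(name, html))
    return findings


if __name__ == "__main__":
    for widget, reason in scan_all():
        print(f"{widget}: {reason}")
```

On the constructed input the scanner flags the `sidebar-injected` widget twice (base64 decoding and a location redirect) and the `header-loader` widget once (an external script host not on the allowlist), while the contact text and the allowlisted analytics loader pass clean. Anything it flags still needs a human look: legitimate widgets do sometimes embed third-party tags, so the allowlist has to be built from the site's known dependencies first.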
Ransomware
[Chart: volume of blog posts by ransomware operators during the last week]
T-O-X-I-N-B-I-O – Ransomware Recruitment Efforts Following Law Enforcement Disruption – GuidePoint Security – Mar 20 2024
Python Ciphering: Delving into Evil Ant's Ransomware's Tactics – K7 Computing Lab Blog – Mar 20 2024
Research Shows IT and Construction Sectors Hardest Hit By Ransomware – Infosecurity Today – Mar 19 2024
CryptoWire with Decryption Key Included – ASEC Blog (AhnLab English) – Mar 19 2024
StopCrypt: Most widely distributed ransomware now evades detection – Bleeping Computer – Mar 14 2024
Financial Services
Tax scammer goes after small business owners and self-employed people – Malwarebytes Labs Blog – Mar 20 2024
Ethereum's CREATE2: A Double-Edged Sword in Blockchain Security – Check Point Research – Mar 18 2024
SIM swappers hijacking phone numbers in eSIM attacks – BleepingComputer – Mar 14 2024
Dark Web Actors Overwhelmingly Target Card Data, Finance in Q4 – PhishLabs – Mar 14 2024
North Korean Hackers Return to Tornado Cash Despite Sanctions – Elliptic Blog – Mar 14 2024
Geopolitics
Anonymous Sudan claims "massive cyber-attack" on US DoJ – Cyber Daily – Mar 19 2024
New AcidRain Linux Malware Variant "AcidPour" Found Targeting Ukraine – HackRead – Mar 18 2024
Over 800 Russian cyber attacks on Ukraine's state institutions and services since February 2022 – Prosecutor General – Ukrayinska Pravda – Mar 18 2024
British Minister of Defense aircraft encounters GPS jamming near Kaliningrad – AeroTime.aero – Mar 15 2024
Alabama Confirms DDoS Attack, Officials Silent on Hacker Identity – The Cyber Express – Mar 14 2024
High Priority Vulnerabilities
Name | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2024-23334 | aiohttp | 7.5 | 7.5 | Aiohttp flaw possibly exploited by ShadowSyndicate
CVE-2024-1597 | pgjdbc | 10.0 | – | Atlassian Releases Fixes for Over 2 Dozen Flaws, Including Critical Bamboo Bug
CVE-2023-6241 | ARM | 7.8 | 7.8 | PoC developed for Arm Mali GPU vulnerability
CVE-2023-22527 | Confluence Server | 9.8 | 9.8 | Atlassian Confluence vulnerability exploited to deliver XMRig miner
CVE-2024-27198 | TeamCity | 9.8 | – | TeamCity Vulnerability Exploits Lead to Jasmin Ransomware, Other Malware Types