LockBit has claimed to have stolen 76 gigabytes worth of confidential data, including financial and IT records, certifications, and legal documents, in an attack on California’s Department of Finance. While officials aren’t divulging much information, the LockBit group gave the department until December 24 to meet its demands. Or else, it threatened to leak the department’s […]
WAF affected by Bypass Technique
Team82 research has found a generic bypass to industry-leading web application firewalls. This includes those used in Palo Alto Networks, Amazon Web Services, Cloudflare, F5, and Imperva. Researchers found that an SQL injection, or SQLi when launched alongside a JSON syntax, blinded most of these web application firewalls. Since cybercriminals can use this SQLi vulnerability “to […]
Phishing Attack leads to Remote Admin Access
Iranian cybercrime group, MuddyWater, used legitimate companies’ emails in phishing attacks, Deep Instinct reported in their recent blog, New MuddyWater Threat: Old Kitten; New Tricks. The attackers tried to install malicious remote administration software on recipients’ systems by sending spam links as HTML attachments—a tactic to evade email security solutions. Since 2017, the group has targeted […]
Malicious Excel Add in
Cisco Talos reports advanced persistent threat actors and commodity malware families are using XLLs as an infection vector and this number continues to grow. Since Microsoft has started rolling out versions of Office applications which will block execution of any VBA macros by default, attackers have turned to abusing Add-ins. In terms of the file […]
Malicious PyPL module Poses as Security SDK
A malicious Python package is posing as a software development kit (SDK) for the security firm SentinelOne, researchers at ReversingLabs discovered. The package, SentinelOne has no connection to the noted threat detection firm of the same name and was first uploaded to PyPI, the Python Package Index, on Dec 11, 2022. It has been updated […]
Android Malware Infects 300,000 Facebook users
Android malware dubbed Schoolyard Bully Trojan has infected and extracted information from over 300,000 devices in 71 countries since 2018, the mobile security firm Zimperium zLabs reported. The apps were marketed as educational on Google Play Store and primarily targeted Facebook users in Vietnam. The report cautions that the apps, though now removed from the Google Play […]
Deconstructing Azov: Sophisticated Wiper
Azov first came to the attention of the information security community as a payload of the SmokeLoader botnet, commonly found in fake pirated software and crack sites. One thing that sets Azov apart from your garden-variety ransomware is its modification of certain 64-bit executables to execute its own code. The modification of executables is done […]
Google ADs pointing to malware
Fake sites for popular software have been seen pushing IcedID malware (also known as Bokbot). Search Engine Optimization (SEO) is a technique that websites use to increase their visibility for search engines like Google. Cyber criminals occasionally use SEO to direct search traffic to malicious advertisement links. These ads redirect users to fake software sites […]
Meta-Phish: Phishing via Facebook
Trustwave SpiderLabs previously released two blogs about Facebook and Instagram phishing. The common denominator between these two articles is the use of phony notifications which lure victims into thinking that they have allegedly committed a violation of terms. The victim must then make an appeal through a crafted phishing page to avoid losing access to […]
Cuba ransomware analysis by TredMicro
Trend Micro has observed a resurgence of Cuba ransomware activity in March and April 2022. It included a new variant that contained updates to the binary – particularly its downloader – that is believed to enhance efficiency, minimize unwanted system behavior, and even provide technical support to victims in case of negotiations. Cuba ransomware has […]
Supply Chain Attack with Different PyPl Methods
In the beginning of November several malicious python packages distributing the W4SP malware were found in the Python Package Index (PyPI) open source repository. These packages contain malicious code, hidden inside init.py or setup.py scripts, which downloads a stage 2 payload from a remote location. Stage 2 payload is W4SP stealer capable of stealing a wide […]
Recent TrueBot infections
Since August 2022, Talos has seen an increase in infections of Truebot (aka Silence.Downloader) malware. Truebot was first identified in 2017 and researchers have linked it to a threat actor that is responsible for several high-impact attacks on financial institutions in several countries around the world. Recently, the attackers have shifted from using malicious emails […]
Russian Gangs Obtain 50 Million Passwords
Group-IB, a cybersecurity company, has issued a press release reporting that 34 Russian cybercrime gangs have compromised 50-million accounts through a stealer-as-a-service scam. The scammers have stolen user passwords from sites like Steam and Roblox, and payment information and credentials from Amazon, PayPal, and cryptocurrency wallets. In total, the cybercriminals compromised over 890,000 devices in over 111 countries. Aside from looting passwords, […]
142 Scammers arrested for stealing $120 million.
Europol, in a joint operation with other international agencies, took down the iSpoof website which stole over $120 million in international scamming operations, an official press release by Europol said. The website provided criminals with technology to impersonate sources from governments and banks, including Barclays, Santander, NatWest, and Nationwide. Later on, the police authorities confirmed that the number of […]
GoTo/LogMeIn Security Breach
GoTo, (formerly LogMeIn), has issued a formal security breach notification through its blog, indicating that cybercriminals have gained access to its development environment and cloud storage facilities. LastPass, a subsidiary of GoTo, has also issued a similar update to customers. However, no passwords have been stolen and little or no sensitive data has been leaked, […]
A New Wave Of Ransomware Campaigns: AXLocker, Octocrypt
Ransomware operators have a new tool, named AXLocker, which can encrypt several file types and make them completely unusable. Additionally, the ransomware steals Discord tokens from the victim’s machine and sends them to a separate Discord server ran by the threat actors (TAs) . Finally, the AXLocker ransomware shows a pop-up window that contains a […]
ViperSoftX: Hiding and Stealing
ViperSoftX is a multi-stage stealer that exhibits interesting hiding capabilities. Other than stealing cryptocurrencies, it also spreads the VenomSoftX browser extension, which performs man-in-the-browser attacks. One of the payloads ViperSoftX distributes is a specific information stealer in the form of a browser extension for Chromium-based browsers. Due to its standalone capabilities and uniqueness, we decided […]
Actor Profile: DEV-0243 – from FakeUpdates to Ransomware
Executive summary The threat actor that Microsoft tracks as DEV-0243, which overlaps with activity tracked by the cyber intelligence industry as EvilCorp , is a Russia-based cybercriminal group that’s been active since June 2014. It was also notorious for one of its earliest malware campaigns – the Dridex banking trojan. DEV-0243 is also one of the first […]
Chinese threat actor targets South East Asia
Mandiant Managed Defense recently identified cyber espionage activity that heavily leverages USB devices as an initial infection vector and concentrates on the Philippines. Mandiant tracks this activity as UNC4191 and assess it has a China nexus. UNC4191 operations have affected a range of public and private sector entities primarily in Southeast Asia and extending to […]
Aurora a trending infostealer Malware
Since September 2022, Aurora malware is advertised as an infostealer and several traffers teams announced they added it to their malware toolset. Furthermore, SEKOIA.IO observed an increase in the number of Aurora samples distributed in the wild, as well as C2 servers. First advertised on Russian-speaking underground forums in April 2022, Aurora is a multi-purpose […]