28 April 2023

Cyber security week in review: April 28, 2023

Recent PaperCut server attacks linked to Cl0p, Lockbit ransomware

Microsoft has linked recent PaperCut server attacks to the Clop and Lockbit ransomware gangs. Last week, PaperCut warned that threat actors are exploiting two recently fixed vulnerabilities (CVE-2023-27350 and CVE-2023-27351) in the PaperCut print management software in attacks targeting unpatched servers.

According to Microsoft, CVE-2023-27350 and CVE-2023-27351 have been used by a threat actor it tracks as Lace Tempest (overlaps with FIN11 and TA505) in attacks delivering Clop ransomware.

DEX Merlin suffers $1.8 million security breach

Merlin, an Ethereum-based decentralized exchange (DEX) using zkSync layer-2 protocol, suffered a security incident, which saw roughly $1.8 million in funds lost during a public sale of its mage (MAGE) tokens.

The attackers bridged USDC tokens worth $850,000 from zkSync to Ethereum. Additionally, the hacker sent $133,800 USDC to MEXC Global and $31,000 USDC to Binance.

Google takes legal action against CryptBot malware distributors

Google has filed a lawsuit against several major distributors of the CryptBot info stealing malware believed to be based in Pakistan and operating a worldwide criminal enterprise. Google estimates that CryptBot has infected approximately 670,000 computers in the past year alone, primarily targeting users of Google Chrome.

To hamper the spread of CryptBot, the court granted Google a temporary restraining order that allows the company to take down current and future domains that are tied to the distribution of CryptBot.

38 Android Minecraft clones contained HiddenAds adware

Researchers at McAfee discovered 38 Minecraft lookalikes on Google Play that infected users with the HiddenAds adware, which stealthily downloads ads and can run malicious services without the user opening the app. The offending apps were downloaded more than 35 million times.

New ‘Atomic macOS Stealer’ malware is being sold on Telegram for $1000

A new macOS malware called Atomic macOS Stealer ('AMOS') is being offered for sale on a private Telegram channel for a subscription of $1000 per month.

The malware is specifically designed to target macOS and can steal a wide range of sensitive information from the victim's machine, including keychain passwords, complete system information, files from the desktop and documents folder, and even the macOS password. The stealer targets multiple browsers and can extract auto-fills, passwords, cookies, wallets, and credit card information. Specifically, AMOS can target crypto wallets such as Electrum, Binance, Exodus, Atomic, and Coinomi.

North Korean hackers target Mac devices with RustBucket malware

North Korea-linked BlueNoroff hackers, believed to be a subgroup of the Lazarus cybercrime cluster, have been observed targeting Apple Mac devices with a new macOS malware family called “RustBucket.”

RustBucket is a three-stage malware masquerading as a PDF viewer designed to target Apple macOS users.

Bumblebee malware distributed via fake installers for Zoom, ChatGPT and other popular software

A stealthy malware loader known as Bumblebee is being distributed via trojanized installers for popular software such as Zoom, Cisco AnyConnect, ChatGPT, and Citrix Workspace.

Bumblebee is a relatively new threat that seems to act as a sophisticated downloader bypassing most virtualization checks by implementing its own unique capabilities. Bumblebee has been observed deploying various malicious tools like Cobalt Strike, shellcode, Sliver, and Meterpreter.

The malware has been used by at least three cybercriminal groups associated with ransomware actors. Gangs using Bumblebee have in the past used the BazarLoader and IcedID loaders – linked to high-profile ransomware groups Conti and Diavol.

3CX supply chain hack also impacted critical infrastructure orgs in the US and Europe

The North Korean 3CX software supply chain attack, which itself stemmed from a trojanized X_Trader application, affected two critical infrastructure organizations in the energy sector in the US and Europe, as well as two other organizations involved in financial trading, Broadcom's Symantec said.

As per a previous report from cybersecurity firm Mandiant, the cause of the March 3CX breach was a trojanized version of the X_Trader platform developed by Trading Technologies, a company that provides software for professional traders.

Ukraine's police arrested a man for selling data of 300M people

Ukrainian cyber police arrested a 36-year-old man from the western city of Netishyn suspected of selling personal data of 300 million people from Ukraine and Europe on private channels on Telegram. The suspect is said to have sold the stolen data for a price between $500 and $2000.

FIN7 cybercrime group targets Veeam backup servers

The FIN7 cybercrime group has been observed attacking Veeam backup servers using the recently patched CVE-2023-27532 RCE vulnerability. The first attacks were detected in late March 2023, just a few days after proof-of-concept (PoC) code for this vulnerability was made publicly available.

Chinese APTs

Security researchers from ESET, the AhnLab Security Emergency Response Center, and Palo Alto Networks’ Unit 42 released three separate reports describing malware campaigns carried out by China-aligned state-backed hacker groups.

ESET’s report details a cyber-espionage campaign linked to the advanced persistent threat (APT) group Evasive Panda (aka Bronze Highland and Daggerfly) targeting a nonprofit organization in China with the custom MgBot malware designed to spy on its victims and collect data from their devices. The backdoor was delivered to victims via the QQ messaging software developed by Chinese tech giant Tencent. At present, it’s unclear how the hackers were able to use legitimate updates to deliver the malware.

AhnLab has shared technical details of a new campaign by a China-aligned threat actor known as the Tonto Team involving the use of a file related to anti-malware products to ultimately execute their malicious attacks.

Unit 42 researchers said they discovered a new variant of PingPull malware used by the Chinese nation-state group dubbed Alloy Taurus designed to target Linux systems.

First spotted in June 2022, PingPull is a remote access trojan that uses the Internet Control Message Protocol (ICMP) for command-and-control (C2) communications. The Linux version implements similar functionalities as the Windows variant, allowing it to carry out file operations and run arbitrary commands.

Suspected Russian hackers target entities in Tajikistan

Swiss cybersecurity company Prodaft has released a report on a cyber-espionage campaign dubbed Paperbug, carried out by a suspected Russian threat actor known as Nomadic Octopus (aka DustSquad). The group's targets include high-ranking government officials, telecommunication services, and public service infrastructure. Besides typical computers, servers, and mobile devices, the compromised devices also included operational technology (OT) devices.

Iranian hackers target Israel with updated PowerLess backdoor

A new Iranian-aligned threat actor dubbed Educated Manticore has been using new tactics and tools, including an updated version of PowerLess backdoor, in attacks targeting entities in Israel.

The deployment of the backdoor is a multi-stage process, which involves lure (Iraq development resources.iso as well as the documents within it), initial loader, downloader, PowerLess loader, and PowerLess PowerShell payload.

New SLP flaw enables massive 2,200x DoS amplification attacks

A high-risk vulnerability in the Service Location Protocol (SLP), an outdated Internet protocol, could lead to massive DoS amplification attacks with a maximum amplification factor of over 2200x, security researchers from cyber risk firm Bitsight and IT security company Curesec warned.

Tracked as CVE-2023-29552, the vulnerability allows a remote attacker to send small requests to an SLP server with a spoofed source IP address that corresponds to the victim's IP address, causing the server's much larger replies to be directed at the victim in a reflective DoS amplification attack.

The researchers discovered more than 54,000 SLP instances online, including VMware ESXi Hypervisor, Konica Minolta printers, Planex routers, IBM Integrated Management Module (IMM), SMC IPMI, and others.
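The traffic pattern of the reflective amplification described above is easy to spot from a defender's own flow records: an SLP host on the defender's network sends many large UDP/427 replies to one outside address that, by byte count, sent it almost nothing. The script below is an added example (not code from the page, Bitsight or Curesec) that runs that check over constructed flow lines; it assumes a simple one-line-per-flow log format and a configurable list of the defender's own networks, both of which are assumptions.

```python
"""Flag SLP (UDP/427) hosts whose replies to an outside address dwarf the
requests that address sent: the signature of reflective amplification abuse.
Added example; the flow format and INTERNAL_NETS are assumptions."""
import ipaddress
import re
from collections import defaultdict

# Assumption: the networks we administer. Anything else counts as "outside".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

SLP_PORT = 427

# Constructed sample flows (not real telemetry). 203.0.113.7 plays the
# spoofed "victim": three tiny requests appear to come from it and it receives
# three large replies. 10.0.0.9 is a legitimate internal client whose normal
# exchange must not be flagged.
SAMPLE_FLOWS = """\
2023-04-25T10:00:01Z udp 203.0.113.7:40001 -> 10.0.0.20:427 bytes=29
2023-04-25T10:00:01Z udp 10.0.0.20:427 -> 203.0.113.7:40001 bytes=1400
2023-04-25T10:00:02Z udp 203.0.113.7:40002 -> 10.0.0.20:427 bytes=29
2023-04-25T10:00:02Z udp 10.0.0.20:427 -> 203.0.113.7:40002 bytes=1400
2023-04-25T10:00:03Z udp 203.0.113.7:40003 -> 10.0.0.20:427 bytes=29
2023-04-25T10:00:03Z udp 10.0.0.20:427 -> 203.0.113.7:40003 bytes=1400
2023-04-25T10:00:04Z udp 10.0.0.9:51000 -> 10.0.0.20:427 bytes=60
2023-04-25T10:00:04Z udp 10.0.0.20:427 -> 10.0.0.9:51000 bytes=120
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$")


def parse_flow(line):
    """Parse one flow line into a dict, or return None for malformed input."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"proto": d["proto"], "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]), "bytes": int(d["bytes"])}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_slp_reflection(lines, min_ratio=10.0, min_replies=3):
    """Return [(slp_host, outside_peer, request_bytes, reply_bytes, ratio)] for
    every internal SLP host that sent at least `min_replies` replies to one
    outside address with a reply/request byte ratio of at least `min_ratio`."""
    req = defaultdict(int)   # (slp_host, peer) -> bytes addressed to port 427
    rep = defaultdict(int)   # (slp_host, peer) -> bytes sent from port 427
    cnt = defaultdict(int)   # (slp_host, peer) -> number of replies
    for line in lines:
        f = parse_flow(line)
        if f is None or f["proto"] != "udp":
            continue
        if f["dport"] == SLP_PORT and is_internal(f["dst"]) and not is_internal(f["src"]):
            req[(f["dst"], f["src"])] += f["bytes"]
        elif f["sport"] == SLP_PORT and is_internal(f["src"]) and not is_internal(f["dst"]):
            rep[(f["src"], f["dst"])] += f["bytes"]
            cnt[(f["src"], f["dst"])] += 1
    findings = []
    for key, reply_bytes in rep.items():
        request_bytes = req.get(key, 0)
        # Replies with no matching request at all count as unbounded amplification.
        ratio = reply_bytes / request_bytes if request_bytes else float("inf")
        if cnt[key] >= min_replies and ratio >= min_ratio:
            findings.append((key[0], key[1], request_bytes, reply_bytes, round(ratio, 1)))
    return findings


if __name__ == "__main__":
    for hit in find_slp_reflection(SAMPLE_FLOWS.splitlines()):
        print("possible SLP reflection: host=%s peer=%s req=%dB reply=%dB x%.1f" % hit)
```

The internal-only exchange from 10.0.0.9 is ignored because both ends are inside the monitored networks, while the 203.0.113.7 pair is reported with a ratio of roughly 48x on this constructed data; the host it names is the SLP instance that should have UDP/427 closed to the internet or the service disabled.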

Mirai botnet updates its arsenal with TP-Link Archer WiFi router bug

Threat actors behind the Mirai botnet are actively exploiting a recently patched TP-Link Archer WiFi router vulnerability. Tracked as CVE-2023-1389, the flaw is an unauthenticated command injection flaw in the local API of the web management interface of the TP-Link Archer AX21 router that allows a remote attacker to execute arbitrary commands on the target system by passing specially crafted data to the application.

TP-Link addressed the vulnerability in March 2023 in a new firmware update.

The first exploitation attempts were observed starting April 11, 2023, mostly targeting devices in Eastern Europe, with infections rapidly spreading worldwide.

Ransomware actors are using AuKill tool to disable security defenses

Ransomware groups are leveraging a new defense evasion tool that abuses an out-of-date Microsoft Windows driver to disable endpoint detection and response (EDR) processes before dropping malware onto systems.

The tool, dubbed “AuKill” by researchers at Sophos, has been observed in at least three ransomware incidents since the start of the year. In January and February, attackers deployed Medusa Locker ransomware after using the tool; in February, an attacker used AuKill before deploying Lockbit ransomware.

Kubernetes RBAC abused to create backdoors and run crypto miners

Cybersecurity researchers at Aqua Security discovered the first-ever evidence that attackers are exploiting Kubernetes (K8s) Role-Based Access Control (RBAC) in the wild to create backdoors.

The research team has spotted a large-scale cryptocurrency mining campaign they dubbed ‘RBAC Buster’ that targeted at least 60 Kubernetes clusters by deploying DaemonSets to hijack and steal resources from the victims' clusters.
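A backdoor of the kind described above needs a service account bound to a ClusterRole that grants broad rights, and pushing a DaemonSet to every node needs at least the ability to create workloads cluster-wide. The audit below is an added example (not code from the page or from Aqua Security) that walks ClusterRoles and ClusterRoleBindings and reports every ServiceAccount holding either level of access; it assumes objects in the JSON shape that `kubectl get clusterroles,clusterrolebindings -o json` returns, and all sample objects, names and namespaces are constructed.

```python
"""Audit Kubernetes RBAC for service accounts bound to admin-level or
workload-creating ClusterRoles. Added example; the sample objects are
constructed and the JSON shape is assumed from `kubectl ... -o json`."""

# Resources whose "create" right lets a subject run code on cluster nodes.
WORKLOAD_RESOURCES = {"pods", "daemonsets", "deployments", "jobs", "cronjobs"}

# Constructed sample objects (not from a real cluster). "system-monitor" stands
# in for an attacker-created role hiding under an innocuous name.
SAMPLE_CLUSTERROLES = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
               {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "services"],
                "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "system-monitor"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "deployer"},
     "rules": [{"apiGroups": ["apps"], "resources": ["daemonsets"],
                "verbs": ["create", "patch"]}]},
]}

SAMPLE_BINDINGS = {"items": [
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "system-monitor-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "system-monitor"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system",
                   "name": "system-monitor"}]},
    {"metadata": {"name": "default-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "default",
                   "name": "default"}]},
    {"metadata": {"name": "deployer-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "deployer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "deployer"}]},
    {"metadata": {"name": "viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring",
                   "name": "viewer"}]},
]}


def classify_role(role):
    """Return 'admin' for wildcard verbs on wildcard resources, 'workload-create'
    for the right to create workload objects, or None for anything tamer."""
    level = None
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        if "*" in verbs and "*" in resources:
            return "admin"
        if ({"*", "create"} & verbs) and ("*" in resources or resources & WORKLOAD_RESOURCES):
            level = "workload-create"
    return level


def find_risky_bindings(clusterroles, bindings):
    """List every ServiceAccount subject of a ClusterRoleBinding whose
    ClusterRole classifies as 'admin' or 'workload-create'."""
    levels = {r["metadata"]["name"]: classify_role(r) for r in clusterroles["items"]}
    findings = []
    for b in bindings["items"]:
        ref = b["roleRef"]
        # Bindings to Roles, or to ClusterRoles we have not seen, are skipped.
        level = levels.get(ref["name"]) if ref["kind"] == "ClusterRole" else None
        if level is None:
            continue
        for s in b.get("subjects", []):
            if s.get("kind") != "ServiceAccount":
                continue
            findings.append({"binding": b["metadata"]["name"],
                             "subject": f"{s.get('namespace', '')}/{s['name']}",
                             "role": ref["name"], "level": level})
    return findings


if __name__ == "__main__":
    for f in find_risky_bindings(SAMPLE_CLUSTERROLES, SAMPLE_BINDINGS):
        print(f"[{f['level']}] {f['subject']} via binding {f['binding']} -> {f['role']}")
```

Group and User subjects are deliberately left out so the report stays focused on tokens that live inside the cluster; in a real review every "admin" hit on a service account, and every "workload-create" hit outside a known CI namespace, deserves a look at who created the binding and when.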

US sanctions North Korean, Chinese nationals linked to Lazarus APT

The US authorities imposed sanctions on three men in China: two over-the-counter (OTC) traders, Wu Huihui and Cheng Hung Man, and Sim Hyon Sop, a representative of North Korea's Korea Kwangson Banking Corp (KKBC), all said to have been involved in laundering cryptocurrency stolen by North Korean government hackers to support Kim's regime.

Wu Huihui and Cheng Hung Man facilitated the conversion of virtual currency stolen by Lazarus Group. In his position with KKBC, Sim coordinated millions of dollars in financial transfers for the DPRK and was allegedly involved in laundering funds generated by North Korean IT workers who obtained illegal employment in the tech and crypto industry.
