19 May 2023

Cyber security week in review: May 19, 2023

Apple fixes three WebKit zero-days

Apple has released security updates to address multiple vulnerabilities affecting iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser, including three zero-day flaws said to have been exploited in the wild.

All three zero-days (CVE-2023-32409, CVE-2023-32373, and CVE-2023-28204) reside in the WebKit browser engine and allow remote code execution on the system or access to potentially sensitive information.

Currently, there are no additional details available on the nature of the attacks exploiting the zero-days or on the identity of the threat actors behind them.

KeePass flaw enables master password theft

A flaw in the widely used open-source password manager tool KeePass could allow retrieval of the master password in cleartext from a memory dump, even when a workspace is locked or no longer running.

Tracked as CVE-2023-32784, the issue affects the KeePass 2.X branch for Windows, Linux, and macOS. No patch is available for this vulnerability as of yet; however, a proof-of-concept (PoC) exploit has already been released on GitHub.

US government charges alleged Russian hacker with attacks on critical infrastructure and police departments

The US Department of Justice charged Mikhail Pavlovich Matveev, a Russian national and resident believed to be involved with the infamous Hive, LockBit and Babuk ransomware gangs. Matveev and other members of the LockBit, Babuk, and Hive ransomware gangs have attacked at least 2,800 victims globally and demanded payments of around $400 million. Total victim ransom payments amount to as much as $200 million.

In addition, the US State Department has offered a reward of up to $10 million for information that leads to Matveev’s capture or conviction.

Spanish police disrupt online scam selling immigration appointments

Spanish police arrested 69 people suspected of their involvement in a cybercriminal gang that used a bot network to sell immigration appointments.

The group allegedly hacked Spain’s online booking system and used automated software to bypass the system’s security measures designed to identify bots, obtaining “practically all” of the appointments throughout the country. The criminals then resold the reservations (which are normally free) to foreigners seeking asylum or residency for prices ranging from €30 to €200.

Ukraine’s police bust bank fraud ring that stole over $400K

The National Police of Ukraine arrested 56 people for their involvement in a massive fraud ring that stole roughly UAH 15 million (over $400,000) from the bank accounts of more than 10,000 victims via phishing.

Dark web carding site BidenCash is now offering access to breached SSH servers

The BidenCash carding forum has expanded its services and is now also offering access to compromised SSH servers to buyers for as low as $2. According to threat intel company CloudSEK, BidenCash listed over 850 SSH servers with varying architecture, CPU configurations, and countries, among other things. The prices for these servers range from $2 to $10.

Founder of Skynet Market pleads guilty

Michael D. Mihalo (aka ggmccloud1), the founder of the dark web credit card marketplace Skynet Market, pleaded guilty in a US court. Between February 2016 and October 2019, Mihalo and his accomplices sold stolen financial information, primarily credit and debit card numbers and associated data, belonging to tens of thousands of victims, earning at least $1 million in cryptocurrency.

In addition to Skynet, Mihalo also sold stolen financial information on the now-defunct AlphaBay, Hansa, and Wall Street Market dark web marketplaces.

Lemon Group cybercrime gang pre-infected over 8.9M Android devices worldwide

A large cybercrime enterprise dubbed “Lemon Group” is said to have pre-installed malware known as “Guerilla” on almost 9 million Android-based smartphones, watches, TVs, and TV boxes.

The syndicate uses the infected devices as tools for stealing and selling SMS messages and one-time passwords (OTPs), serving up unwanted ads, setting up online messaging and social media accounts, and other purposes.

Trend Micro found that the group has infected mostly inexpensive Android devices in 180 countries, with more than 55% of the victims located in Asia, nearly 17% in North America and about 10% in Africa.

Bl00dy ransomware gang strikes education sector with PaperCut attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned that the Bl00dy ransomware gang is using a recently patched PaperCut vulnerability in attacks targeting organizations in the education sector.

Tracked as CVE-2023-27350, the flaw allows a remote attacker to bypass the authentication process and execute arbitrary code with SYSTEM privileges. The issue affects PaperCut MF and NG versions 8.0 and later. It was addressed by the vendor in March 2023 with the release of PaperCut MF and PaperCut NG versions 20.1.7, 21.2.11, and 22.0.9.
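A defender reading this item mainly wants to know whether a given PaperCut install is still exposed. The following added example (not code from the article, CISA or PaperCut) encodes only the version facts stated above: affected from 8.0 onward, fixed in 20.1.7, 21.2.11 and 22.0.9; branches newer than 22 are assumed to ship with the fix and are flagged for manual confirmation rather than marked safe.

```python
# Added example: classify a PaperCut MF/NG version string against the
# CVE-2023-27350 fix versions named in the advisory text above.
from typing import Dict, Optional, Tuple

FIRST_AFFECTED = (8, 0, 0)                     # "versions 8.0 and later"
FIXED_IN = {                                   # per-branch fixed releases
    20: (20, 1, 7),
    21: (21, 2, 11),
    22: (22, 0, 9),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '21.2.10' (or a shorter '20.1') into a comparable (major, minor, patch) tuple."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PaperCut version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def is_vulnerable(version: str) -> Optional[bool]:
    """True if exposed to CVE-2023-27350, False if unaffected or patched.

    Returns None for branches newer than those named in the advisory: assumed
    (not stated on the page) to include the fix, so an operator should confirm
    against the vendor's release notes instead of trusting this check."""
    v = parse_version(version)
    if v < FIRST_AFFECTED:
        return False                           # pre-8.0 builds are outside the affected range
    fixed = FIXED_IN.get(v[0])
    if fixed is None:
        # 8.x to 19.x: affected, and no in-branch fix is listed; needs a branch upgrade.
        return True if v[0] < 20 else None
    return v < fixed                           # same branch: patched once at/above the fix


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map host -> vulnerability status for an inventory of hostname: version."""
    return {host: is_vulnerable(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {"print01": "22.0.8", "print02": "21.2.11", "print03": "19.2.3"}
    for host, status in triage(sample).items():
        print(f"{host}: {'VULNERABLE' if status else 'verify' if status is None else 'ok'}")
```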

New RA Group ransomware gang uses leaked Babuk source code, swiftly expands operations

A new ransomware group called “RA Group” has been spotted. Despite being a newcomer on the ransomware scene, it has already listed four victims on its data leak site: three organizations in the US and one in South Korea, spanning several business verticals, including manufacturing, wealth management, insurance, and pharmaceuticals.

RA Group is the latest ransomware outfit to use the Babuk ransomware source code leaked in September 2021 on a Russian-language cybercrime forum. Like other ransomware gangs, the threat actor launches double extortion attacks and operates a data leak site on which it threatens to publish data stolen from victims who fail to make contact within a specified time or do not meet its ransom demands.

BianLian ransomware group shifts to extortion-only attacks

The US Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) released a joint security advisory detailing the tactics, techniques, and procedures (TTPs) of the BianLian ransomware operation.

Electronics maker Lacroix shuts down three factories after cyberattack

Global consumer electronic equipment manufacturer Lacroix temporarily closed three factories after it “intercepted” a cyberattack over the weekend. The company said that it blocked an attack on its French (Beaupréau), German (Willich) and Tunisian (Zriba) sites during the night of May 12 to May 13.

While Lacroix did not reveal the exact nature of the incident, it admitted that “some local infrastructures have been encrypted” and “an analysis is also being carried out to identify any exfiltrated data.”

One of the largest Coca-Cola bottlers reportedly hit with BlackBasta ransomware

The Russia-linked BlackBasta ransomware group has added Viking Coca-Cola, one of the largest Coca-Cola bottlers in the US, to the list of victims on its data leak website, suggesting that it breached the company and stole data. Samples of data provided in the post contain passports, confidential details, credit card information, and employee information. Viking Coca-Cola has yet to confirm the attack.

Personal data of nearly 6M patients impacted in PharMerica breach

US health giant PharMerica, a popular nationwide pharmacy services provider, disclosed a massive data breach affecting 5.8 million patients. The breach came to light on March 14, 2023, when PharMerica and its parent company, BrightSpring Health Services, discovered suspicious activity on their computer network.

An investigation showed that an unknown threat actor compromised PharMerica’s systems and stole certain personal and limited medical information, including names, dates of birth, Social Security numbers, medication lists and health insurance data.

While the company didn’t specify who was behind the incident, news media reported that the Money Message ransomware gang had added PharMerica and BrightSpring Health Services to their victim list in late March. The group claimed to have stolen 4.7 TB of data from the company, including at least 1.6 million unique records of personal information.

Discord discloses data breach following customer support provider compromise

VoIP and instant messaging social platform Discord notified its users about unauthorized access to a third-party customer service agent’s support ticket queue.

The company explained that the breach may have affected users’ email addresses, the contents of customer service messages and any attachments sent between the user and Discord.

Chinese hackers infect TP-Link routers with custom malware implant

A new China-linked state-sponsored threat actor dubbed “Camaro Dragon” is said to have been responsible for a series of targeted attacks against TP-Link routers belonging to European foreign affairs entities.

The campaign was discovered while analyzing attacks on officials in multiple European countries that Check Point has been tracking since January 2023. While examining files and infrastructure associated with the campaign, the researchers found a trove of files and payloads, among them two TP-Link router firmware images modified to add several malicious components to the original firmware, including a custom MIPS32 ELF implant dubbed “Horse Shell” used for persistence and lateral movement.

Horse Shell comes with a variety of functions, including the ability to run shell commands on the infected router, upload and download files to and from the device, and relay communication between different clients (SOCKS tunneling).

Lancefly APT targets government, aviation sector with custom backdoor

South and Southeast Asia-based organizations in the government, aviation, education, and telecommunication sectors have been targeted in ongoing attacks orchestrated by a threat actor dubbed “Lancefly,” possibly connected to China.

The observed campaign involved the group’s custom tool named “Merdoor,” a fully-featured backdoor that appears to have been developed in 2018. The Merdoor backdoor is capable of installing itself as a service, keylogging, listening on a local port for commands, and using a variety of methods to communicate with its command and control (C&C) server (HTTP, HTTPS, DNS, UDP, TCP).

Intrusion Truth exposes China-linked APT31

A group of anonymous researchers known as “Intrusion Truth,” which specializes in doxxing Chinese state-backed hackers, published a new series of articles linking Wuhan-based cybersecurity firms and schools to China’s Ministry of State Security. The investigation appears to expose hackers working for the Chinese cyber-espionage group APT31, known for its attacks on government entities, international financial organizations, and aerospace and defense organizations.
