29 March 2024

Cyber Security Week in Review: March 29, 2024


Spyware makers and APT hackers are behind rise in zero-day exploits, Google says

Google's Threat Analysis Group (TAG) and Google subsidiary Mandiant have released a report on zero-day vulnerabilities exploited in the wild during 2023. According to the report, 97 zero-days were exploited in 2023, up more than 50% from the 62 recorded in 2022, although still short of the 2021 record of 106. A large share of that exploitation is attributed to commercial spyware vendors and state-backed cyber espionage groups.

CISA and FBI urge manufacturers to eliminate SQL injection flaws

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint alert urging executives of technology manufacturing companies to conduct formal reviews of their organizations' software and promptly implement mitigations aimed at eliminating SQL injection (SQLi) security vulnerabilities before shipping products to consumers.
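The alert's core ask is that vendors stop assembling SQL from untrusted input and use parameterized queries instead. The following is an added example, not code from the CISA/FBI alert or from any vendor: it runs the same tautology payload against a string-concatenated query and a parameterized one over an in-memory SQLite table (constructed data), and includes a small line-based heuristic that a review team might run over source to flag execute() calls whose SQL is built at runtime. The table, user names, payload, sample source and the regex are all assumptions for illustration.

```python
import re
import sqlite3

# Constructed sample data, not from the alert.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    conn.commit()
    return conn

# Classic tautology payload; the closing quote breaks out of the string literal.
INJECTION_PAYLOAD = "x' OR '1'='1"

def lookup_vulnerable(conn, username):
    # Vulnerable on purpose: the input becomes part of the SQL grammar.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]

def lookup_parameterized(conn, username):
    # The driver binds the value; the query text never changes.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]

# Review heuristic: an execute*() call on the same line as string
# concatenation, the % formatting operator applied to a literal, .format(),
# or an f-string. A query built on an earlier line is not caught, and a
# reviewer still has to triage each hit; this narrows where to look.
_DYNAMIC_SQL = re.compile(r"""execute\w*\(.*(\+|["']\s*%\s|\.format\(|\bf["'])""")

def find_dynamic_sql(source: str):
    """Return 1-based line numbers of execute*() calls with runtime-built SQL."""
    return [
        lineno
        for lineno, line in enumerate(source.splitlines(), 1)
        if _DYNAMIC_SQL.search(line)
    ]

# Constructed source snippet for the heuristic; line 1 is blank.
SAMPLE_SOURCE = '''
cur.execute("SELECT * FROM t WHERE id = " + user_id)
cur.execute("SELECT * FROM t WHERE id = %s" % user_id)
cur.execute(f"SELECT * FROM t WHERE name = '{name}'")
cur.execute("SELECT * FROM t WHERE id = ?", (user_id,))
'''

if __name__ == "__main__":
    db = build_db()
    print("vulnerable  :", lookup_vulnerable(db, INJECTION_PAYLOAD))
    print("parameterized:", lookup_parameterized(db, INJECTION_PAYLOAD))
    print("flagged lines:", find_dynamic_sql(SAMPLE_SOURCE))
```

With the payload, the concatenated query returns every user while the parameterized query returns nothing, because the bound value is compared as a literal string. The heuristic flags the three runtime-built queries and leaves the placeholder query alone.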

CISA warns of actively exploited MS SharePoint bug

CISA has added a vulnerability in Microsoft SharePoint Server (CVE-2023-24955) to its Known Exploited Vulnerabilities (KEV) catalog, indicating that the flaw is being exploited in the wild. CVE-2023-24955 is a code injection flaw that lets an authenticated attacker with Site Owner privileges execute arbitrary code on the server.

Cisco warns of password spray attacks on remote access VPN services

Cisco released recommendations along with Indicators of Compromise (IoCs) to help organizations secure their systems against password spray attacks aimed at Remote Access VPN (RAVPN) services.
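Password spraying shows up in VPN authentication logs as a single source trying many different usernames a few times each, which is the inverse of the one-user, many-attempts pattern that account-lockout rules catch. The following detector is an added example, not code or IoCs from Cisco's guidance: it parses constructed log lines in an invented, simplified format (real Cisco ASA/FTD syslog messages would need their own regex), groups failures by source address, and raises an alert when one source fails against at least a threshold number of distinct users inside a sliding time window. The log format, addresses (TEST-NET ranges), window and threshold are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Invented line format for the example; not Cisco's syslog format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth-failed src=(?P<src>\S+) user=(?P<user>\S+)$"
)

def parse(line):
    """Return (timestamp, src, user) for a failed-auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"]

def detect_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Map each spraying source to the sorted set of users it tried.

    A source is flagged when, within any `window`, it produced failed
    logins for at least `min_users` distinct usernames. Many failures
    for a single user (brute force) are deliberately not flagged here.
    """
    events = sorted(e for e in map(parse, lines) if e is not None)
    per_src = defaultdict(list)
    for ts, src, user in events:
        per_src[src].append((ts, user))

    alerts = {}
    for src, evs in per_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) >= min_users and len(users) > len(alerts.get(src, [])):
                alerts[src] = sorted(users)
    return alerts

# Constructed sample log: one spraying source, one single-user brute
# force, one low-volume source, and one success line the parser skips.
SAMPLE_LOG = """\
2024-03-25T10:00:01Z vpn-gw auth-failed src=203.0.113.7 user=alice
2024-03-25T10:00:09Z vpn-gw auth-failed src=203.0.113.7 user=bob
2024-03-25T10:00:17Z vpn-gw auth-failed src=203.0.113.7 user=carol
2024-03-25T10:00:25Z vpn-gw auth-failed src=203.0.113.7 user=dave
2024-03-25T10:00:33Z vpn-gw auth-failed src=203.0.113.7 user=erin
2024-03-25T10:00:41Z vpn-gw auth-failed src=203.0.113.7 user=frank
2024-03-25T10:00:49Z vpn-gw auth-success src=203.0.113.7 user=grace
2024-03-25T10:01:00Z vpn-gw auth-failed src=198.51.100.9 user=bob
2024-03-25T10:01:05Z vpn-gw auth-failed src=198.51.100.9 user=bob
2024-03-25T10:01:10Z vpn-gw auth-failed src=198.51.100.9 user=bob
2024-03-25T10:01:15Z vpn-gw auth-failed src=198.51.100.9 user=bob
2024-03-25T10:01:20Z vpn-gw auth-failed src=198.51.100.9 user=bob
2024-03-25T10:02:00Z vpn-gw auth-failed src=192.0.2.5 user=heidi
2024-03-25T10:02:30Z vpn-gw auth-failed src=192.0.2.5 user=ivan
"""

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG.splitlines()).items():
        print(f"password spray from {src}: {len(users)} users: {', '.join(users)}")
```

Counting distinct users rather than raw failures is what separates a spray from a brute force; tune the window and threshold to the normal failure rate of the VPN, and correlate with the other indicators in Cisco's guidance rather than alerting on this alone.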

PyPI suspends new user registration due to malware campaign

The administrators of the Python Package Index (PyPI) halted new user registrations in response to a surge of malicious projects uploaded as part of a typosquatting campaign. The suspension was lifted on March 28, 2024. According to the software supply chain security firm Checkmarx, the as-yet unidentified perpetrators flooded the repository with typosquatted versions of popular packages, specifically targeting developers.
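Typosquatting works because a one- or two-character slip ("requsts" for "requests") lands on a name nobody has claimed. The following checker is an added example, not code from PyPI or Checkmarx: it normalizes names the way PyPI does (case-folded, runs of dots, hyphens and underscores collapsed to a hyphen) and reports popular packages within a small edit distance of a candidate name. The short popular-package list is a constructed stand-in; a registry gate or a pre-install hook would use the real top-N list.

```python
import re

# Constructed stand-in for a list of the most-downloaded packages.
POPULAR = ["requests", "numpy", "pandas", "urllib3", "setuptools", "colorama"]

def normalize(name: str) -> str:
    """PEP 503-style normalization, so 'Requests' and 'requests' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) with a two-row DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def typosquat_candidates(name, popular=POPULAR, max_distance=2):
    """Popular packages within max_distance edits of `name`, nearest first.

    Returns [] when `name` *is* one of the popular packages, so the
    genuine project is never reported as squatting on itself.
    """
    n = normalize(name)
    hits = []
    for pkg in popular:
        pn = normalize(pkg)
        if n == pn:
            return []
        d = levenshtein(n, pn)
        if d <= max_distance:
            hits.append((pkg, d))
    return sorted(hits, key=lambda t: (t[1], t[0]))

def should_quarantine(name, popular=POPULAR) -> bool:
    """Gate for a new upload or an install: true if it looks like a typosquat."""
    return bool(typosquat_candidates(name, popular))

if __name__ == "__main__":
    for candidate in ["requsts", "Requests", "colorma", "flask", "nunpy"]:
        print(f"{candidate:10} -> {typosquat_candidates(candidate)}")
```

Edit distance alone produces false positives on very short names and misses homoglyph and word-order tricks, so in practice it is one signal among several (account age, upload burst, install-time code in setup.py), which is the kind of clustering Checkmarx used to tie the uploads to a single campaign.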

The US charges seven hackers linked to Chinese APT31 cyberespionage group

US authorities have charged seven alleged members of a China-linked state-sponsored group tracked as APT31 (also known as Zirconium and Judgment Panda) for their involvement in a long-running cyber espionage campaign targeting individuals and entities both inside and outside the United States.

Since at least 2010, the defendants and their associates have targeted a wide range of individuals and organizations, including political dissidents, government officials, political candidates, campaign personnel, and American companies. Their tactics involved sophisticated hacking techniques, including zero-day exploits, which allowed them to gain and maintain access to victim computer networks.

Separately, the Police of Finland (Poliisi) have formally accused APT31 of orchestrating the 2020 cyber attack on the country's Parliament.

Chinese APT groups target Southeast Asian nations in cyberespionage campaigns

Two Chinese advanced persistent threat (APT) groups have been observed targeting entities and member countries associated with the Association of Southeast Asian Nations (ASEAN). The first group, Stately Taurus, has launched cyberattacks on organizations in Myanmar, the Philippines, Japan, and Singapore, primarily utilizing phishing emails to infiltrate systems and delivering two distinct malware packages. The second APT group, also of Chinese origin, has similarly targeted government entities in Southeast Asian countries such as Cambodia, Laos, and Singapore.

Russian hackers target German politicians with new Wineloader backdoor

German political parties have been targeted in a recent campaign by the threat actor tracked as APT29, Cozy Bear or Midnight Blizzard, which is associated with Russia's Foreign Intelligence Service (SVR). This is the first time the group has been observed targeting political parties. The phishing campaign, observed in late February, used German-language lure content (also new for APT29) and the group's well-known first-stage payload Rootsaw (aka EnvyScout) to deliver a new backdoor variant called 'Wineloader.'

A sophisticated malware campaign is targeting end-of-life routers and IoT devices

The Black Lotus Labs team at Lumen Technologies has uncovered a widespread, multi-year campaign targeting end-of-life (EoL) small office/home office (SOHO) routers and Internet of Things (IoT) devices. The campaign is associated with an updated version of the malware known as "TheMoon," previously thought to have been neutralized. One wave detected in early March 2024 compromised over 6,000 ASUS routers in less than 72 hours, the researchers said. The malware primarily targets EoL devices, exploiting known firmware vulnerabilities or brute-forcing credentials.

'Darcula' iMessage and RCS smishing attacks target USPS and global postal services

Security researchers have discovered a Chinese-language Phishing-as-a-Service platform called 'Darcula' used on more than 20,000 phishing domains that provide cyber criminals with easy access to branded phishing campaigns.

What sets Darcula apart is its use of a modern stack (JavaScript, React, Docker and Harbor, more typical of a technology startup) instead of the conventional PHP. Delivering messages over iMessage and RCS rather than SMS also lets the platform bypass SMS firewalls. Darcula has been used in numerous high-profile phishing campaigns over the last year, including messages received on both Apple and Android devices in the UK, and package-delivery scams impersonating the United States Postal Service (USPS).

Cyber spies strike Indian government and energy sectors

A sophisticated threat actor has been targeting Indian government entities and the energy sector as part of a recent cyber espionage campaign. Dubbed “Operation FlightNight,” the campaign was first observed on March 7, 2024. The operation employed a modified version of the open-source information stealer, HackBrowserData. According to the researchers, the framework has been updated with new functionalities, such as communication via Slack channels and document exfiltration.

Major software supply chain attack affecting Top.gg and GitHub accounts

The Checkmarx Research team has uncovered a sophisticated attack campaign that affected several individual developers as well as the GitHub account associated with Top.gg, a Discord bot discovery site. The campaign combined multiple Tactics, Techniques, and Procedures (TTPs): account takeovers using stolen browser cookies, injection of malicious code via verified commits, the establishment of a custom Python package mirror, and the distribution of tainted packages through the PyPI registry.

A large-scale StrelaStealer campaign impacts over 100 orgs across Europe and the US

A new wave of phishing attacks delivering the StrelaStealer information-stealing malware has impacted more than 100 organizations across the EU and US. The attacks use spam emails with attachments that ultimately load StrelaStealer's DLL payload. StrelaStealer steals email login credentials from well-known email clients and sends them to the attacker's command-and-control (C2) server. With those credentials, the threat actors could access victims' email accounts and mount further attacks.

Suspicious NuGet package steals data from industrial systems

Cybersecurity firm ReversingLabs has flagged a suspicious package on the open-source package manager NuGet. The package, named SqzrFramework480, appears to target developers working with technology associated with BOZHON Precision Industry Technology Co., Ltd., a China-based manufacturer of industrial and digital equipment. The SqzrFramework480.dll combines several capabilities: taking screenshots, sending ping packets, opening sockets, and transmitting data over them.

While each functionality individually might not raise immediate suspicion, the combination of these functions may point to malicious actions. The theory is that the grabbed screenshots may be sent to a remote server via the open socket, with ping packets serving as a heartbeat check for the exfiltration server.

New ZenHammer attack targets AMD Zen CPUs

Researchers at ETH Zurich have unveiled a new variant of the Rowhammer DRAM attack called ZenHammer. Unlike earlier Rowhammer techniques, ZenHammer works against AMD Zen 2 and Zen 3 systems, including those with the Target Row Refresh (TRR) mitigation in place. The work also marks the first demonstration of Rowhammer bit flips on DDR5 devices.

ShadowRay campaign exploits a Ray vulnerability for cryptomining

A vulnerability (CVE-2023-48022) in Anyscale Ray, an open-source AI platform, is being exploited by threat actors for unauthorized cryptocurrency mining. Dubbed “ShadowRay,” the campaign has been active since September 2023, affecting sectors like education, cryptocurrency, biopharma and more.

US offers $10 million bounty for info on Alphv/Blackcat hackers

The US Department of State has announced a reward of up to $10 million for information leading to the identification or location of individuals involved in the Alphv/Blackcat ransomware operation.

KuCoin and its founders charged with violation of AML rules

KuCoin, a major cryptocurrency exchange, along with its founders Chun Gan and Ke Tang, has been indicted for operating an unlicensed money transmitting business and violating the Bank Secrecy Act. KuCoin is accused of failing to maintain adequate anti-money laundering programs, procedures for verifying customer identities, and filing suspicious activity reports. KuCoin's lax measures allegedly allowed the exchange to be used for laundering criminal proceeds, including from darknet markets, ransomware and other illicit schemes. Since its establishment in 2017, KuCoin has reportedly processed over $5 billion in suspicious funds, attracting customers seeking anonymity.

Romanian and Spanish police bust an international scam ring

The Romanian Police (Politia Romana) and the Spanish National Police (Policía Nacional) in coordination with Europol took down an international scam syndicate involved in Business Email Compromise (BEC) fraud and orchestrating fake advertisements for inexpensive holiday rentals. Authorities estimate that the number of victims affected by these schemes could surpass one thousand. The profits accrued by the organization are believed to total millions of euros.

US sanctions 3 crypto exchanges for helping Russian firms evade restrictions

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has imposed sanctions on thirteen entities and two individuals that helped Russian companies to circumvent international restrictions imposed on Russia for its ongoing aggression against Ukraine. The sanctions primarily target entities operating within the financial services and technology domains, with a focus on those involved in virtual assets that facilitate evasion of US sanctions.

New GoFetch CPU attack leaks secret encryption keys

A security weakness has been discovered in Apple's M-series chips that could put sensitive data at risk. The vulnerability lets attackers extract secret keys used in cryptographic operations, posing a significant threat to user privacy and security.

Dubbed "GoFetch," the attack is a microarchitectural side channel that abuses the data memory-dependent prefetcher (DMP) in recent Apple processors. Because the DMP reacts to key-dependent data as if it were pointers, its cache side effects can be observed through timing, which undermines constant-time cryptographic implementations that were written specifically to avoid such leaks.

Free VPN apps on Google Play turned Android devices into residential proxies

Over two dozen apps available on Google Play have been found to contain a malicious software development kit (SDK) that converts Android devices into unwitting residential proxies. HUMAN's Satori threat intelligence team said it has spotted 28 applications on Google Play that turned Android devices into proxy servers, with 17 of them masquerading as free VPN software.

The threat actor behind the scheme, tracked as PROXYLIB, profits by selling access to the residential proxy network to third parties. Satori analysts found that the offending apps used an SDK provided by LumiApps that bundles "Proxylib," a Go library that performs the proxying.
