28 June 2024

Cyber Security Week in Review: June 28, 2024


TeamViewer discloses a security breach

Remote access software company TeamViewer said it suffered a security breach on 26 June 2024 that affected its corporate IT environment. In a short blog post on its website, the firm said it immediately took response measures and that “there is no evidence to suggest that the product environment or customer data is affected.” While the company didn’t provide any details regarding the hack, a post from a cybersecurity researcher on Mastodon claims that the TeamViewer remote access and support platform was compromised by an APT group.

Russian hackers behind Microsoft breach accessed more customer emails than originally revealed

Microsoft said that a Russian state-backed hacker group, tracked as Midnight Blizzard, which breached its internal systems in January, accessed more customer emails than previously disclosed. The company is now informing additional customers affected by the threat actor and providing detailed information to those already notified about the types of information accessed.

Recently patched MOVEit Transfer bug exploited within hours after public disclosure

Threat actors are attempting to exploit a recently patched vulnerability in Progress Software’s MOVEit Transfer and MOVEit Cloud managed file transfer solutions. Tracked as CVE-2024-5806, the flaw is an improper authentication issue in the SFTP module in guestaccess.aspx. A remote, unauthenticated attacker can send a specially crafted HTTP POST request to bypass the authentication process and gain unauthorized access to the system. The vulnerability impacts MOVEit Transfer versions from 2023.0.0 before 2023.0.11, from 2023.1.0 before 2023.1.6, and from 2024.0.0 before 2024.0.2.
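A quick inventory triage for the affected ranges listed above, as an added example that is not part of the article or Progress Software's tooling; the host names are constructed, and versions outside the three listed branches are simply reported as not in an affected range by this check.

```python
# Added example, not from the article: check whether a MOVEit Transfer
# version string falls inside one of the ranges the advisory lists as
# affected by CVE-2024-5806. Only the listed branches are checked.
from typing import List, Tuple

# Affected ranges as stated in the article: each branch is [start, fixed).
AFFECTED_RANGES = [
    ("2023.0.0", "2023.0.11"),
    ("2023.1.0", "2023.1.6"),
    ("2024.0.0", "2024.0.2"),
]


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn '2023.0.11' into (2023, 0, 11); short strings are zero-padded,
    components beyond the third are ignored."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    nums = ([int(p) for p in parts] + [0, 0, 0])[:3]
    return nums[0], nums[1], nums[2]


def is_affected(version: str) -> bool:
    """True when version lies in [start, fixed) of any listed branch."""
    ver = parse_version(version)
    return any(parse_version(lo) <= ver < parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) pairs that still need the patch."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


if __name__ == "__main__":
    # Constructed inventory for illustration; these are not real hosts.
    inventory = [
        ("mft-01", "2023.0.10"),  # affected
        ("mft-02", "2023.1.6"),   # fixed build
        ("mft-03", "2024.0.1"),   # affected
        ("mft-04", "2023.1"),     # padded to 2023.1.0, affected
    ]
    for host, ver in triage(inventory):
        print(f"{host}: MOVEit Transfer {ver} is in an affected range for CVE-2024-5806")
```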

Chinese hackers target critical infrastructure with ransomware

Chinese cyberespionage groups, particularly ChamelGang (aka CamoFei), have been using ransomware to complicate attack attribution, divert defenders, or gain financial profit alongside data theft. According to a report by SentinelLabs and Recorded Future, ChamelGang has employed the CatB ransomware strain in high-profile attacks worldwide, targeting government organizations and critical infrastructure between 2021 and 2023.

The group uses advanced techniques for initial access, reconnaissance, lateral movement, and data exfiltration. Notable attacks include a November 2022 breach of the Brazilian Presidency, compromising 192 computers, and a late 2022 attack on India's AIIMS, severely disrupting healthcare services.

Android devices targeted with Rafel RAT disguised as popular apps

Multiple threat actors, including cyber espionage groups, are using an open-source Android remote administration tool (RAT) called Rafel RAT in malicious campaigns targeting Android devices. The RAT is being spread under the guise of popular apps like Instagram, WhatsApp, various e-commerce platforms, and antivirus software.

China-linked RedJuliett caught spying on multiple Taiwanese orgs

A suspected Chinese state-sponsored cyber-espionage group, tracked as ‘RedJuliett,’ has been targeting government, academic, technology, and diplomatic entities in Taiwan since at least November 2023. RedJuliett has exploited known vulnerabilities in network edge devices, such as firewalls, virtual private networks (VPNs), and load balancers, to gain initial access to their targets. RedJuliett is believed to operate from Fuzhou, China.

China-linked SneakyChef espionage group targets government agencies with SugarGh0st malware

Cisco’s Talos threat intelligence team has highlighted an ongoing cyber espionage campaign orchestrated by a newly discovered threat actor, dubbed “SneakyChef,” utilizing the SugarGh0st malware. The campaign, first detected as early as August 2023, has expanded its reach beyond its initial targets of South Korea and Uzbekistan to now include a broader array of countries across Europe, the Middle East, Africa (EMEA), and Asia.

As the initial vector for the malware's infection chains, the SneakyChef group employs sophisticated lures in the form of scanned documents purportedly from government agencies, predominantly from ministries of foreign affairs or embassies.

Russia-linked UAC-0184 targeting Ukraine with XWorm RAT

Researchers have detailed a recent campaign by the Russia-linked threat actor group UAC-0184 targeting Ukraine with the XWorm remote access trojan (RAT). The infection process involves DLL sideloading and the use of the Shadowloader tool to execute the XWorm RAT as the final payload.

EU sanctions Russian hackers for cyberattacks against Ukraine

The European Council has approved additional restrictive measures against six individuals involved in cyberattacks affecting critical infrastructure, state functions, and the storage or processing of classified information in EU member states.

The new listings include two members of the ‘Callisto’ (aka Seaborgium, Coldriver, Star Blizzard, Gossamer Bear, ReUse Team, Dancing Salome, and BlueCharlie) cyberespionage group, as well as two people linked to the ‘Armageddon’ (aka Gamaredon and UAC-0010) hacker group. In addition, two developers behind the malware strains ‘Conti’ and ‘Trickbot’ have been sanctioned. Both are involved in the ‘Wizard Spider’ group, known for conducting ransomware campaigns across various sectors, including essential services like health and banking.

Separately, the US authorities have charged Amin Timovich Stigal, a 22-year-old Russian citizen, with orchestrating a sophisticated destructive cyber campaign targeting Ukrainian government systems ahead of Russia’s invasion of Ukraine in 2022.

According to court documents, Stigal and his co-conspirators from the Main Intelligence Directorate of the General Staff (GRU) of the Russian Federation used the services of a US-based company to distribute the WhisperGate data-wiping malware to dozens of Ukrainian government entities' computer systems.

Four members of FIN9 cybercrime group charged for hacking American companies

The US authorities have charged four Vietnamese nationals for their involvement in a series of computer intrusions that collectively caused over $71 million in losses to US companies. From at least May 2018 through October 2021, the defendants allegedly hacked into the computer networks of several companies across the United States, stealing or attempting to steal non-public information, employee benefits, and funds.

South Korean telco reportedly infected 600k users with malware

A major South Korean telecom provider, KT Corporation, has reportedly infected over 600,000 users with malware due to their use of torrent services. The issue began in May 2020 when users of Webhard, a Korean cloud service provider, reported unexplained errors linked to its Grid Program, which relies on BitTorrent peer-to-peer file sharing. The company discovered that its Grid Program was compromised and that the malware originated from KT's data center.

Following the investigation, the authorities charged 13 individuals, including KT employees and subcontractors. KT admitted to planting the malware, claiming it was necessary to control Webhard's allegedly malicious program. The dispute between Webhard and KT centered around network usage fees and strain on KT's network, with a court ruling in favor of KT. However, instead of blocking IP addresses, KT infected individual users with malware.

Phantom secrets expose major corporations

New research by cybersecurity firm Aqua Security revealed that secrets (credentials, API tokens, and passkeys) committed to repositories remain accessible even after being deleted or overwritten.

The Aqua Nautilus research team scanned over 50,000 repositories from the top 100 organizations on GitHub, finding active secrets from both open-source and enterprise entities, including Cisco and Mozilla. The exposed secrets included API tokens for Cisco Meraki and Mozilla.
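The defender-side check that follows from this finding is to scan every object in the repository's store, not just the history the current branches reach. The script below is an added example and not Aqua's tooling; the token patterns are illustrative, and `git` must be on the path for the repository-walking functions.

```python
# Added example, not Aqua's tooling: scan every blob object in a local
# git repository, including blobs that no branch or tag reaches any more,
# for credential-looking strings. Deleting a file or rewriting history
# removes the reference, not the object, so the scan must cover all objects.
import re
import subprocess
from typing import Dict, List

# Illustrative patterns only; extend with your own token formats.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(rb"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


def find_secrets(blob: bytes) -> List[str]:
    """Return the names of the patterns that match inside one blob."""
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(blob)]


def all_blob_ids(repo: str) -> List[str]:
    """List every blob id in the object store, reachable or not."""
    out = subprocess.run(
        ["git", "-C", repo, "cat-file", "--batch-all-objects", "--batch-check"],
        check=True, capture_output=True, text=True,
    ).stdout
    ids = []
    for line in out.splitlines():
        parts = line.split()  # "<oid> <type> <size>" per object
        if len(parts) >= 2 and parts[1] == "blob":
            ids.append(parts[0])
    return ids


def scan_repo(repo: str) -> Dict[str, List[str]]:
    """Map blob id -> matched pattern names, for blobs that contain a secret."""
    hits: Dict[str, List[str]] = {}
    for oid in all_blob_ids(repo):
        data = subprocess.run(
            ["git", "-C", repo, "cat-file", "-p", oid],
            check=True, capture_output=True,
        ).stdout
        found = find_secrets(data)
        if found:
            hits[oid] = found
    return hits


if __name__ == "__main__":
    import sys
    for oid, names in scan_repo(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{oid}: {', '.join(names)}")
```

A fresh clone only receives reachable objects, so run this in the repository where the history was rewritten, before pushing. A local `git gc` may already have pruned unreachable blobs that the hosting platform still retains, which is the gap the research describes.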

Skeleton Key technique bypasses safety measures in AI models

Microsoft has detailed Skeleton Key, a technique that bypasses the safety measures in AI models designed to prevent generative chatbots from producing harmful content. This method employs a multi-turn strategy, causing the model to disregard its guardrails. Once bypassed, the model can’t differentiate between malicious or unauthorized requests and legitimate ones. However, this attack only affects the model's response generation and does not compromise the AI system's broader security, such as user data access, system control, or data exfiltration, Microsoft explained.

Reportedly first recorded instance of GPS jamming disrupts transatlantic flight

A commercial transatlantic flight experienced significant disruptions due to GPS jamming, marking the first known instance of such an incident on this route. A flight from Madrid to Toronto was forced to operate in a “degraded mode” because a higher-altitude flight had been affected by GPS interference.

At present, the cause of the GPS disturbances has not yet been identified. The Institute for the Study of War, a think tank that monitors global conflicts, previously reported that it observed high levels of GPS jamming over Poland and the Baltic region since late 2023. Some analysts and experts have attributed these incidents to Russian electronic warfare (EW) activity from the Kaliningrad area and near St. Petersburg, Russia.

'Mirai-like' botnet targets end-of-life Zyxel NAS devices

The Shadowserver Foundation has warned of a surge in cyberattacks targeting end-of-life Zyxel NAS devices, exploiting recently disclosed vulnerabilities. The organization said that its monitoring systems identified multiple remote command execution attempts orchestrated by a “Mirai-like botnet.”

These attacks come just weeks after three high-severity Zyxel NAS vulnerabilities were publicly disclosed. Shadowserver said that the flaw under attack is CVE-2024-29973, an OS command injection flaw that allows remote command execution. The vulnerability affects Zyxel NAS326 and NAS542 devices.

UNSTABLE and Condi botnets abusing cloud services to distribute malware

Fortinet’s FortiGuard Labs has detected an increase in botnet activities leveraging cloud services to enhance their malicious capabilities. Botnets like UNSTABLE and Condi are utilizing cloud storage and computing services to distribute malware payloads and updates across a wide range of devices.

The researchers have observed botnet operators exploiting multiple vulnerabilities to target various devices, including JAWS webservers, Dasan GPON home routers, Huawei HG532 routers, TP-Link Archer AX21 routers, and Ivanti Connect Secure. These exploits are being used to amplify attacks and expand the botnet's reach.

P2PInfect botnet targets misconfigured Redis servers with ransomware and crypto miners

The peer-to-peer malware botnet P2PInfect has been targeting misconfigured Redis servers with ransomware and cryptocurrency miners. P2PInfect spreads by exploiting Redis servers and their replication feature, turning victim systems into follower nodes of an attacker-controlled server. This allows the threat actor to execute arbitrary commands on the compromised systems.

Malware analysis platform Any.Run suffers a phishing attack

The company behind the online malware analysis service Any.Run has disclosed that it recently faced a phishing attack that was part of a business email compromise (BEC) campaign. The incident took place on June 18, 2024, when all staff members received a phishing email from an internal employee's account. The email, sent to the employee's entire contact list, led to a malicious page featuring a JavaScript script disguised as a Microsoft sign-in form.

As it turned out, an employee’s account had been compromised and was being used by an unauthorized entity to execute a post-breach BEC campaign.

Novel GrimResource attack exploits MSC files and Windows XSS flaw

A new command execution method has been discovered that leverages specially crafted MSC (Microsoft Saved Console) files and an unpatched Windows XSS vulnerability to breach networks via the Microsoft Management Console (MMC). Named 'GrimResource' by researchers at Elastic Security Labs, the new technique involves the exploitation of an old cross-site scripting (XSS) flaw in the apds.dll library. GrimResource allows attackers to execute arbitrary code in Microsoft Management Console (mmc.exe) with minimal security warnings.
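A first-pass triage check for saved-console files, as an added example that is neither from the article nor from Elastic's detection content: it flags .msc documents whose text or attribute values reference apds.dll or carry embedded script. It assumes the MSC format is XML with an MMC_ConsoleFile root; the sample documents are constructed and contain no working payload.

```python
# Added example, not from the article or Elastic's research: a triage
# check for .msc files that flags consoles whose XML text or attribute
# values reference apds.dll (the library with the XSS flaw GrimResource
# abuses) or embed script, so a responder can quarantine them for review.
# Assumes the MSC layout is XML with an MMC_ConsoleFile root element.
import xml.etree.ElementTree as ET
from typing import List

# Markers a legitimately authored console should not need.
SUSPICIOUS_MARKERS = ("apds.dll", "<script", "javascript:")


def scan_msc(xml_text: str) -> List[str]:
    """Return findings for one MSC document; an empty list means nothing flagged."""
    findings: List[str] = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    if root.tag != "MMC_ConsoleFile":
        findings.append(f"unexpected root element {root.tag!r}")
    for el in root.iter():
        # Check element text and every attribute value, case-insensitively.
        for value in [el.text or ""] + list(el.attrib.values()):
            lowered = value.lower()
            for marker in SUSPICIOUS_MARKERS:
                if marker in lowered:
                    findings.append(f"<{el.tag}> contains {marker!r}")
    return findings


# Constructed samples, not real console files and not a real payload.
BENIGN_MSC = """<?xml version="1.0"?>
<MMC_ConsoleFile ConsoleVersion="3.0">
  <StringTables><StringTable><Strings>
    <String ID="1" Refs="1">Computer Management (Local)</String>
  </Strings></StringTable></StringTables>
</MMC_ConsoleFile>"""

FLAGGED_MSC = BENIGN_MSC.replace(
    "</Strings>",
    '<String ID="2" Refs="1">res://apds.dll/placeholder.html</String></Strings>',
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_MSC), ("flagged", FLAGGED_MSC)):
        print(name, scan_msc(doc) or "clean")
```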

$257M seized in global police crackdown against online scams

A global police operation across 61 countries has resulted in the seizure of 6,745 bank accounts and assets worth $257 million linked to online scam networks. The Interpol-coordinated ‘Operation First Light 2024’ targeted various scams, including phishing, investment fraud, fake online shopping sites, and romance scams, leading to the arrest of 3,950 suspects and the identification of 14,643 other potential suspects worldwide.

Authorities intercepted approximately $135 million in fiat currency and $2 million in cryptocurrency. Additionally, over $120 million worth of assets such as real estate, high-end vehicles, expensive jewelry, and other valuable items were confiscated.
