19 July 2024

Cyber Security Week in Review: July 19, 2024

A global IT system outage disrupts operations of banks, media outlets, and airlines worldwide

A global IT outage caused by the interaction between the CrowdStrike antivirus agent and Windows led to widespread disruptions at airports, banks, media outlets, and telecommunications operators around the world. Reports indicate problems in the US, Australia, New Zealand, the UK, Turkey, India, Germany, Ukraine, and other countries.

Airports in Sydney, Scotland, and Berlin temporarily halted operations, flights of SpiceJet and Ryanair were canceled, the London Stock Exchange suspended its activities, and the British channel Sky News and the Australian Broadcasting Corporation were unable to broadcast. McDonald's Japan closed its stores nationwide.

Companies such as Amazon, Visa, Xbox, and Delta were also affected. Many Microsoft users encountered the “blue screen of death.” The failure was reportedly caused by an update from cybersecurity company CrowdStrike that broke its Falcon Sensor product on Windows. CrowdStrike said that the issue was a content deployment problem, that it has rolled back the changes, and that it has provided recommendations for affected users.

Workaround:

  • Boot Windows in Safe Mode or Windows Recovery Environment.

  • Navigate to the directory C:\Windows\System32\drivers\CrowdStrike

  • Find the file named "C-00000291*.sys" and delete it.

  • Restart the computer or server.
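As an added example, not part of the original advisory or CrowdStrike's own guidance, the following PowerShell script performs the file-removal steps of the workaround above with an existence check and a log line per deleted file. It assumes an elevated PowerShell session inside Safe Mode or WinRE where the affected Windows installation is on C: (in WinRE the system drive can be mapped to a different letter, so adjust $driverDir if needed).

```powershell
# Added example: remove the faulty CrowdStrike channel file named in the workaround.
# Assumes an elevated session in Safe Mode or WinRE and that C: is the affected system drive.
$driverDir = 'C:\Windows\System32\drivers\CrowdStrike'
$pattern   = 'C-00000291*.sys'

if (-not (Test-Path -LiteralPath $driverDir)) {
    Write-Warning "CrowdStrike driver directory not found: $driverDir"
    return
}

# Only files matching the pattern from the advisory are considered; nothing else is touched.
$files = Get-ChildItem -Path $driverDir -Filter $pattern -File
if (-not $files) {
    Write-Host "No file matching $pattern found in $driverDir; nothing to do."
    return
}

foreach ($f in $files) {
    # Record name, size and timestamp before deletion so the change is traceable in the incident log.
    Write-Host ("Removing {0} ({1} bytes, modified {2})" -f $f.FullName, $f.Length, $f.LastWriteTime)
    Remove-Item -LiteralPath $f.FullName -Force
}

Write-Host 'Done. Restart the computer normally.'
```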

WazirX crypto exchange confirms security breach following $230M theft

One of India’s largest cryptocurrency exchanges, WazirX, has confirmed that it experienced a significant security breach resulting in the suspicious transfer of approximately $230 million in digital assets from its platform. Blockchain explorer Lookchain reported that the stolen assets included 5.43 billion SHIB tokens, over 15,200 Ethereum tokens, 20.5 million Matic tokens, 640 billion Pepe tokens, 5.79 million USDT, and 135 million Gala tokens. The assets were reportedly transferred out of WazirX's platform earlier in the day.

Critical Apache HugeGraph vulnerability exploited in the wild

Threat actors are actively exploiting a recently disclosed critical security flaw in Apache HugeGraph-Server that can lead to remote code execution. The vulnerability, tracked as CVE-2024-27348, is an OS command injection issue in the Gremlin graph traversal language API that can be triggered with a malicious request. The flaw affects all versions of Apache HugeGraph-Server prior to 1.3.0.

Additionally, cybersecurity experts report in-the-wild exploitation of a critical vulnerability in GeoServer, an open-source server for sharing geospatial data (CVE-2024-36401). The flaw is a code injection vulnerability that allows a remote attacker to execute arbitrary code on the target system.

Also, Adobe has warned that a recent Adobe Commerce vulnerability (CVE-2024-34102) is being exploited “in very limited attacks targeting Adobe Commerce merchants.” The flaw is an XML External Entity (XXE) injection issue that allows a remote attacker to compromise the affected application. On July 17, 2024, the company released a hotfix to be applied on top of the security update of June 11, 2024, and/or the isolated patch of June 28, 2024.

Threat actors weaponize PoCs 22 minutes after public release

Proof of concept (PoC) exploits are being weaponized by threat actors rapidly, sometimes within just 22 minutes of their public release, according to recent research from Cloudflare. Researchers primarily observed scanning activity, followed by command injection and exploitation attempts against vulnerabilities with publicly available PoCs. Notable CVEs under active exploitation include CVE-2023-50164 and CVE-2022-33891 (Apache), CVE-2023-29298, CVE-2023-38203 and CVE-2023-26360 (Adobe ColdFusion), and CVE-2023-35082 (Ivanti MobileIron).

Ukrainian defense companies targeted in a new wave of attacks

CERT-UA has warned of a new series of cyberattacks targeting Ukrainian defense enterprises. The attackers use the theme of Unmanned Aerial Vehicle (UAV) procurement to lure their victims. The campaign has been attributed to a threat actor CERT-UA tracks as UAC-0180. It involves the GLUEEGG and DROPCLUE malware as well as the legitimate remote-management tool ATERA to gain access to victim machines.

Void Banshee targets Windows users via recently patched MHTML bug

An advanced persistent threat (APT) group known as Void Banshee has been observed exploiting a recently patched security vulnerability in the Microsoft MHTML browser engine to deliver the Atlantida info-stealer. Cybersecurity firm Trend Micro first observed the activity in mid-May 2024, involving the exploitation of CVE-2024-38112 as part of a multi-stage attack chain utilizing specially crafted internet shortcut (URL) files.

TAG-100 cyberspies target Citrix, F5, Cisco appliances in at least 10 countries

Recorded Future has uncovered a new Advanced Persistent Threat (APT) group, tracked as TAG-100, which has been targeting internet-facing appliances for cyberespionage operations. TAG-100 has compromised a wide array of networking equipment, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange, SonicWall, Cisco ASA, Palo Alto Networks GlobalProtect, and Fortinet FortiGate. This campaign has affected organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania. The group's victims include diplomatic, trade, and private sector entities.

Iran-linked MuddyWater APT deployed new BugSleep backdoor in recent campaigns

The Iranian-backed hacking group MuddyWater has begun utilizing a new custom malware implant named BugSleep to execute commands and steal files from compromised systems.

The latest campaign, active since February 2024, involves sending large volumes of phishing emails from compromised accounts to a wide range of targets. The emails, often disguised as invitations to webinars or online courses, direct recipients to archives containing malicious payloads hosted on the Egnyte secure file-sharing platform. Some variants also include a custom malware loader designed to inject BugSleep into active processes of applications such as Microsoft Edge, Google Chrome, AnyDesk, Microsoft OneDrive, PowerShell, and Opera.

China-linked APT41 continues its hacking spree

Mandiant has observed a campaign by the China-linked state-sponsored group APT41, which has targeted and successfully compromised multiple organizations in the global shipping and logistics, media and entertainment, technology, and automotive sectors. The majority of these organizations operate in Italy, Spain, Taiwan, Thailand, Turkey, and the United Kingdom.

Since 2023, APT41 has infiltrated and maintained prolonged, unauthorized access to numerous networks, extracting sensitive data over an extended period. They utilized a combination of ANTSWORD and BLUEBEAM web shells to execute the DUSTPAN tool, which deployed the BEACON backdoor for command-and-control communication. APT41 then leveraged the DUSTTRAP malware for hands-on keyboard activity. The threat actor has also used publicly available tools, such as SQLULDR2 for copying data from databases and PINEGROVE to exfiltrate data to Microsoft OneDrive.

FIN7 cybercrime gang offers new EDR bypass tool on dark web

The Russia-linked FIN7 cybercrime group has been enhancing its operations with new tactics, techniques, and procedures (TTPs), including advanced Endpoint Detection and Response (EDR) bypasses and automated attacks. One of the most notable tools associated with these operations is AvNeutralizer (also known as AuKill), which is designed to tamper with security solutions. It has been marketed in the criminal underground, where it has been adopted by multiple ransomware groups, and is now being advertised for prices ranging between $4,000 and $15,000 on various cybercrime forums.

Multiple crypto platforms hit by DNS hijacks after Squarespace migration

Multiple cryptocurrency platforms that host their domains on Squarespace have fallen victim to DNS hijacks, including The Celer Network, Compound Finance, Pendle Finance, and Unstoppable Domains, which reported losing control of their official websites. The hijackers redirected the domains to malicious servers equipped with wallet-draining phishing kits. It is believed that the attackers used leaked or stolen credentials to access admin accounts and alter DNS records, effectively hijacking public websites and private email servers.

Revolver Rabbit threat actor registers over 500K domains using RDGAs

The Revolver Rabbit cybercriminal gang has registered over 500,000 domain names for info-stealer campaigns targeting both Windows and macOS systems. Discovered by researchers at Infoblox, the activity involves the use of Registered Domain Generation Algorithms (RDGAs) to acquire the domains, costing the gang over $1 million in registration fees. It is distributing the XLoader malware, a successor to Formbook, to steal sensitive information and execute malicious files.

Port Shadow technique can help attackers intercept and redirect VPN traffic

A new attack method, dubbed Port Shadow, has been discovered that enables attackers to perform man-in-the-middle (MitM) attacks. This security issue allows attackers to intercept and redirect the traffic of other users connected to the same VPN server. The attack abuses the fact that a VPN server's port space is shared among its clients, with each connection assigned a specific port. By sending crafted packets both from the attacker's own VPN connection and from a remote host they control, the attacker can manipulate the traffic of other users on the same server. Essentially, attackers can “shadow” their data onto a victim’s port, similar to attacks seen on shared WiFi networks.

Mobile ad fraud campaign using novel “evil twin” method to conceal activities

A sophisticated mobile advertising fraud campaign has been discovered that peaked at 10 billion bid requests per day. Dubbed “Konfety” (the Russian word for candy), the operation exploited a mobile advertising SDK called CaramelAds using a novel “evil twin” evasion method to conceal its activities. The threat actors created a stripped-down version of the CaramelAds SDK, devoid of GDPR consent requirements, to generate fraudulent ads through “evil twins.” These evil twins mimicked legitimate publisher accounts and were distributed through malvertising, click-baiting, and drive-by attacks.

US telecom giant AT&T confirms major data breach affecting 110M customers

The US telecommunications giant AT&T revealed a major data breach affecting almost all of its customers. Hackers accessed and copied the data from AT&T's workspace on a third-party cloud platform. The stolen data includes records of calls and texts of nearly all of AT&T's cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network, and AT&T’s landline customers who interacted with those cellular numbers between May 1, 2022, and October 31, 2022. Additionally, some of the stolen data includes more recent records from January 2, 2023, for a smaller number of customers.

Russian cyber giant Kaspersky closes US operations following government ban

Russian cybersecurity giant Kaspersky Lab will “gradually wind down” its US operations and lay off its US-based employees. This decision follows the Department of Commerce's recent ban on the firm selling its products in the United States, which Kaspersky cited as the primary reason for its withdrawal. Kaspersky's US operations will begin to wind down on July 20. Also, the company will be barred from rolling out new security updates to existing customers starting September 29.

Global crackdown on West African cybercrime leads to hundreds of arrests

Law enforcement agencies have dismantled multiple West African criminal networks, including the notorious Black Axe syndicate. Operation Jackal III, spanning from April 10 to July 3, has resulted in the arrest of approximately 300 individuals, the identification of over 400 additional suspects, and the blocking of more than 720 bank accounts. Assets worth $3 million have been seized as part of this extensive crackdown on online financial fraud and other illicit activities.

Two LockBit affiliates plead guilty

Ruslan Magomedovich Astamirov and Mikhail Vasiliev have pleaded guilty to participating in the LockBit ransomware group. Astamirov, a 21-year-old Russian national from the Chechen Republic, and Vasiliev, a 34-year-old dual Canadian and Russian national from Bradford, Ontario, were involved in deploying LockBit attacks against numerous victims in the United States and worldwide.

Astamirov faces up to 25 years in prison for conspiracy charges related to computer fraud, abuse, and wire fraud. Vasiliev faces up to 45 years for multiple charges, including intentional damage to a protected computer and conspiracy to commit wire fraud. Sentencing dates have not been set yet.

In other news, Russian authorities have allegedly arrested a Trickbot cybercrime member in Moscow identified as Fedor Andreev (aka Azot and Angelo). According to Russian media, he was arrested at the request of Interpol.

Criminal gang that targeted major Ukrainian industrial firms dismantled

Ukrainian cyber police have dismantled a criminal group responsible for stealing over 6 million UAH (~$150,000) from major industrial enterprises by infecting corporate networks with malware. This allowed them remote access to financial operations, enabling the diversion of funds to their own accounts. One member of the gang was kidnapped by his accomplices for refusing to transfer his share. Two key suspects have been arrested and charged with illegal imprisonment, kidnapping, and extortion, facing up to 12 years in prison and property confiscation if convicted.
