6 September 2024

Cyber Security Week in Review: September 6, 2024


Five Russian GRU hackers and one civilian charged for attacks against Ukraine and NATO countries

The US authorities have charged six Russian individuals, including five GRU officers and one civilian, for cyberattacks targeting Ukraine before Russia's invasion. The defendants, linked to Unit 29155 of the GRU, conspired to hack, exfiltrate, and destroy data from Ukrainian government systems, using the WhisperGate malware disguised as ransomware. WhisperGate was actually a cyberweapon designed to completely destroy the target computer and related data in advance of the Russian invasion of Ukraine. The attacks aimed to undermine public confidence in Ukraine’s digital infrastructure. The indictment also revealed attacks on 26 NATO countries supporting Ukraine, with key targets including Ukraine's Ministry of Internal Affairs, Ministry of Energy, and other government entities.

Additionally, the US State Department is offering a reward of up to $10 million for tips on any of the hackers’ locations or their malicious cyberactivity.

Separately, CISA, FBI and NSA have released a security advisory detailing malicious cyber campaigns by the GRU Unit 29155 threat actors.

Also, the US authorities seized 32 domains linked to a Russian government-directed foreign influence campaign known as “Doppelganger,” and designated 10 individuals involved in the campaign. Additionally, two Russian nationals, 31-year-old Kostiantyn Kalashnikov and 27-year-old Elena Afanasyeva, allegedly employed by the Russian state media outlet RT (formerly Russia Today), were charged with conspiracy to violate the Foreign Agents Registration Act and conspiracy to commit money laundering. The pair allegedly covertly funded a Tennessee-based content creation business to the tune of $10 million. At present, both remain at large.

Apache, Cisco, Zyxel patch high-risk flaws, Google fixes Android zero-day

A new high-severity vulnerability (CVE-2024-45195) in the Apache OFBiz ERP system has been addressed, which could allow unauthenticated remote code execution on Linux and Windows systems. The flaw, affecting versions prior to 18.12.16, bypasses previously addressed issues (CVE-2024-32113, CVE-2024-36104, and CVE-2024-38856). CVE-2024-32113 and CVE-2024-38856 are actively exploited, with the former used to deploy the Mirai botnet.

Cisco also patched two flaws (CVE-2024-20439, CVE-2024-20440) in its Smart Licensing Utility, and Google released a fix for a privilege escalation bug (CVE-2024-32896) in Android, actively exploited in the wild. Additionally, Zyxel patched an OS command injection flaw (CVE-2024-7261) affecting certain routers and access points.

Meanwhile, D-Link said it will not fix four remote code execution (RCE) vulnerabilities (CVE-2024-41622, CVE-2024-44340, CVE-2024-44341, CVE-2024-44342) impacting all hardware and firmware versions of its DIR-846W router because the products are no longer supported.

North Korean hackers exploit Chromium zero-day to deploy FudModule rootkit

A North Korean threat actor has been observed exploiting a recently disclosed zero-day vulnerability in the Chromium browser, tracked as CVE-2024-7971, to gain remote code execution (RCE). The activity is believed to be part of a broader campaign targeting the cryptocurrency sector for financial gain. CVE-2024-7971 is a type confusion vulnerability in the V8 JavaScript and WebAssembly engine, affecting Chromium versions prior to 128.0.6613.84. Exploiting this vulnerability allows attackers to gain RCE in the sandboxed Chromium renderer process, potentially compromising user systems.

China-linked Earth Lusca has been observed using new KTLVdoor malware

The Chinese-speaking threat actor Earth Lusca has been linked to a new malware named “KTLVdoor” used in an attack on an unnamed trading company in China. Written in Golang, the backdoor can target both Windows and Linux systems. KTLVdoor disguises itself as system utilities, enabling tasks like file manipulation, command execution, and remote port scanning. Trend Micro researchers identified over 50 command-and-control (C&C) servers hosted by Alibaba in China, some associated with Earth Lusca. However, the infrastructure may be shared with other Chinese-speaking threat actors, the researchers noted.

Threat actors target Ukrainian military via fake Griselda app and Google Drive links

CERT-UA and MILCERT analyzed two cyberattacks aimed at Ukrainian military personnel. The attacks involved the dissemination of messages via Signal containing links to download APK files that delivered information-stealing malware disguised as the military system Griselda and the surveillance system called “Eyes.”

North Korea intensifies cyber attacks on crypto industry, FBI warns

North Korea has ramped up its aggressive cyber operations targeting the global cryptocurrency industry, according to a recent security alert from the US Federal Bureau of Investigation (FBI). North Korean state-sponsored hackers are employing complex and highly tailored social engineering techniques to infiltrate decentralized finance (DeFi) platforms, cryptocurrency exchanges, and related businesses with the aim of stealing large quantities of digital assets.

Recent reports indicate that North Korean hackers have been focusing their efforts on companies associated with cryptocurrency exchange-traded funds (ETFs). Over the past several months, they have conducted extensive research on potential targets, hinting at possible future attacks against firms managing or trading in these financial products.

Threat actors using novel Voldemort backdoor in global cyberespionage campaign

Researchers at Proofpoint have uncovered a suspected Advanced Persistent Threat (APT) group using a custom backdoor named ‘Voldemort’ in a global cyberespionage campaign. This previously unknown group has targeted organizations across multiple sectors, employing sophisticated phishing tactics. The campaign has impacted over 70 organizations worldwide, including those in critical sectors such as aerospace, finance, healthcare, government, and telecommunications. The attackers have primarily used phishing emails to infiltrate victim organizations, impersonating tax authorities from Europe, Asia, and the United States. The threat actors leveraged malicious LNK and ZIP files to deliver the Voldemort backdoor, a custom-built malware written in C.

Threat actors are using MacroPack Red Team framework to deploy Brute Ratel, Havoc and PhantomCore

Cisco Talos researchers have spotted a series of malicious Microsoft Office documents uploaded to VirusTotal between May and July 2024, which were generated using a known Red Team tool called MacroPack. Talos' analysis of the documents revealed several malicious payloads, including Havoc, Brute Ratel, and a new variant of the PhantomCore remote access trojan (RAT). Havoc and Brute Ratel are post-exploitation frameworks typically used by Red Teams, but they have also been abused by threat actors. PhantomCore, which was recently linked to Ukrainian hacktivist group Head Mare, has been used for cyber espionage targeting Russian government entities.

New Cicada ransomware targets VMware ESXi servers, impersonates Cicada 3301 group

A new ransomware-as-a-service (RaaS) operation known as Cicada3301 has emerged on the threat landscape, targeting VMware ESXi servers worldwide. Cicada3301 employs a double-extortion tactic, breaching corporate networks, stealing sensitive data, and then encrypting devices.

Discovered overlaps between Cicada3301 and the ALPHV/BlackCat ransomware suggest that Cicada3301 may be a rebrand or a fork of ALPHV. Both ransomware variants share several technical characteristics, including being written in Rust, using the ChaCha20 encryption algorithm, and employing identical commands for virtual machine shutdowns and snapshot wiping. The two also share similar command interfaces, file naming conventions, and ransom note decryption methods.

RansomHub ransomware encrypted at least 210 victims worldwide

The US government has issued a warning after identifying over 210 victims of the RansomHub ransomware group, a sophisticated ransomware-as-a-service (RaaS) operation. The group has been active since February 2024, targeting a wide range of sectors critical to national security and public welfare. RansomHub, previously known as Cyclops and Knight, is believed to be collaborating with affiliates from other prominent ransomware groups such as LockBit and ALPHV.

BlackByte ransomware group adds VMware ESXi exploit to its arsenal

The BlackByte ransomware group, believed to be a spin-off from the infamous Conti group, has added a new exploit to its arsenal. Researchers at Cisco Talos Incident Response (IR) have observed the group exploiting a recently disclosed VMware ESXi vulnerability to gain control over virtual machines and escalate privileges within compromised environments.

The vulnerability, tracked as CVE-2024-37085, is an authentication bypass flaw in VMware ESXi that allows attackers to gain full administrative access to hypervisors. The group has been observed using it to escalate privileges after gaining initial access to a target environment.

New ManticoraLoader MaaS helps cybercriminals steal data

Cybersecurity researchers have shared details about a new Malware-as-a-Service (MaaS) platform called ManticoraLoader, developed and distributed by DeadXInject, a threat group behind the AresLoader malware. ManticoraLoader, a sophisticated malware loader written in C, is designed to be compatible with Windows 7 and later versions, including Windows Server. According to the researchers at Cyble, ManticoraLoader features advanced obfuscation techniques and an array of information-gathering capabilities, including a module specifically engineered to collect extensive information from infected devices.

Revival Hijack supply chain attack targets apps distributed via PyPI

A new software supply chain attack, dubbed ‘Revival Hijack,’ is targeting Python applications distributed via the Python Package Index (PyPI), according to JFrog researchers. The attack could potentially affect 22,000 existing Python packages, leading to millions of infected downloads. The exploit takes advantage of a security gap when projects are deleted from PyPI, allowing attackers to upload malicious packages under the same name. Victims unknowingly update what they believe are safe packages, especially when using automated CI/CD pipelines. Tests revealed that compromised packages had been downloaded 200,000 times in three months.
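The gap described above bites hardest where a pipeline resolves a bare package name and installs whatever the index now serves under it; pinning each dependency to an exact version and artifact digest, as pip's --require-hashes mode does, makes a release published under a re-registered name fail the install. As an added illustration, not JFrog's code or the pipeline they tested, the following parses that lockfile format and checks a fetched artifact against it, using constructed package bytes; the package name examplepkg is a placeholder.

```python
import hashlib
import re

# Constructed sample artifacts (not a real package); the second stands in for a
# release uploaded after the project name was deleted and re-registered.
GOOD_ARTIFACT = b"constructed wheel bytes for examplepkg 1.4.2"
HIJACKED_ARTIFACT = b"constructed wheel bytes uploaded under the re-registered name"

# Constructed lockfile in pip's --require-hashes format: exact version plus digest.
LOCKFILE = (
    "# generated lockfile (constructed)\n"
    "examplepkg==1.4.2 \\\n"
    "    --hash=sha256:" + hashlib.sha256(GOOD_ARTIFACT).hexdigest() + "\n"
)

_REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s\\]+)")
_HASH_RE = re.compile(r"--hash=(\w+):([0-9a-f]+)")


def parse_lockfile(text):
    """Return {name: (version, {algo: {digest, ...}})}, joining '\\' continuation lines.
    Requirements without '==' and at least one --hash are rejected, as pip does."""
    pins = {}
    for logical in text.replace("\\\n", " ").splitlines():
        logical = logical.strip()
        if not logical or logical.startswith("#"):
            continue
        m = _REQ_RE.match(logical)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {logical}")
        hashes = {}
        for algo, digest in _HASH_RE.findall(logical):
            hashes.setdefault(algo, set()).add(digest)
        if not hashes:
            raise ValueError(f"{m.group(1)}: no --hash pin, refusing")
        pins[m.group(1).lower()] = (m.group(2), hashes)
    return pins


def verify_artifact(pins, name, version, data):
    """True only if the fetched file is the pinned version and matches a pinned digest."""
    entry = pins.get(name.lower())
    if entry is None or entry[0] != version:
        return False  # unknown package, or a newer release the lockfile never approved
    _, hashes = entry
    return any(hashlib.new(algo, data).hexdigest() in digests
               for algo, digests in hashes.items())
```

A higher version number published under the old name is rejected on the version check alone, and a replacement file for the pinned version is rejected on the digest check.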

Three admins of OTP interception service OTP Agency plead guilty

Three men have pleaded guilty to running a website that enabled criminals to circumvent banking anti-fraud checks. The website, OTP[.]Agency, was operated by Callum Picari, Vijayasidhurshan Vijayanathan, and Aza Siddeeque. The trio were found to have facilitated criminal activities by allowing users to bypass multi-factor authentication (MFA) on major banking platforms, including HSBC, Monzo, and Lloyds. The OTP[.]Agency service was a web-based bot designed to trick users into providing their OTP tokens. Criminals could subscribe to various service tiers on the website. A basic package, costing £30 (~$40) per week, enabled users to bypass MFA security measures, making it easier to carry out fraudulent transactions. Meanwhile, an elite plan, priced at £380 (~$499) per week, granted access to verification sites for Visa and Mastercard.

SSU dismantles two bot farms linked to Russian disinformation efforts

The Security Service of Ukraine (SSU) and the National Police have dismantled two bot farms linked to Russian intelligence cyber operations. The law enforcement authorities identified and arrested IT specialists believed to be the bot farms' operators. The suspects created and sold fake online accounts to Russian intelligence services, which then used them to conduct disinformation campaigns under the guise of Ukrainian citizens.

Cybercriminal pleads guilty to hacking, credit card trafficking and money laundering

Vitalii Antonenko, 32, pleaded guilty to charges of hacking, trafficking stolen payment card data, and money laundering. Antonenko and his co-conspirators targeted vulnerable networks using SQL injection attacks to steal payment card data and personal information, which they sold on criminal marketplaces. Arrested in 2019 at JFK Airport, Antonenko was later indicted in 2020. The conspiracy's victims included a hospitality business and a scientific research institution in Massachusetts. He faces up to 25 years in prison, hefty fines, restitution, and forfeiture. Sentencing is set for December 10, 2024.

Germany arrests 10 suspected leaders of New World Order online harassment group

The Frankfurt am Main Public Prosecutor's Office and the Federal Criminal Police Office (BKA) arrested ten suspects believed to be ringleaders of a criminal organization known as ‘New World Order’ responsible for various online crimes such as cyberbullying, cyberstalking, and doxing.

The group reportedly used several malicious techniques, including "mask games," in which they harassed victims by insulting, threatening, and doxing them—revealing personal information obtained through spoofed identities. Additionally, the group engaged in "swatting," a tactic where emergency services, such as the police or fire department, are called to the victim’s home under false pretenses, often while the victim is live-streaming, to humiliate them.

Ukrainian police dismantle a bank fraud scheme

Ukrainian police have uncovered a fraud scheme targeting citizens' bank accounts. The criminals set up a call center in the organizer's home, posing as bank employees and calling individuals. They acquired customer databases from the dark web. The cybercriminal group, consisting of eight members, was led by a 31-year-old who involved friends and relatives in the illegal activities. The group stole confidential banking details and convinced victims to install remote access apps, allowing them to withdraw money from online banking apps. Over 4 million UAH was stolen. The suspects face up to eight years in prison.

Nigerian brothers sentenced to 17 years in prison in a sextortion case that led to the victim’s death

Two brothers from Nigeria were handed a 17-year prison sentence for their involvement in a sextortion scheme that targeted a 17-year-old high school student and led to his suicide. In March 2022, Samuel and Samson Ogoshi, 24 and 21, used social media to coerce Jordan DeMay into sending nude photos of himself and then blackmailed him with the images.

The scammers used a hacked Instagram account to pose as an American teenage girl and persuade DeMay to send the explicit content to them. The Ogoshi brothers are said to have targeted more than 100 victims in the US via social media, including 11 minors.
