News and Headlines

See below for the latest data science and cyber news, compiled from the most reliable sources.

Short on time? We got you covered!

Each Article Features AI Generated Summaries for Faster Reading.

Amy Forza

Ransomware Actor Uses TeamViewer to Gain Initial Access to Networks - Dark Reading

2024-01-22 13:39 (EST) - Two attempted ransomware attacks on Huntress customers' devices were thwarted, despite being initiated via the legitimate remote access software TeamViewer. The suspected ransomware was based on the leaked builder for LockBit 3.0. Evidence suggests the same threat actor was responsible for both assaults. The perpetrator could have obtained the necessary access credentials from an Initial Access Broker (IAB) following information theft. This highlights TeamViewer's exposure: despite its security mechanisms, it is an attractive target due to its widespread use and simplicity.

Amy Forza

With Attacks on the Upswing, Cyber-Insurance Premiums Poised to Rise Too - Dark Reading

2024-01-22 13:39 (EST) - Following a surge in cyberattacks in 2023, cyber-insurance claims multiplied, signalling a potential rise in premiums within 12 to 24 months. This comes after a brief decrease in premium costs in 2023, which coincided with a lower frequency of ransomware-related claims. Cyber-insurance prices have historically followed threat landscape trends, so companies should brace for higher costs as cyber threats continue to evolve. Despite the potential premium increase, the cyber-insurance industry continues to grow, indicating its deepening importance in business risk management.

Amy Forza

Russian foreign intelligence hackers gain access to top Microsoft officials, company says - CyberScoop

2024-01-22 13:38 (EST) - Microsoft revealed a breach of its corporate email by a Russian hacking unit tied to the country's External Intelligence Service (SVR). The intrusion, detected on January 12, involved a password spray attack that compromised non-production test tenant accounts and exfiltrated some emails and documents. Notably, customer data appears unaffected, and no vulnerability in Microsoft's products or services caused the attack. It is the second significant attack on Microsoft in six months, and the same SVR hacking unit is also linked to the 2020 SolarWinds cyberattack.

Amy Forza

North Korean government hackers target individuals of interest, infosec professionals - CyberScoop

2024-01-22 13:37 (EST) - North Korean hackers, primarily from a unit known as ScarCruft, have been targeting media organizations and prominent experts on North Korea for intelligence. The operations involved sending phishing emails to install the RokRAT backdoor, while also preparing for a possible campaign against cybersecurity researchers. The hackers' aims likely involve uncovering non-public cyber threat intelligence and defense approaches to aid their operations. Evidence suggests a consistent effort to gather strategic intelligence and possibly to masquerade as cybersecurity professionals.

Amy Forza

Prolific Russian hacking unit using custom backdoor for the first time - Cyberscoop

2024-01-22 13:37 (EST) - The Russian espionage group "Cold River," linked to the Kremlin, has been using its custom backdoor malware "SPICA" since September last year, Google's Threat Analysis Group revealed. SPICA allows the attackers to control targeted systems and exchange files, though its usage is currently limited and targeted. Cold River is known for operations supporting Russian interests, having previously targeted the U.S., U.K., NATO, and Ukraine. The group continues to improve its evasion techniques, and has in the past targeted U.S. nuclear labs and Brexit supporters.

Amy Forza

Cyber Safety Review Board needs stronger authorities, more independence, experts say - CyberScoop

2024-01-22 13:36 (EST) - Experts told Congress that the Cyber Safety Review Board (CSRB), a body charged with investigating major cybersecurity incidents, lacks independence and authority. Created to mirror the National Transportation Safety Board, the CSRB is viewed as too reliant on the corporations it is supposed to review. Critics emphasized that the board must be more independent, unencumbered by industry influence, to investigate cybersecurity incidents effectively. This would require reforms aimed at empowering and reshaping the CSRB.

Amy Forza

Presidential council approves recommendations for cyber-physical resilience - CyberScoop

2024-01-22 13:36 (EST) - The President's Council of Advisors on Science and Technology approved recommendations to bolster the cyber-physical resilience of critical infrastructure amid the ongoing digital transformation. These include defining minimum operating capabilities, intensifying R&D, strengthening the government's resilience capacity, and enhancing industry accountability. The report, produced by a working group including a chief officer from Microsoft and one from Google Cloud, highlights the risk of system-wide failures due to cyberattacks or mechanical failures. Further details will be available by mid-February.

Amy Forza

AMD, Apple, Qualcomm GPUs leak AI data in LeftoverLocals attacks - Bleeping Computer

2024-01-22 13:35 (EST) - LeftoverLocals is a newly discovered vulnerability affecting GPUs from AMD, Apple, Qualcomm, and Imagination Technologies that enables data recovery from local memory. Particularly problematic for large language models and other machine learning workloads, the flaw permits an attacker to read values left behind in the GPU's local memory by another process. Remediation is underway, with some vendors already providing fixes. Researchers suggest automatically clearing local memory as a possible mitigation strategy.

Amy Forza

Google: Russian FSB hackers deploy new Spica backdoor malware - BleepingComputer

2024-01-22 13:34 (EST) - The Russian-backed hacking group ColdRiver is reportedly using a backdoor named Spica, disguised as a PDF decryptor tool, to infiltrate devices. The malware communicates via JSON over websockets and supports multiple malicious activities, such as running shell commands and stealing browser cookies. Google, warning of this threat, has added all related domains and files to its Safe Browsing service. ColdRiver, linked to Russia's Federal Security Service, has been active since 2015 and specializes in spear-phishing attacks.

Amy Forza

Russian hackers stole Microsoft corporate emails in month-long breach - Bleeping Computer

2024-01-22 13:34 (EST) - The Russian state-sponsored hacking group Nobelium breached some of Microsoft's corporate email accounts, including those of leaders and cybersecurity personnel, and stole data. Striking in November 2023, the attackers exploited a poorly configured, non-production test account using a brute-force password attack, highlighting the absence of two-factor or multi-factor authentication. The breach, unrelated to product vulnerabilities, is being investigated by Microsoft, which deems the impact on operations non-material.

Amy Forza

Microsoft: Iranian hackers target researchers with new MediaPl malware - Bleeping Computer

2024-01-22 13:33 (EST) - Iranian state hackers, a subset of the APT35 group, are reportedly conducting spearphishing attacks on prestigious research organizations and universities across Europe and the U.S., deploying a new backdoor. Targeting employees dealing with Middle Eastern affairs, the group uses compromised accounts to send inconspicuous phishing emails. Using AES-CBC encryption and Base64 encoding, the MediaPl malware covertly communicates with command-and-control servers while posing as Windows Media Player. Another malware, MischiefTut, lets the hackers run commands on targeted systems and send the output to attacker-controlled servers.

Amy Forza

Vans, North Face owner says ransomware breach affects 35 million people - BleepingComputer

2024-01-22 13:33 (EST) - VF Corporation, owner of popular brands like Vans and The North Face, experienced a ransomware attack in December that compromised the personal data of an estimated 35.5 million customers. Critically, no financial information or Social Security numbers were impacted. The breach resulted in operational disruptions, including order cancellations and shipment delays. VF Corp continues to work through minor operational issues and is cooperating with federal law enforcement in investigating the incident's full impact. Details about the compromised data remain undisclosed.

Amy Forza

loanDepot says ransomware gang stole data of 16.6 million people - BleepingComputer

2024-01-22 13:32 (EST) - Mortgage lender loanDepot suffered a ransomware attack that compromised the personal data of about 16.6 million people and took several of its system portals offline. Despite restoring loan origination and other service systems, the firm hasn't disclosed the specifics of the accessed information. Customers affected by the breach should guard against phishing and identity theft attempts, as loanDepot stores sensitive financial data. This follows another cyberattack in August 2022 in which customer data was exposed.

Amy Forza

Chinese hackers exploit VMware bug as zero-day for two years - BleepingComputer

2024-01-22 13:32 (EST) - The Chinese group UNC3886 leveraged an unpatched vulnerability (CVE-2023-34048) in VMware's vCenter Server from late 2021 for initial access. After gaining a foothold, they used compromised credentials to plant the VirtualPita and VirtualPie backdoors on ESXi hosts. They then escalated privileges and extracted data from guest VMs by exploiting a vulnerability in VMware Tools. The primarily targeted sectors were defense, telco, and tech within the U.S. and the APJ region, where EDR coverage is inadequate.

Amy Forza

Bigpanzi botnet infects 170,000 Android TV boxes with malware - BleepingComputer

2024-01-22 13:31 (EST) - A previously undisclosed cybercrime syndicate, Bigpanzi, has reportedly been profiting by infecting Android TV and eCos set-top boxes globally since 2015. Operating a large-scale botnet with an estimated 170,000 daily active bots, Bigpanzi infects devices through firmware updates or manipulated apps. The infections are monetized by turning the devices into illegitimate media streaming or DDoS attack platforms. Xlabs reports that pandoraspear and pcdn are the primary malware tools Bigpanzi uses in its operations.

Amy Forza

Majorca city Calvià extorted for $11M in ransomware attack - Bleeping Computer

2024-01-22 13:30 (EST) - Calvià City Council in Majorca has been hit by a ransomware attack that significantly impacted municipal services. In response, a crisis committee has been formed to assess the damage and formulate recovery plans. The majority of administrative services have been temporarily suspended, though emergency document submission is still possible via the State Administration portal. The ransom demand is approximately $11M; however, the council has refused to pay. Investigation of the perpetrators and recovery of systems are ongoing.

Amy Forza

Court charges dev with hacking after cybersecurity issue disclosure - BleepingComputer

2024-01-22 13:30 (EST) - A freelance IT analyst, investigating software issues for a client, discovered a massive data privacy issue involving nearly 700,000 customers' data on a vendor's server. Despite responsibly disconnecting and alerting the vendor, the analyst was reported to law enforcement and subsequently fined €3,000 for unauthorized access by a German court. The analyst criticized the court's outdated views and intends to appeal, potentially setting up a precedent-setting case.

Amy Forza

Tietoevry ransomware attack causes outages for Swedish firms, cities - BleepingComputer

2024-01-22 13:29 (EST) - Finnish IT service provider Tietoevry suffered a ransomware attack by the Akira gang, primarily affecting its cloud hosting customers in a Swedish data center. Immediate isolation of the impacted platform ensured that other areas of the firm's infrastructure remained unaffected. Service restoration is ongoing, but customers are still affected while servers are rebuilt. In 2023, 12 Akira ransomware attacks were reported, often exploiting weakly secured or unpatched Cisco VPNs. This recent attack follows warnings from the Finnish government about Akira's rising activity.

Amy Forza

Hackers start exploiting critical Atlassian Confluence RCE flaw - BleepingComputer

2024-01-22 13:29 (EST) - Security researchers have observed attempts to exploit CVE-2023-22527, a remote code execution flaw affecting older versions of Atlassian Confluence servers. The critical-severity flaw allows unauthenticated remote attackers to take over unpatched Confluence servers. Fixes are available in versions 8.5.4 and later. Threat monitoring has recorded over 39,000 exploitation attempts from over 600 unique IPs, primarily Russian. Administrators are urged to update Confluence servers to the latest version, and potentially compromised instances must be thoroughly scrutinized.

Amy Forza

FBI: Androxgh0st malware botnet steals AWS, Microsoft credentials - BleepingComputer

2024-01-22 13:28 (EST) - Cybersecurity agencies warn that Androxgh0st malware threat actors are building a botnet to steal cloud credentials and deliver further malicious payloads. The botnet, discovered in 2022, targets vulnerable websites and exploits remote code execution vulnerabilities. It is capable of stealing high-value credentials and abusing the email transfer protocol to conduct spam campaigns. Recommended mitigations include updating operating systems, software, and firmware, hardening URI default configurations, and scanning server file systems for unrecognized PHP files.
