Tag: cybercrime

Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks
News

Users of the enterprise file transfer software CrushFTP are being urged to update to the latest version after a security flaw was found to be actively exploited in the wild. In an advisory published on Friday, CrushFTP stated that "users can escape their VFS and download system files with CrushFTP v11 versions below 11.1. This has been patched in v11.1.0." Users running their CrushFTP instances in a restricted environment within a demilitarized zone (DMZ) are, however, protected from the attacks. Simon Garrelou of Airbus CERT has been credited with discovering and reporting the vulnerability, which has not yet been assigned a CVE identifier. U.S. organizations are believed to have been the primary targets of these attacks, and the intelligence collection activ...
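The advisory describes a VFS escape: a user confined to a virtual file system root is able to read files outside it. The example below is an added illustration of that bug class and the check that closes it; it is not CrushFTP's code, and every function, path and directory layout in it is hypothetical. It models the VFS as a directory on disk and contrasts a naive join with a canonicalise-then-check containment test, including a symlink case that a plain ".." filter would miss.

```python
"""Illustration of the VFS-escape bug class: added example, not CrushFTP's code.

Everything here is hypothetical: the 'VFS' is modelled as an on-disk directory
that a user is supposed to be confined to.
"""
import os
import tempfile


def resolve_naive(vfs_root: str, requested: str) -> str:
    """Vulnerable pattern: join the request onto the root and trust the result.

    '..' segments (and symlinks inside the root) let the caller reach files
    outside vfs_root, which is the shape of bug the advisory describes.
    """
    return os.path.join(vfs_root, requested.lstrip("/"))


def resolve_confined(vfs_root: str, requested: str) -> str:
    """Hardened version: canonicalise both sides, then check containment.

    realpath() collapses '..' and follows symlinks, so the containment check
    is made on the path the OS would actually open. Raises PermissionError
    on any escape.
    """
    root = os.path.realpath(vfs_root)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    # commonpath() is segment-aware: '/srv/vfs/alice2' is not inside '/srv/vfs/alice',
    # whereas a plain startswith() check would accept it.
    if os.path.commonpath([root, candidate]) != root:
        raise PermissionError(f"{requested!r} escapes the VFS root {root}")
    return candidate


def is_inside_vfs(vfs_root: str, requested: str) -> bool:
    """Boolean wrapper so a server can log-and-deny instead of catching."""
    try:
        resolve_confined(vfs_root, requested)
        return True
    except PermissionError:
        return False


def symlink_escape_demo() -> dict:
    """Shows that a lexical '..' filter alone is not enough.

    Builds a temporary VFS root containing a symlink that points outside it
    (constructed for this demo) and asks both resolvers for a path through
    that link. Returns which resolver let the escape through.
    """
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as root:
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("not for VFS users\n")
        os.symlink(outside, os.path.join(root, "link"))  # link created inside the root
        requested = "link/secret.txt"  # contains no '..' at all
        naive = resolve_naive(root, requested)
        return {
            "naive_opens_secret": os.path.realpath(naive) == os.path.realpath(secret),
            "confined_allows": is_inside_vfs(root, requested),
        }


if __name__ == "__main__":
    # '/srv/vfs/alice' is a hypothetical per-user VFS root.
    for req in ["docs/report.pdf", "../../../etc/passwd", "docs/../../alice2/x"]:
        print(f"{req!r:28} naive={resolve_naive('/srv/vfs/alice', req)!r} "
              f"confined={is_inside_vfs('/srv/vfs/alice', req)}")
    print(symlink_escape_demo())
```

The containment test must run on the canonical path, not the string the client sent: normalising ".." lexically is not sufficient when the root can contain symlinks, which is why the hardened resolver calls realpath() before comparing.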
GitHub comments abused to push malware via Microsoft repo URLs
News

Threat actors are abusing a GitHub flaw, or possibly a design decision, to distribute malware via URLs associated with a Microsoft repository, making the files appear trustworthy. Although most of the malware activity has centered on Microsoft's GitHub URLs, the "flaw" could be used to craft very convincing lures using any public repository on GitHub. A new Lua malware loader was discovered by McAfee yesterday, distributed through what appeared to be a legitimate Microsoft GitHub repository for vcpkg, the "C++ Library Manager for Windows, Linux, and MacOS." Although the malware installers' URLs, shown below, clearly point to the Microsoft repository, we were unable to locate any mention of the files in the project's source co...
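The lure works because the owner and repository name appear in the URL even though the file was never committed to that repository. The example below is an added illustration, not McAfee's or GitHub's code: it classifies a github.com URL by where it actually points and only treats a link as repository content if the path exists in the repository's committed tree. The URL layouts it relies on are assumptions about how GitHub serves content (comment attachments under a "/files/<id>/<name>" path, either beneath the repository or beneath "github.com/user-attachments/"; committed files under "/blob/", "/raw/" or raw.githubusercontent.com; release assets under "/releases/download/"), and the repository tree, attachment id and filenames in the sample are constructed for the demo.

```python
"""Classify github.com URLs so that a link which merely names a repository is not
trusted as that repository's content. Added example, not McAfee's or GitHub's code.

Assumed URL layouts (not stated on the page):
  comment attachment : github.com/<owner>/<repo>/files/<id>/<name>
                       github.com/user-attachments/files/<id>/<name>
  committed content  : github.com/<owner>/<repo>/blob|raw/<ref>/<path>
                       raw.githubusercontent.com/<owner>/<repo>/<ref>/<path>
  release asset      : github.com/<owner>/<repo>/releases/download/<tag>/<name>
"""
from urllib.parse import urlsplit

GITHUB_HOSTS = {"github.com", "www.github.com", "raw.githubusercontent.com"}


def classify_github_url(url: str) -> dict:
    """Return where on GitHub a URL actually points.

    kind is one of 'comment_attachment', 'repo_content', 'release_asset',
    'other' (a github.com page not modelled here) or 'not_github'.
    repo is the 'owner/name' the link *names*; for a comment attachment that
    says nothing about who uploaded the file.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in GITHUB_HOSTS:
        return {"kind": "not_github", "repo": None, "path": None}
    segs = [s for s in parts.path.split("/") if s]

    # Newer attachment layout lives outside any repository namespace.
    if host != "raw.githubusercontent.com" and segs[:2] == ["user-attachments", "files"]:
        return {"kind": "comment_attachment", "repo": None, "path": "/".join(segs[2:])}
    if len(segs) < 3:
        return {"kind": "other", "repo": None, "path": None}
    repo = f"{segs[0]}/{segs[1]}"

    if host == "raw.githubusercontent.com":
        return {"kind": "repo_content", "repo": repo, "path": "/".join(segs[3:])}
    marker = segs[2]
    if marker == "files":
        # Older attachment layout: the repo name is in the URL, the file is not in the repo.
        return {"kind": "comment_attachment", "repo": repo, "path": "/".join(segs[3:])}
    if marker in ("blob", "raw") and len(segs) >= 5:
        return {"kind": "repo_content", "repo": repo, "path": "/".join(segs[4:])}
    if marker == "releases" and len(segs) >= 6 and segs[3] == "download":
        return {"kind": "release_asset", "repo": repo, "path": segs[5]}
    return {"kind": "other", "repo": repo, "path": None}


def is_trustworthy_repo_file(url: str, repo_tree: dict) -> bool:
    """True only if the URL points at a path present in the repository's committed tree.

    repo_tree maps 'owner/name' -> set of file paths; in practice it would be
    fetched from the git tree, here it is supplied by the caller.
    """
    info = classify_github_url(url)
    if info["kind"] != "repo_content":
        return False
    return info["path"] in repo_tree.get(info["repo"], set())


# Constructed sample data: the tree, attachment id and filenames are made up.
SAMPLE_TREE = {"microsoft/vcpkg": {"README.md", "scripts/bootstrap.sh"}}
SAMPLE_URLS = [
    "https://github.com/microsoft/vcpkg/blob/master/README.md",
    "https://raw.githubusercontent.com/microsoft/vcpkg/master/scripts/bootstrap.sh",
    "https://github.com/microsoft/vcpkg/files/00000000/installer.zip",
    "https://github.com/user-attachments/files/00000000/installer.zip",
    "https://github.com/microsoft/vcpkg/blob/master/does/not/exist.zip",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        info = classify_github_url(u)
        print(f"{info['kind']:20} trusted={is_trustworthy_repo_file(u, SAMPLE_TREE)!s:5} {u}")
```

The point of the second function is that "hosted on github.com under a well-known org" is not a trust signal on its own; a download is only as trustworthy as the commit history behind it, so the check is made against the tree rather than the hostname.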
Malware dev lures child exploiters into honeytrap to extort them
Business

While you don't usually sympathize with cybercriminals, you also don't feel sorry for the victims of a recent malware campaign that targets child exploiters. Since 2012, threat actors have been creating malware and ransomware that impersonate government agencies and warn infected Windows users that they have been caught accessing CSAM. The malware pressures victims into paying a "fine" to stop law enforcement from seeing their personal information. One of the earliest "modern" ransomware operations, Anti-Child Porn Spam Protection (ACCDFISA), used this extortion method; later versions also encrypted data and locked Windows desktops. Other malware families, such as the Reveton, Urausy, and Harasom trojans, soon followed, posing as law...
New RedLine Stealer Variant Disguised as Game Cheats Using Lua Bytecode for Stealth
News

According to research from McAfee Labs, a new information stealer has been discovered that uses Lua bytecode for added stealth and sophistication. Because the command-and-control (C2) server IP address has previously been linked to the malware, the cybersecurity company has assessed it to be a variant of RedLine Stealer, a known malware family. RedLine Stealer was first documented in March 2020 and is typically distributed via email and malvertising campaigns. It can also be delivered by loader malware such as dotRunpeX and HijackLoader, as well as through exploit kits. The readily available malware can harvest data from web browsers, VPN clients, and cryptocurrency wallets, including credit card numbers, autocomplete entries, and saved login credentials...
Frontier Communications shuts down systems after cyberattack
News

American telecom company Frontier Communications is working to restore its systems following a recent intrusion by a cybercrime group that compromised parts of its IT environment. Frontier is a leading U.S. communications provider that serves millions of consumers and businesses in 25 states with gigabit Internet speeds over a fiber-optic network. After discovering the incident, the company had to partially shut down some systems to stop the threat actors from moving laterally through the network, which also caused significant operational disruptions. Frontier says the attackers were still able to access personally identifiable information (PII), although it could not specify whether the data belonged to customers, employees, or both. Frontier Communications Parent, Inc. disclosed in a fili...
OfflRouter Malware Evades Detection in Ukraine for Almost a Decade
News

A malware known as OfflRouter has been infecting some Ukrainian government networks since 2015. Cisco Talos based its findings on an analysis of more than 100 confidential documents infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform since 2018; almost 20 of these documents have been uploaded since 2022. According to security researcher Vanja Svajcer, the documents contained VBA code to drop and launch an executable named "ctrlpanel.exe". The virus continues to cause potentially sensitive documents to be uploaded to publicly accessible document repositories in Ukraine. One notable feature of OfflRouter is that it cannot spread via email; it must be distributed through other channels, such as docum...
FIN7 Cybercrime Group Targeting U.S. Auto Industry with Carbanak Backdoor
News

The notorious cybercrime group FIN7 delivered the known backdoor Carbanak (also known as Anunak) in a spear-phishing campaign targeting the U.S. automotive industry. The BlackBerry research and intelligence team wrote in a recent report that "FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights." Living-off-the-land binaries, scripts, and libraries (LOLBAS) were used to launch their well-known Anunak backdoor under the guise of a free IP scanning utility and establish an initial foothold. Since 2012, FIN7, also tracked as Carbon Spider, Elbrus, Gold Niagara, ITG14, and Sangria Tempest, has established itself as a well-known, financially motivated cybercrime group that has succes...
Hackers Target Middle East Governments with Evasive “CR4T” Backdoor
News

Middle Eastern governments have been targeted in a previously undisclosed campaign to deploy a new backdoor known as CR4T. According to Russian cybersecurity firm Kaspersky, which has codenamed the campaign DuneQuixote, the activity was discovered in February 2024, although there is evidence suggesting it may have been ongoing for at least a year earlier. Kaspersky says the campaign's operators employed practical and well-designed evasion techniques in both network communications and the malware code to prevent the collection and analysis of its implants. The attack begins with a dropper, which comes in two variants: a regular dropper that can take the form of an executable or a DLL file, or a tampered installer file for Total Commander...
Critical Atlassian Flaw Exploited to Deploy Linux Variant of Cerber Ransomware
News

Threat actors are exploiting unpatched Atlassian servers to deploy the Linux variant of the Cerber ransomware, also known as C3RB3R. The attacks exploit a critical security flaw in Atlassian Confluence Data Center and Server tracked as CVE-2023-22518 (CVSS score: 9.1), which allows an unauthenticated attacker to reset Confluence and create an administrator account. With this access, a threat actor could gain complete control over the compromised systems, resulting in a loss of confidentiality, integrity, and availability. Financially motivated cybercrime groups have been observed abusing the newly created admin account to install the Effluence web shell plugin and enable the execution of arbitrary commands on the host...