All Articles (2242)

Cybersecurity researchers at Deep Instinct Lab have revealed a new series of cyberattacks by ‘UAC-0099,’ specifically targeting Ukrainians.  These attacks employ common tactics, such as using fabricated court summons to entice targets into executing malicious files.

The group’s activities were initially revealed in May 2023 through the Ukrainian CERT advisory ‘#6710,’ and Deep Instinct has now provided exclusive insights into their latest attack.

According to a blog post from the company, on Dec

A Microsoft representative announced on 28 December 2023 that it is again disabling the ms-appinstaller protocol handler by default following its abuse by multiple threat actors to distribute malware.  "The observed threat actor activity abuses the current implementation of the ms-appinstaller protocol handler as an access vector for malware that may lead to ransomware distribution," the Microsoft Threat Intelligence team said.  It further noted that several cybercriminals are offering a malwar

Cybersecurity researchers are warning about an increase in phishing attacks that are capable of draining cryptocurrency wallets.  These threats are unique in their approach, targeting a wide range of blockchain networks, from Ethereum and Binance Smart Chain to Polygon, Avalanche, and almost 20 other networks by using a crypto wallet-draining technique.  A prominent contributor to this troubling trend is a notorious phishing group called Angel Drainer, which advertises a "Scam-as-a-Service" offe

Mortgage servicing firm LoanCare https://myloancare.com has started informing more than 1.3 million individuals of a data breach impacting their personal information.  A subsidiary of Fidelity National Financial (FNF), LoanCare provides loan sub-servicing for mortgage lenders, including banks, credit unions, and mortgage firms.  The data breach resulted from a cyberattack on FNF’s internal systems, LoanCare says in a notification letter sent to the impacted individuals, a copy of which was submi

A new malware loader is being used by threat actors to deliver a wide range of information stealers such as Lumma Stealer (aka LummaC2), Vidar, RecordBreaker (aka Raccoon Stealer V2), and Rescoms.  This malware is a loader with three types of components: a downloader that downloads an encrypted payload, a loader that runs the payload from internal resources, and another loader that runs the payload from an external file on the disk.  Telemetry data gathered by investigators shows that detections

The malware loader PikaBot is being distributed as part of a malvertising campaign targeting users searching for legitimate software like AnyDesk.  PikaBot was previously only distributed via malspam campaigns, similar to QakBot, and emerged as one of the preferred payloads for a threat actor known as TA577.  The malware family, which first appeared in early 2023, consists of a loader and a core module that allows it to operate as a backdoor and a distributor for other payloads.

See:  https://re

A look back - All has not been quiet on the malicious cybersecurity front over the past 12 months.  Innovation, cyberattacks and cyberespionage, and data breaches, malicious or inadvertent, have remained a constant.  At the same time, defenders have scored notable victories, including in Ukraine as well as by disrupting some big-name ransomware players.[1]  GovInfoSecurity provides 12 notable incidents and trends of 2023 and their implications for the bigger cybersecurity picture:

Clop's MOVEit

A new phishing campaign is leveraging decoy Microsoft Word documents as bait to deliver a backdoor written in the Nim programming language.  Malware written in uncommon programming languages puts the security community at a disadvantage, as researchers' and reverse engineers' unfamiliarity can hamper their investigation.  Nim-based malware has been a rarity in the threat landscape, although that has been slowly changing in recent years as attackers continue to either develop custom tools from scra

Microsoft representatives have warned that adversaries use OAuth applications as an automation tool to deploy virtual machines (VMs) for cryptocurrency mining and launch phishing attacks.  "Threat actors compromise user accounts to create, modify, and grant high privileges to OAuth applications that they can misuse to hide malicious activity," the Microsoft Threat Intelligence team said in an analysis.  The misuse of OAuth also enables threat actors to maintain access to applications even if the
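The chain Microsoft describes (a compromised user account creates or modifies an OAuth application, gives it a credential, then grants it high privileges) leaves a recognisable sequence in the directory audit log.  The following detection is an added example written for this page, not Microsoft's own detection logic or tooling.  It runs over constructed sample events whose field names are a simplified, assumed rendering of Microsoft Entra ID audit records; the set of "high-privilege" Graph application permissions and the 30-minute staging window are this example's own choices.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample audit events for this example, loosely modelled on
# Microsoft Entra ID audit-log records with simplified field names
# (an assumption; real records are nested JSON with more fields).
SAMPLE_EVENTS = [
    {"time": "2023-12-10T08:01:00Z", "activity": "Add application",
     "actor": "alice@example.com", "target": "Sync Helper", "properties": {}},
    {"time": "2023-12-10T08:02:30Z", "activity": "Add service principal credentials",
     "actor": "alice@example.com", "target": "Sync Helper", "properties": {}},
    {"time": "2023-12-10T08:03:10Z", "activity": "Add app role assignment to service principal",
     "actor": "alice@example.com", "target": "Sync Helper",
     "properties": {"AppRole.Value": "Mail.ReadWrite"}},
    {"time": "2023-12-10T08:03:40Z", "activity": "Add app role assignment to service principal",
     "actor": "alice@example.com", "target": "Sync Helper",
     "properties": {"AppRole.Value": "Directory.ReadWrite.All"}},
    {"time": "2023-12-10T09:15:00Z", "activity": "Add app role assignment to service principal",
     "actor": "bob@example.com", "target": "Expense Dashboard",
     "properties": {"AppRole.Value": "User.Read"}},
    {"time": "2023-12-11T14:00:00Z", "activity": "Add service principal credentials",
     "actor": "carol@example.com", "target": "Legacy Report App", "properties": {}},
    {"time": "2023-12-12T10:00:00Z", "activity": "Add app role assignment to service principal",
     "actor": "dave@example.com", "target": "Newsletter Bot",
     "properties": {"AppRole.Value": "Mail.Send"}},
]

# Application permissions that let an app read or send mail, rewrite the
# directory, or grant itself more permissions: the kind of "high privileges"
# the report describes. Names are Microsoft Graph application permissions;
# which ones count as high-privilege is this example's own judgement call.
HIGH_PRIVILEGE_ROLES = {
    "Directory.ReadWrite.All", "RoleManagement.ReadWrite.Directory",
    "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
    "Mail.ReadWrite", "Mail.Send", "full_access_as_app",
}
# Steps that create an app or give it a credential the attacker controls.
STAGING_ACTIVITIES = {
    "Add application", "Add service principal",
    "Add service principal credentials",
}
GRANT_ACTIVITY = "Add app role assignment to service principal"
WINDOW = timedelta(minutes=30)   # staging-to-grant window; tunable assumption


def _ts(event: Dict) -> datetime:
    return datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ")


def detect_oauth_abuse(events: List[Dict]) -> List[Dict]:
    """Return one finding per high-privilege app-role grant.

    Severity is "high" when the same actor created the app or added a
    credential to it within WINDOW before the grant (the compromise,
    create, credential, grant chain), otherwise "medium".
    """
    by_actor_app = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_actor_app[(event["actor"], event["target"])].append(event)

    findings = []
    for (actor, app), history in by_actor_app.items():
        for i, event in enumerate(history):
            if event["activity"] != GRANT_ACTIVITY:
                continue
            role = event["properties"].get("AppRole.Value", "")
            if role not in HIGH_PRIVILEGE_ROLES:
                continue
            grant_time = _ts(event)
            staged = [
                prior["activity"] for prior in history[:i]
                if prior["activity"] in STAGING_ACTIVITIES
                and grant_time - _ts(prior) <= WINDOW
            ]
            findings.append({
                "time": event["time"], "actor": actor, "app": app, "role": role,
                "severity": "high" if staged else "medium",
                "staging": staged,
            })
    return findings


if __name__ == "__main__":
    for finding in detect_oauth_abuse(SAMPLE_EVENTS):
        print(f'{finding["severity"]:6} {finding["time"]} {finding["actor"]} '
              f'granted {finding["role"]} to "{finding["app"]}" '
              f'after {finding["staging"] or "no staging activity"}')
```

On the sample data the two grants by alice are rated high because the app was created and given a credential two minutes earlier, dave's Mail.Send grant is rated medium (privileged, but no staging seen), and bob's User.Read grant and carol's lone credential addition produce nothing.  In practice the medium findings are the ones to review against the account's sign-in risk, since the report notes the actor gets in through a compromised user account first.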

Cybersecurity researchers have identified 116 malicious packages on the Python Package Index (PyPI) repository designed to infect Windows and Linux systems with a custom backdoor.  Sometimes, the final payload is a variant of the infamous W4SP Stealer, a simple clipboard monitor to steal cryptocurrency, or both, noted investigators.

The packages are estimated to have been downloaded over 10,000 times since May 2023.  The threat actors behind the activity have been observed using three techniques

BlackCat/ALPHV ransomware leaders claim they have restarted operations on the group's primary blog, despite the Department of Justice's claim that it gained control of the site.  Further, in retaliation for the law enforcement actions against the gang, they announced they have dropped a previous ban on cyberattacks against critical infrastructure.  BlackCat also claimed that, beyond "unseizing" the sites, the decryption key being offered by the FBI is outdated and from an older blog, according to a

https://youtu.be/8QL0l7hcHgc A laser communications experiment flying aboard NASA’s Psyche mission has beamed back a video to Earth from nearly 19 million miles (31 million kilometers) away, and the short clip stars a cat named Taters.  It is the first time NASA has streamed a video from deep space using a laser.  In the ultra-high definition video, the playful orange tabby cat chases, of all things, the elusive red dot from a laser pointer as it moves across a couch.  The cat video was transmitt

Cybersecurity researchers have discovered 18 malicious loan apps for Android on the Google Play Store that have been downloaded over 12 million times.  Despite their attractive appearance, these services are designed to defraud users by offering them high-interest-rate loans endorsed with deceitful descriptions, all while collecting their victims' personal and financial information to blackmail them and ultimately gain their funds.

The cybersecurity investigators are tracking these apps under Sp

Microsoft https://www.microsoft.com is warning of an increase in malicious activity from an emerging threat cluster it tracks as Storm-0539, which conducts gift card fraud and theft via highly sophisticated email and SMS phishing attacks against retail entities during the holiday shopping season.  The goal of the attacks is to propagate booby-trapped links that direct victims to Adversary-in-the-Middle (AiTM) phishing pages that can harvest their credentials and session tokens

A known ransomware group claims to have breached the systems of Kraft Heinz, but the food company says it cannot verify the cybercriminals’ allegations.  The ransomware group named Snatch publicly named Kraft Heinz on its website on 14 December 2023, but the post appears to have been created on 16 August 2023, which indicates that the attack occurred months ago.

See:  https://redskyalliance.org/xindustry/snatch-ransomware

Snatch ransomware first appeared in 2018 and was formerly called Team Trun

Double-extortion ransomware is a type of cyberattack in which the threat actors exfiltrate a victim’s sensitive data in addition to encrypting it, giving the attacker additional leverage to collect ransom payments.  A typical ransomware attack will only encrypt the target’s data.  The threat actors behind the Play ransomware are estimated to have impacted approximately 300 entities as of October 2023, according to a new joint cybersecurity advisory from Australia and the US.  "Play ransomware ac

Red Sky Alliance queries our backend databases monthly, identifying all new data containing Motor Vessel (MV) and Motor Tanker (MT) in the subject line of malicious emails.  Malicious actors use emails with Motor Vessel (MV) or Motor Tanker (MT) in the subject line as a lure to entice users in the maritime industry to open emails containing malicious attachments.  Red Sky Alliance is providing this list of Motor Vessels in which we directly observed the vessel being impersonated, with associated
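The subject-line query described above can be reproduced on any mail log.  The script below is an added example for this page, not Red Sky Alliance's own query or database code: it scans constructed sample subject lines, pulls out the impersonated vessel name after an MV/MT prefix (also written M/V or M.T.), drops trailing shipping abbreviations such as ETA or PDA that are not part of the name, and tallies how often each vessel is impersonated.  The regular expression, the noise-word list and the sample subjects are this example's assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample subject lines for this example (not observed data).
SAMPLE_SUBJECTS = [
    "MV OCEAN PRIDE - PDA request and port call documents",
    "RE: M/V STAR HORIZON ETA Rotterdam / agency appointment",
    "Fwd: MT NORDIC SPIRIT - bunker supply invoice attached",
    "Crew change for MT GOLDEN WAVE at Singapore, see attachment",
    "MV OCEAN PRIDE - revised proforma disbursement account",
    "Quarterly MT sales figures for Q3",            # "MT" but no vessel name
    "Meeting with MV Industries procurement team",  # company name, not a ship
]

# "MV"/"MT" (also M/V, M.T.) followed by a vessel name written in capitals.
# The pattern is this example's assumption, not Red Sky Alliance's query.
VESSEL_RE = re.compile(
    r"(?<![A-Za-z0-9])"                  # prefix must start a token
    r"(?P<prefix>M[/.]?[VT])\.?"         # MV, MT, M/V, M.T.
    r"\s+"
    r"(?P<name>[A-Z][A-Z0-9]+(?:\s+[A-Z][A-Z0-9]+){0,3})"  # 1-4 upper-case words
)
# Shipping abbreviations that often follow the name and are not part of it.
TRAILING_NOISE = {"ETA", "ETD", "ETB", "PDA", "FDA", "DA", "ATTN"}


@dataclass(frozen=True)
class VesselLure:
    subject: str
    vessel_type: str   # "MV" or "MT"
    vessel_name: str


def extract_vessel_lure(subject: str) -> Optional[VesselLure]:
    """Return the impersonated vessel named in a subject line, or None."""
    match = VESSEL_RE.search(subject)
    if not match:
        return None
    words = match.group("name").split()
    while words and words[-1] in TRAILING_NOISE:
        words.pop()
    if not words:
        return None
    vessel_type = match.group("prefix").replace("/", "").replace(".", "")
    return VesselLure(subject, vessel_type, " ".join(words))


def find_vessel_lures(subjects: List[str]) -> List[VesselLure]:
    """Every subject that carries an MV/MT vessel-name lure, in input order."""
    return [lure for lure in map(extract_vessel_lure, subjects) if lure]


def impersonated_vessels(subjects: List[str]) -> List[Tuple[str, str, int]]:
    """(type, name, count) per vessel, most-impersonated first: the shape of
    the monthly list the text describes (output format assumed)."""
    counts = Counter((l.vessel_type, l.vessel_name)
                     for l in find_vessel_lures(subjects))
    return sorted(((t, n, c) for (t, n), c in counts.items()),
                  key=lambda row: (-row[2], row[0], row[1]))


if __name__ == "__main__":
    for vessel_type, name, count in impersonated_vessels(SAMPLE_SUBJECTS):
        print(f"{vessel_type} {name}: {count} lure subject(s)")
```

Requiring the vessel name in capitals is what keeps "MT sales figures" and "MV Industries" out of the results; real lure subjects almost always write the name that way, but a deployment feeding a blocklist should still have an analyst confirm each new name before it is published.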

In the face of unrelenting pressure from significant cyber incidents and regulatory action to mitigate them, enterprises are assessing whether they are doing enough to deal with cybersecurity.  Public companies are evaluating responses to new SEC rules calling for disclosures regarding cybersecurity strategy, risk management, and governance practices.  The SEC’s action against SolarWinds is setting off alarm bells throughout the cybersecurity community, causing CISOs to worry about personal lia

Meta recently released a new standalone AI image generator.  The tech is based on its Emu image synthesis, and the way it all works might surprise you.  Consider this with Meta AI already built into the Meta apps like Messenger and Instagram.  It is now available in a browser window and is quite impressive.  The only catch is that users are the ones supplying the source images.[1]

Meta scrapes all of our social media feeds to the tune of about one billion images, according to Ars Technica.  The A

A new wave of phishing messages distributing the QakBot malware has been observed, more than three months after a law enforcement effort saw its infrastructure dismantled by infiltrating its Command-and-Control (C2) network.  Microsoft investigators who made the discovery described it as a low-volume campaign that began on 11 December 2023 and targeted the hospitality industry.  "Targets received a PDF from a user masquerading as an IRS employee," the investigators posted in a series of posts