Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
The latest in cybersecurity: OnlyFans, DcRAT, Android Spyware, Espionage, Diicot Cybercrime, ASUS, ChatGPT, Dark Web, US Agencies, Clop ransomware, Cybercrime.
A recent malware campaign is leveraging the popularity of OnlyFans, a subscription-based adult content platform, to distribute a remote access trojan known as DcRAT. Threat actors are using fake OnlyFans content and adult lures to trick victims into executing a VBScript loader, which installs the malware on their devices. Once infected, the DcRAT trojan enables the attackers to steal sensitive data and credentials, as well as potentially deploy ransomware. This highlights the importance of exercising caution when downloading files from untrustworthy sources, particularly those promising free access to premium content.
A hacking group known as “DoNot” or APT-C-35 has been identified by Cyfirma as the culprit behind a recent intelligence collection operation using malicious Android apps on Google Play. These apps, nSure Chat and iKHfaa VPN, were designed to gather location data and contact lists from targeted devices. DoNot, previously linked to an Indian cybersecurity firm, has been active since 2018, targeting high-profile organizations in Southeast Asia. By leveraging social messaging platforms like WhatsApp and Telegram, the threat actors direct victims to download seemingly innocent apps from Google Play, allowing them to deceive users and carry out their spying activities.
Cybersecurity experts from Palo Alto Networks have uncovered a sophisticated and persistent cyber espionage campaign targeting governmental entities in the Middle East and Africa. The campaign, known as CL-STA-0043, aims to steal highly confidential and sensitive information related to politics, military activities, and foreign affairs ministries. The attackers employ advanced techniques, including credential theft, Exchange email exfiltration, and the exploitation of vulnerable on-premises Internet Information Services (IIS) and Microsoft Exchange servers. This campaign demonstrates the capabilities of a highly skilled nation-state threat actor.
Researchers have uncovered new payloads from the Diicot cybercrime group, also known as “Mexals,” which is known for its cryptojacking campaigns. Evidence suggests that the group has now deployed the Cayosin botnet with DDoS capabilities, targeting routers running OpenWrt. The group exhibits unique tactics, such as the use of the Shell Script Compiler and a custom version of the UPX packer, while relying heavily on Discord for command and control.
ASUS has released new firmware with cumulative security updates for multiple router models, addressing nine vulnerabilities, including high and critical ones. The critical flaws, CVE-2022-26376 and CVE-2018-1160, pose risks of denial of service and arbitrary code execution on unpatched devices. ASUS warns customers to update their routers or restrict WAN access to prevent potential intrusions, emphasizing the importance of periodic equipment and security procedure audits for better protection. Impacted models include GT6, RT-AX86U, TUF-AX5400, and others. Immediate patching and strong password practices are strongly advised by the company to mitigate risks and prevent botnet attacks.
Northeastern State University has confirmed that data from the university was posted on the dark web following a cyberattack in May. The university’s IT team discovered the incident on May 26, and external security experts have confirmed the data breach. The compromised data includes personal identification information such as driver’s licenses, passports, and social security numbers. NSU is working with law enforcement and cybersecurity experts to assess the extent of the breach and take necessary steps for data retrieval, while advising the campus community to monitor their personal data and report any suspicious activities.
The U.S. Agriculture Department is conducting an investigation into a potential data breach linked to a larger hack targeting government agencies. It appears that the breach involves a contractor and affects a limited number of employees. The government has assured that those affected will be contacted and offered assistance. The disclosure of the broader hack, which also targeted the Office of Personnel Management and two Department of Energy organizations, has raised suspicions of Russian cyber criminals’ involvement.
In response to the recent cyber attack on HWL Ebsworth, a law firm engaged by NAB for legal services, the bank assures that the vast majority of its customers will not be impacted. NAB’s systems remain secure and unaffected by the attack. The bank is collaborating with HWL Ebsworth to gather more information about the incident.
The European Investment Bank (EIB) has fallen victim to a cyber attack believed to be orchestrated by Russian hackers, following recent threats to destabilize the Western financial system. The attack has affected the availability of some EIB websites, raising concerns about potential disruptions. Russian-speaking hackers, claiming to be from the Killnet gang, had previously issued threats against Western financial institutions for their support of Ukraine.
Over 101,100 OpenAI ChatGPT account credentials have been compromised and are being sold on illicit dark web marketplaces, with India alone accounting for 12,632 stolen credentials. The discovery of these credentials within information stealer logs reveals the alarming extent of the breach. The report from cybersecurity firm Group-IB highlights that the Asia-Pacific region has experienced the highest concentration of ChatGPT credentials being offered for sale, raising concerns about the security of sensitive information.
The US State Department’s Rewards for Justice program has announced a $10 million bounty for anyone providing information on the Cl0p ransomware gang or other malicious cyber actors targeting US critical infrastructure. The move comes after the gang exploited a flaw in the MOVEit Transfer software and boasted about breaching numerous companies. The gang, also known as TA505, Lace Tempest, Dungeon Spider, and FIN11, has a long history in the ransomware landscape and operates under the Ransomware-as-a-Service model, employing double-extortion tactics.
In a heart-wrenching tale of betrayal, a recently divorced mother-of-three shares her devastating experience of falling victim to a Tinder scammer who duped her into investing her entire 401(K) savings into bogus cryptocurrency schemes. Rebecca Holloway, a freelance marketing executive and former Wall Street worker, was targeted by a fraudster posing as a French entrepreneur named ‘Fred’ who exploited her vulnerability and trust. This incident sheds light on the alarming rise of the ‘pig butchering’ scam, where victims are deceived through fake romantic relationships and subsequently swindled through fraudulent investment advice.
The United Kingdom has announced a significant increase in funding for its Ukraine Cyber Program, aimed at countering Russian cyberattacks on critical infrastructure in Ukraine. The funding expansion will provide remote incident response support, deliver hardware and software, and enhance forensic capabilities for Ukrainian cyber experts. Prime Minister Rishi Sunak emphasized the need to protect Ukraine’s cyber infrastructure and vital services from Russia’s relentless cyber onslaughts. The UK’s increased investment will strengthen Ukraine’s cyber defenses and enable the country to better detect and neutralize malware threats.
The special cell of Delhi Police, in collaboration with the FBI, successfully dismantled an international cyber crime syndicate, resulting in the arrest of four individuals across India. The accused were involved in defrauding American citizens of more than $20 million by posing as DEA agents and operating call centers in Uganda and India. The mastermind, Vatsal Mehta, and his accomplice, Parth Armarkar, ran the fraudulent operations, while Deepak Arora and Prashant Kumar were also apprehended for their involvement.
The Port Arthur Historic Site Management Authority (PAHSMA) clarified that records related to the 1996 Port Arthur massacre were not part of the information inadvertently published on the Libraries Tasmania website. The incident, caused by human error and not a cyber attack, involved the accidental live posting of approximately 560 records from the site on the Tasmanian Archives’ website. While most of the records were unrelated to the massacre or general visitors, one record containing personal data of ghost tour guides, including birth dates, addresses, and phone numbers, was accessed 36 times and downloaded six times.