👉 What’s the latest in the cyber world today?
Python Malware Targets Docker API, Ducktail Stealer Strikes India, Ethereum Function Exploited, Hunters International Emerges, IronWind Cyber Espionage Campaign, Juniper Exploit Chain Targets Federal Networks, Wallet Hit in $27M USDT Hack, Coin Cloud Bitcoin ATM Firm Compromise, Business Continuity Tool for Cyber Resilience, LockBit Leaks 43GB of Sensitive Boeing Data, U.S. Authorities Recover Over $1 Million in Cyber Attack, Ransomware-as-a-Service Operator RansomedVC Announces Closure, China Proposes Enhanced Cybersecurity Checks for Auditors.
Security researchers have uncovered a new cybersecurity threat targeting publicly exposed instances of the Docker Engine API. Exploiting misconfigurations, attackers deploy a malicious Docker container housing Python malware compiled as an ELF executable. This malware, acting as a Distributed Denial of Service bot agent, employs various attack methods, including SSL-based, UDP-based, and Slowloris-style attacks, posing a significant risk to misconfigured Docker Engine APIs.
Vietnamese threat actors, previously linked to Ducktail stealer malware, targeted Indian marketing professionals from March to October 2023, aiming to hijack Facebook business accounts. This campaign distinguishes itself by using Delphi as the programming language, a shift from the usual .NET applications. Exploiting Facebook ads, the attackers aim to seize control of victims’ accounts, placing unauthorized ads for financial gain.
Malicious actors are exploiting Ethereum’s ‘Create2’ function to sidestep wallet security alerts and execute a significant cryptocurrency theft, stealing $60 million from 99,000 individuals in six months. Web3 anti-scam specialists at ‘Scam Sniffer’ detected in-the-wild exploitation of Create2, leading to losses of up to $1.6 million for a single victim. The abuse involves generating fresh contract addresses, bypassing security alerts, and employing tactics like ‘address poisoning’ to deceive users into sending assets to threat actors, posing a substantial risk to Ethereum’s cryptocurrency ecosystem.
A new ransomware group, Hunters International, has emerged, inheriting the source code and infrastructure from the dismantled Hive operation. Bitdefender’s report suggests that Hive’s leadership strategically transferred their assets to Hunters International after the takedown earlier this year. While similarities between the two groups have been noted, the new threat actors claim to have purchased the source code from Hive’s developers, focusing more on data exfiltration than encryption, making them appear as a data extortion group.
A Middle Eastern advanced persistent threat group, TA402, also known as Molerats or Gaza Cyber Gang, has been identified in new phishing campaigns aimed at government entities in the region. The cyber espionage activities involve the use of a sophisticated initial access downloader named IronWind. Despite ongoing conflicts, TA402 has demonstrated resilience, employing innovative methods such as geofencing and intricate infection chains to target government entities in the Middle East and North Africa, showcasing their persistent and sophisticated cyber operations.
The Cybersecurity and Infrastructure Security Agency has issued a stern warning to federal agencies, urging them to secure Juniper devices promptly against an actively exploited pre-auth remote code execution exploit chain. Juniper has confirmed successful exploitation of vulnerabilities in its J-Web interface, and CISA’s Known Exploited Vulnerabilities Catalog now designates them as “frequent attack vectors for malicious cyber actors,” posing significant risks.
A hacker successfully siphoned $27 million in Tether (USDT) from a wallet connected to Binance’s deployer, converting the loot to Ethereum and later bridging the funds to Bitcoin via the THORChain bridge. The victim’s compromised wallet had previously received Ether from the Binance deployer in 2019. Binance, while acknowledging the authorized withdrawal, emphasized that the DeFi wallet receiving the funds was compromised, and the security team is actively investigating the incident.
An unidentified hacking group asserts that it has compromised Coin Cloud, a Bitcoin ATM operator that declared bankruptcy earlier this year. The group claims to have accessed sensitive personal information, including 70,000 customer selfies, Social Security numbers, names, addresses, dates of birth, occupations, phone numbers, and more, affecting around 300,000 customers.
Huber Heights, Ohio, is grappling with the aftermath of a ransomware attack, disrupting various city departments, including utilities, tax, zoning, engineering, finance, human resources, and economic development. While emergency services remain unaffected, residents are urged to expect disruptions in services, particularly billing systems for utilities and taxes, which may be impacted for at least a week.
Amid escalating cyber threats, Moneris, a prominent Canadian payment processor, recently announced its successful prevention of a ransomware attack. The attempt by the Medusa ransomware gang triggered a swift response from Moneris’ cybersecurity team, which detected and neutralized the threat, preventing any compromise of critical data. While the Medusa gang had demanded a $6 million ransom, Moneris confirmed that no such request was made.
In a joint effort, the Australian Signals Directorate’s Australian Cyber Security Centre and the Cybersecurity and Infrastructure Security Agency have unveiled “Business Continuity in a Box.” This innovative tool, developed by ACSC with contributions from CISA, empowers organizations to swiftly and securely restore critical business functions in the aftermath of a cyber incident. Comprising Continuity of Communications and Continuity of Applications, the tool focuses on maintaining communication and establishing essential interim applications during compromised data or system integrity. This initiative aligns with CISA’s commitment to enhancing national cybersecurity by providing businesses with accessible resources and tools, supporting Critical Infrastructure Security and Resilience Month.
LockBit, a notorious ransomware gang, has followed through on its threat to publish stolen data from aerospace giant Boeing after the company refused to pay the ransom. The leaked data, totaling over 43GB, includes backups for various systems, configuration backups for IT management software, and logs for monitoring and auditing tools. While Boeing has confirmed the cyberattack, details about the breach and how the hackers gained access to its network remain undisclosed.
Federal officials have successfully seized just over $1.1 million linked to a cyber attack that defrauded the New Haven Board of Education of nearly $6 million earlier this year. The U.S. Attorney’s office and the FBI filed a civil asset forfeiture complaint seeking to return the funds, totaling about $1,187,677, to the City of New Haven. The cyber scam involved a fake email address mimicking a contracted school bus company, resulting in a $5.9 million payment mistakenly made by a board management member.
RansomedVC, a recent player in the ransomware-as-a-service landscape, has declared its shutdown and intends to auction off parts of its infrastructure. Operating for just a few months, the group has targeted over 40 organizations in Europe, demanding ransoms up to $1 million. While the motive for the shutdown initially remained unclear, subsequent posts suggested that potential arrests of six individuals associated with RansomedVC may have led to the decision, leading to the immediate dismissal of all 98 affiliates.
China’s finance ministry is suggesting additional cybersecurity checks for auditors involved in work related to national security, according to a draft proposal released on Friday. The measures also outline protocols for handling data related to Chinese firms and apply specifically to auditors engaged by domestic companies or conducting cross-border work.
Copyright © 2023 CyberMaterial. All Rights Reserved.