Four cuffed for helping cybercriminals bypass Interpol’s Red Notice system
A major multinational operation by Interpol, the FBI, and authorities in France and the UK has led to the arrest of four individuals in Moldova. These suspects are implicated in a scheme to circumvent Interpol's Red Notice system, which alerts global authorities to locate and detain wanted individuals pending extradition. The investigation, led by the UK's National Crime Agency, uncovered a corrupt network in Moldova that provided sensitive information to cybercriminals with ties to Russia, Ukraine, and Belarus. The operation revealed two main schemes: bribing officials to block or delete Red Notices and informing cybercriminals about safe travel routes to avoid capture.
TikTok hack targeting brands and celebrity accounts
Short video app TikTok has been the target of a cyberattack that compromised several high-profile brand and celebrity accounts, including official accounts of news network CNN, Paris Hilton, and Sony. The malware, delivered through direct messages (DMs) within the TikTok app, does not require any downloads, clicks, responses, or any other user actions beyond simply opening a message.
Ukrainian government, military targeted with DarkCrystal RAT
The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) has reported a series of targeted cyberattacks aimed at Ukrainian government officials, military personnel, and defense industry representatives. The attacks involve the use of the DarkCrystal Remote Access Trojan (RAT), which is being distributed through the Signal messenger app. The attackers are using contacts from the victim's own list or members of mutual groups to send the malware, to increase the credibility and trustworthiness of the messages. The malicious communication typically includes an archive file, a password, and instructions urging the recipient to open the file on a computer.
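The lure described above pairs an archive with its password so that scanners on the messaging path cannot inspect the contents. The following check, added here as an example and not code from CERT-UA or the original article, reads only the ZIP central directory and reports whether any member carries the encryption bit, which lets a gateway quarantine password-protected archives before a user is asked to open one. The sample archives are constructed in memory; the vendor-neutral verdict names are an assumption of this example.

```python
"""Flag password-protected ZIP archives without extracting anything."""
from __future__ import annotations

import io
import struct
import zipfile

# Bit 0 of the general-purpose flag in every ZIP entry header marks the
# entry as encrypted (traditional PKWARE or AES via the extra field).
ENCRYPTED_FLAG = 0x0001


def encrypted_members(data: bytes) -> list[str]:
    """Names of members whose central-directory header has the encryption bit.

    Only headers are parsed; no member is opened, so this is safe on
    untrusted input. Non-ZIP input raises zipfile.BadZipFile.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]


def is_password_protected(data: bytes) -> bool:
    return bool(encrypted_members(data))


def classify_attachment(data: bytes) -> str:
    """Gateway decision (verdict names are this example's own convention)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-zip"
    return "quarantine" if is_password_protected(data) else "scan"


def build_sample_zip(names: list[str], encrypted: bool) -> bytes:
    """Construct a sample archive (test data for this example, not a real lure).

    zipfile cannot write encrypted archives, so for the encrypted case the
    encryption bit is set by hand in each local and central header; the
    stored bytes are left alone, which is all a header-based check needs.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, b"placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Local header: sig(4) version(2) flags(2)        -> flags at +6
        # Central header: sig(4) made(2) needed(2) flags(2) -> flags at +8
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                (flags,) = struct.unpack_from("<H", data, pos + flag_off)
                struct.pack_into("<H", data, pos + flag_off, flags | ENCRYPTED_FLAG)
                pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    lure = build_sample_zip(["invoice.pdf.exe"], encrypted=True)
    benign = build_sample_zip(["report.pdf"], encrypted=False)
    print("lure:", classify_attachment(lure), encrypted_members(lure))
    print("benign:", classify_attachment(benign))
```

Because the decision is made from the central directory alone, the same function works for archives that a scanner could not open, which is exactly the case the lure relies on.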
In a separate alert, CERT-UA has warned of a new campaign dubbed “SickSync,” by the UAC-0020 (Vermin) threat actor (linked to the Luhansk People's Republic region occupied by Russia since March 2014), targeting the Ukrainian defense forces. The attack uses the SPECTR malware first discovered in 2019, and abuses the legitimate software SyncThing to extract stolen documents, files, passwords, and other information from the computer.
Additionally, Fortinet FortiGuard Labs detailed a new and sophisticated cyber attack targeting endpoints in Ukraine that deploys Cobalt Strike and seizes control of compromised hosts.
Russia escalates disinformation campaigns targeting France and 2024 Paris Olympics
Russia is ramping up disinformation campaigns against France, President Emmanuel Macron, the International Olympic Committee (IOC), and the Games themselves. According to the Microsoft Threat Analysis Center (MTAC), these operations combine traditional tactics with advanced artificial intelligence (AI), aiming to denigrate the IOC's reputation and create fears of violence at the Games.
Chinese cyberespionage op is targeting Southeast Asian governments
Sophos's threat hunting team has uncovered an extensive Chinese state-sponsored cyberespionage campaign, dubbed “Operation Crimson Palace,” targeting a high-profile government organization in Southeast Asia. The campaign leveraged previously unreported malware, now tracked as CCoreDoor (also discovered by BitDefender) and PocoProxy, as well as an updated variant of the Eagerbee malware capable of blackholing communications to antivirus vendor domains.
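The summary says the updated Eagerbee variant blackholes traffic to antivirus vendor domains but does not say by what mechanism. One long-standing way to do that on Windows or Linux is a hosts-file override that pins a vendor's domain to a sinkhole address, and that is the case the following check covers; it is added here as an example, not Sophos's code, and the hosts content and the watch-list of vendor domains are constructed for the example.

```python
"""Find hosts-file entries that pin watched domains to a sinkhole address."""
import ipaddress

# Addresses that silently discard traffic when used as a hosts override.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Hypothetical watch-list: replace with the security-vendor domains your
# fleet actually talks to. Subdomains of a listed domain also match.
WATCHED_DOMAINS = {"update.example-av.test", "example-edr.test"}

# Constructed sample hosts file for this example.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
::1         localhost ip6-localhost
0.0.0.0     update.example-av.test          # sinkholed vendor domain
127.0.0.1   TELEMETRY.example-edr.test www.example-edr.test
10.0.0.5    intranet.corp.test
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a stricter scanner could flag it
        for host in parts[1:]:
            yield str(addr), host.lower().rstrip(".")


def find_blackholed(text, watched):
    """Return [(hostname, address)] for watched domains mapped to a sinkhole."""
    watched = {d.lower() for d in watched}
    hits = []
    for addr, host in parse_hosts(text):
        if addr not in SINKHOLE_ADDRS:
            continue
        if host in watched or any(host.endswith("." + d) for d in watched):
            hits.append((host, addr))
    return hits


if __name__ == "__main__":
    for host, addr in find_blackholed(SAMPLE_HOSTS, WATCHED_DOMAINS):
        print(f"blackholed: {host} -> {addr}")
```

Run it over `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts` from an endpoint inventory job; a hit on a vendor domain is rarely legitimate and is a cheap early signal that a host's security tooling has been cut off from its update and telemetry servers.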
New UTG-Q-008 APT targets Chinese research and educational institutes
A new Advanced Persistent Threat (APT) group, tracked as UTG-Q-008, has been targeting research and educational institutes in China. The threat actor employs a sophisticated botnet composed entirely of Linux systems to conceal its operations, with multiple springboard nodes located within China's internet space. It was found that UTG-Q-008 sometimes deploys a cryptominer on systems equipped with powerful NVIDIA RTX graphics cards.
North Korea-linked Andariel deploys a new Dora RAT in attacks on South Korea
The North Korea-linked threat actor known as Andariel has been observed deploying a new Golang-based backdoor, dubbed Dora RAT, to target educational institutions, manufacturing firms, and construction businesses in South Korea. The attacks were primarily carried out by exploiting a vulnerable Apache Tomcat server to distribute the malware. The targeted systems were running a 2013 version of Apache Tomcat, which is known to be susceptible to multiple vulnerabilities.
Threat actors abusing known commercial packers to deliver malware
The Check Point threat research team said that over the past few months they observed a spike in the abuse of popular packers such as BoxedApp Packer, BxILMerge, and the BoxedApp SDK. The investigation revealed that the most abused BoxedApp products were BoxedApp Packer and BxILMerge, both built on top of the BoxedApp SDK. The list of the most deployed, attributed malware families includes remote access trojans (RATs), stealers, and ransomware, such as QuasarRAT, NanoCore, NjRAT, Neshta, AsyncRAT, XWorm, LodaRAT, RevengeRAT, AgentTesla, LockBit, RedLine, Remcos, ZXShell, and Ramnit.
Hackers exploit old ThinkPHP vulns to deploy Dama web shell
Chinese threat actors have been exploiting vulnerabilities in ThinkPHP applications, specifically CVE-2018-20062 and CVE-2019-9082, to install a persistent web shell named Dama. The campaign began targeting a small number of organizations in October 2023 and has recently become more widespread.
Hackers steal $305M from DMM Bitcoin in eighth largest crypto theft in history
Japanese cryptocurrency exchange DMM Bitcoin has confirmed that it had been the victim of a hack resulting in the theft of 4,502.9 bitcoin, equivalent to approximately $305 million. Crypto security firm Elliptic reported that the threat actors have already split the stolen Bitcoin into multiple new wallets, complicating efforts to trace and recover the funds.
Hugging Face reveals breach of Spaces platform
AI platform Hugging Face, known for its extensive repository of community-created AI applications, said that its Spaces platform experienced a security breach, resulting in unauthorized access to authentication secrets of its members. The secrets include authentication tokens that allow users to interact with various features and services.
Ransomware attack forces London hospitals to cancel services
A number of hospitals in London were forced to cancel operations and divert emergency patients following a ransomware attack on a critical supplier. The incident has impacted Guy’s and St Thomas’, King’s College Hospital NHS Foundation Trusts, and primary care services across South East London. The disruption was a result of a ransomware attack on Synnovis, a third-party provider of essential pathology services. A Russian cyber gang known as Qilin is believed to be behind the attack.
Separately, the FBI revealed it obtained over 7,000 LockBit decryption keys and can help victims restore their data.
Law enforcement authorities reveal identities of 8 people linked to major malware loaders
Law enforcement authorities in Europe have disclosed the identities of eight individuals allegedly linked to several high-profile malware loader families hit as part of “Operation Endgame.” The suspects are accused of being key players in the distribution and administration of notorious malware loaders including Bumblebee, IcedID, Pikabot, Smokeloader, SystemBC, and Trickbot.
Additionally, Dutch and Ukrainian authorities have apprehended a 28-year-old man from Kyiv, Ukraine, for infecting the computer networks of a company in the Netherlands with the Conti ransomware. The arrest was made in April 2024 as part of Operation Endgame.
New Fog ransomware targets US education sector via breached VPN
A new ransomware operation called "Fog" has targeted the U.S. education sector since early May 2024. Using compromised VPN credentials, Fog breaches the networks of educational organizations. Discovered by Arctic Wolf Labs, this ransomware has not yet established an extortion portal and has not been observed stealing data.
Gitloker attack targets GitHub repos
A new wave of Gitloker attacks is targeting GitHub repositories, wiping their contents and leaving a ransom note. Attackers use stolen credentials to gain access to accounts, delete repository contents, and replace them with a README.me file containing instructions to contact them via Telegram. They claim to have created a backup of the compromised data and demand communication on Telegram for further steps. The attack appears to be ongoing since February 2024.
New Muhstik campaign targets critical Apache RocketMQ flaw
Aqua Nautilus has discovered a new campaign of Muhstik DDoS botnet targeting message queuing service applications, specifically focusing on the Apache RocketMQ platform. The attackers exploited a known vulnerability, CVE-2023-33246, to download and install Muhstik malware on compromised instances. The flaw allows remote and unauthenticated attackers to execute code remotely by manipulating the RocketMQ protocol content or using the update configuration function. Muhstik has a history of leveraging known security flaws in web applications for its propagation.