US authorities charge Sudanese brothers linked to Anonymous Sudan DDoS operation
US authorities have indicted two Sudanese nationals for their involvement in Anonymous Sudan, a notorious group responsible for a widespread distributed-denial-of-service (DDoS) attack network. The two brothers, Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, were charged with conspiracy to damage protected computers, with Ahmed Salah facing additional charges for damaging protected computers. If convicted, Ahmed Salah could face a life sentence, while Alaa Salah faces up to five years in prison.
The group’s attacks, designed to cripple websites and networks, have caused millions in damages, including disrupting the emergency department at Cedars-Sinai Medical Center for eight hours, forcing the redirection of incoming patients.
North Korean APT37 exploited IE zero-day to deploy malware
A North Korea-backed threat actor has been observed exploiting a recently patched zero-day vulnerability in Microsoft Windows to spread malware. APT37 exploited a now-patched zero-day flaw (CVE-2024-38178) that a remote attacker can abuse for remote code execution via a specially crafted webpage loaded in Microsoft Edge in Internet Explorer mode. The attackers first compromised the server of a Korean online advertising agency and injected malicious code into the server’s ad content script. The attack then exploited CVE-2024-38178 to trick victims into downloading malware onto desktops on which the toast ad program was installed.
A separate report from cybersecurity company Secureworks highlights a new tactic observed in IT worker schemes linked to the North Korean government. Typically, such a scheme involves North Korean nationals using stolen or falsified identities to obtain employment with Western companies, but now it comes with a new twist. In some instances, fraudulent workers stole data from the organization's network and demanded ransom payments from their former employers for not leaking the information.
Tor Project says Tor Browser users were not targeted specifically in Firefox zero-day attacks
Tor Project updated its earlier security advisory on a Mozilla Firefox zero-day vulnerability to clarify that “the Tor Project has no evidence that Tor Browser users were targeted specifically.” Previously, the blog post stated that “Mozilla is aware of this attack being used in the wild against Tor Browser users.”
The vulnerability, tracked as CVE-2024-9680, has been described as a use-after-free bug within the Animation timeline component. Exploitation of the flaw allows attackers to execute code in the content process by manipulating animation timelines. The flaw affects Firefox and Firefox Extended Support Release (ESR) products.
The Firefox flaw has since been patched with Tor Browser releases 13.5.7, 13.5.8 (for Android), and 14.0a9.
Suspected nation-state actor exploits critical Ivanti CSA flaws in an advanced attack
A sophisticated nation-state threat actor has been observed exploiting three vulnerabilities in Ivanti Cloud Service Appliance (CSA) to gain unauthorized access and carry out a range of malicious actions. The attackers targeted critical security flaws to infiltrate the victim's network. The flaws, tracked as CVE-2024-8190, CVE-2024-8963, and CVE-2024-9380, were abused to compromise the CSA, enumerate user credentials, and escalate privileges.
Critical Veeam flaw exploited in Fog and Akira ransomware attacks
Threat actors behind the Fog and Akira ransomware are exploiting a known vulnerability in the Veeam backup and disaster recovery software to create an account and attempt to deploy ransomware. Tracked as CVE-2024-40711, the flaw is an input validation error that allows remote code execution.
Russian hackers are targeting Ukrainian conscripts and reservists with MeduzaStealer malware
Ukraine's Computer Emergency Response Team (CERT-UA) detected a Russia-linked hacking campaign targeting Ukrainian conscripts and reservists. The attackers used a Telegram bot to lure victims into downloading a malicious app on their devices, falsely advertised as a way to update their data with the government to avoid visiting army draft offices. The app contained MeduzaStealer malware, which harvested personal data and browser credentials. Officials noted that the Telegram bot had previously been listed as an official support tool for a legitimate Ukrainian government app, making the phishing attempt more convincing.
Additionally, Ukraine’s CERT published a security advisory detailing activities of a suspected Russian threat actor it tracks as UAC-0050 that has been actively targeting Ukrainian organizations.
Initially focused on cyberespionage and information theft, the group has recently shifted toward psychological operations (PSYOPs) under the Fire Cells Group persona. The authorities say that Fire Cells Group is responsible for cyberattacks, bomb threats, contract killings, and property damage across Ukraine. UAC-0050 now primarily targets government entities, though it has expanded its reach, stealing money from private companies through hacking campaigns.
In related news, Cisco Talos said it has observed a new wave of cyberattacks targeting Ukrainian government and unidentified Polish entities. These attacks are attributed to a Russian-speaking group known as UAT-5647 aka “RomCom.” The latest attacks involve an updated version of the RomCom malware, “SingleCamper,” which loads from the registry into memory and uses a loopback address for communication with its loader. The Talos team notes that UAT-5647 has expanded its toolkit to include four malware families: RustClaw and MeltingClaw (downloaders), DustyHammock (a Rust-based backdoor), and ShadyHammock (a C++-based backdoor).
China-linked IcePeony APT targets India, Vietnam, and other Asian countries
A recent report from NaoSec looks into a new China-nexus state-backed threat actor tracked as ‘IcePeony,’ focused on government agencies, academic institutions, and political organizations in countries such as India, Mauritius, and Vietnam. The group typically uses SQL Injection for initial access to public web servers, followed by compromise via webshells and backdoors, as well as a custom IIS malware called “IceCache”.
Iranian hackers target critical infrastructure, selling network access data on cybercriminal forums
Since October 2023, Iranian cyber threat actors have ramped up attacks on critical infrastructure organizations, gaining unauthorized access and selling stolen credentials and network data on cybercrime forums, according to a joint advisory authored by security agencies from the US, Canada, and Australia.
The advisory details how Iranian hackers, acting as initial access brokers, use brute-force tactics, including password spraying and multifactor authentication (MFA) "push bombing," to breach networks and collect valuable data. Push bombing is a method where attackers repeatedly send MFA requests to users, overwhelming them with notifications until they approve one, by accident or out of frustration, which grants the attackers access.
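Push bombing of the kind the advisory describes leaves a recognisable trace in MFA logs: a burst of denied or unanswered prompts for one account, often followed by a single approval. The following is an added detection example, not code from the advisory or from any vendor; the log line format, the sample events, the five-minute window and the threshold of three prompts are all constructed assumptions that a real deployment would tune to its own identity provider's log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (hypothetical format, not from any real product).
# "bob" receives a burst of unapproved prompts from one source and then approves.
SAMPLE_LOG = """\
2024-10-15T08:00:01Z user=alice result=approved src=10.0.0.5
2024-10-15T09:12:03Z user=bob result=denied src=203.0.113.9
2024-10-15T09:12:20Z user=bob result=denied src=203.0.113.9
2024-10-15T09:12:41Z user=bob result=timeout src=203.0.113.9
2024-10-15T09:13:02Z user=bob result=denied src=203.0.113.9
2024-10-15T09:13:30Z user=bob result=denied src=203.0.113.9
2024-10-15T09:14:05Z user=bob result=approved src=203.0.113.9
2024-10-15T10:30:00Z user=carol result=denied src=10.0.0.7
2024-10-15T14:00:00Z user=carol result=approved src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, user, result, source) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["result"], m["src"]))
    return events


def detect_push_bombing(events, window=timedelta(minutes=5), threshold=3):
    """Flag users with at least `threshold` unapproved pushes inside a sliding `window`.

    Returns {user: {"unapproved_pushes", "first", "approved_after_burst", "sources"}}.
    `approved_after_burst` is True when an approval lands within `window` of the
    burst's last prompt, the pattern of a user giving in to the notification flood.
    """
    by_user = defaultdict(list)
    for ev in sorted(events):  # sort by timestamp first
        by_user[ev[1]].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        unapproved = [e for e in evs if e[2] != "approved"]
        for i, start in enumerate(unapproved):
            burst = [e for e in unapproved[i:] if e[0] - start[0] <= window]
            if len(burst) < threshold:
                continue
            burst_end = burst[-1][0]
            approved_after = any(
                e[2] == "approved" and burst_end < e[0] <= burst_end + window
                for e in evs
            )
            alerts[user] = {
                "unapproved_pushes": len(burst),
                "first": start[0],
                "approved_after_burst": approved_after,
                "sources": sorted({e[3] for e in burst}),
            }
            break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for user, info in detect_push_bombing(parse_log(SAMPLE_LOG)).items():
        print(user, info)
```

Accounts flagged with `approved_after_burst` set deserve the fastest response (session revocation and a credential reset), since the attacker already held a valid password to trigger the prompts. The control that removes this class of attack rather than detecting it is number matching or a similar challenge in the authenticator, so that a prompt cannot be approved without information only the legitimate login screen shows.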
On the same note, Microsoft said it observed an increase in cyber activity linked to nation-state actors collaborating with cybercriminals over the past year, targeting critical sectors including military, aerospace, and defense. According to Microsoft’s report on digital threats, Russian state-backed hacker groups have been outsourcing cyberespionage tasks to cybercriminal groups, particularly those targeting Ukraine. North Korea, known for its financially motivated cyberattacks, is now also deploying ransomware as part of its operations.
Iranian APT34 ramps up attacks on UAE and Gulf Region with new tactics
The Iranian state-sponsored hacking group APT34, also known as OilRig, has intensified its cyber operations with a series of sophisticated attacks targeting government entities and critical infrastructure in the United Arab Emirates and the wider Gulf region. The new campaigns involve novel backdoors and the exploitation of both web server vulnerabilities and a recent Windows flaw, according to researchers from Trend Micro. In its latest campaign, OilRig, which Trend Micro tracks as Earth Simnavaz, targeted Microsoft Exchange servers, exploiting the Windows privilege escalation flaw (CVE-2024-30088) to steal credentials and exfiltrate sensitive data.
Telekopye scam network expands to target tourists via hotel booking scam
An online scam network has expanded its operations to target users of popular accommodation booking platforms like Booking.com and Airbnb. The cybercriminals are utilizing a sophisticated Telegram-based toolkit known as Telekopye to defraud unsuspecting users.
The new scam scheme involves fraudsters contacting users who have recently made reservations and tricking them into believing there is an issue with their payment. Victims receive a message through in-platform communication channels, complete with a link to a malicious webpage that mimics the booking platform.
The web pages appear authentic as they contain prefilled information from the victim's actual bookings, including check-in/check-out dates, pricing, and the accommodation’s location. This information is likely obtained through compromised accounts of legitimate hotels and accommodation providers, which scammers access using stolen credentials purchased on cybercriminal forums.
Pokémon developer confirms a cyberattack and data leak
Japanese video game developer Game Freak, known for its work on the Pokémon franchise, confirmed it suffered a cyberattack, resulting in a data breach that exposed sensitive information. According to the company’s statement, the attackers gained unauthorized access to Game Freak’s servers and stole the personal data belonging to over 2,600 current and former employees, including names and email addresses. While the company confirmed the theft of employee data, it did not clarify whether any unreleased projects or future game details were leaked.
Microsoft deprecates PPTP and L2TP VPN protocols in Windows Server
Microsoft has officially announced the deprecation of the Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) from its Windows Server Routing and Remote Access (RRAS) services. The company recommends that organizations move to the SSTP and IKEv2 protocols, both of which provide enhanced security and performance over their legacy counterparts.
Meta removes disinformation network targeting voters in Moldova ahead of election
Meta Platforms said it had dismantled a network of group accounts targeting Russian-speaking Moldovans ahead of the country's October 20 presidential election. The removed network had been promoting criticism of pro-European President Maia Sandu, who is seeking a second term in office, and of pro-EU politicians, while supporting pro-Russia parties in Moldova. The campaign also targeted Moldova’s close relations with neighboring Romania. The investigation revealed that the operation was centered on about a dozen fictitious, Russian-language news brands posing as independent outlets. The brands had a presence across several platforms, including Meta-owned Facebook and Instagram, as well as Telegram, OK.ru (Odnoklassniki), and TikTok.
The network originated from Russia and Moldova, especially from the Transnistria region—a breakaway territory in Moldova with strong pro-Russian sentiment, according to Meta.
The US offers a $10M bounty on Russian propaganda network Rybar
The US has placed a $10 million bounty on Russian media network Rybar and key staff members for allegedly trying to influence the upcoming US presidential election. Rybar (aka Rybar, Rybar OOO, and Project Rybar) has been accused of using social media, including Telegram and suspended X accounts, to stoke division, promote pro-Russian and pro-Republican sentiments, and stir partisan and racial discord. The network is reportedly funded by Russian defense contractor Rostec and is linked to propaganda campaigns aimed at advancing Russian political and military interests. The US State Department seeks information on Rybar and nine of its top figures:
- Vladimir Sergeyevich Berkutov, who worked on the TEXASvsUSA campaign
- Aleksandr Klimovich Kan, the head of Rybar's video department
- Tatyana Petrovna Kosterova, the head of Rybar's foreign language resources unit
- Olga Sergeyevna Kuznetsova, Rybar regional manager
- Maksim Vitalyevich Matveyev “Matveev,” designer and lead of content team
- Aleksandr Igorevich Minin, chief of content on TEXASvsUSA
- Valentina Valeryevna Minina, who worked on TEXASvsUSA
- Mikhail Sergeyevich Zvinchuk, director at Rybar
- Valeriya Vladimirovna Zvinchuk, creative director at Rybar
Notorious hacker known as USDoD arrested in Brazil
Brazil's Federal Police have arrested a notorious hacker known as USDoD, allegedly behind multiple high-profile cyberattacks, including breaches affecting the FBI and Airbus. USDoD is suspected of selling and disclosing sensitive data, including a breach in December 2022 of the FBI's InfraGard platform, which exposed personal information of 80,000 members involved in critical US infrastructure. In another attack, USDoD leaked details of 3,200 Airbus vendors. The hacker also accessed 2.9 billion private records from US-based data broker National Public Data, causing the company to file for bankruptcy.
The news follows the announcement from the Finnish authorities about the takedown of the dark web drug marketplace Sipulitie and its servers and contents. Sipulitie, active since 2023, was used for anonymous drug sales and other criminal activities. Authorities believe the same individual who ran Sipulimarket, which was busted in 2020, was behind Sipulitie. The authorities also shut down Tsätti, a chat-based drug sale site that had been operational since 2022 and is believed to have been operated by the same individual.
SEC hacker arrested by the FBI
Eric Council, a 25-year-old Alabama man, was arrested for allegedly hacking the US Securities and Exchange Commission's (SEC) X (formerly Twitter) account in January 2024, as part of a scheme to manipulate bitcoin prices. Council, using aliases such as “Ronin,” “Easymunny,” and “AGiantSchnauzer,” conspired with others to take unauthorized control of the SEC’s account via a SIM swap attack. On January 9, a fake post was shared from the account falsely claiming the SEC had approved bitcoin exchange-traded funds (ETFs), leading to a temporary spike in bitcoin’s value by over $1,000 per coin. The SEC quickly regained control, disavowed the post, and after the correction, bitcoin's price dropped by over $2,000.
5,100 arrested in illegal football gambling crackdown led by Interpol
In a large-scale international operation called SOGA X, over 5,100 arrests were made, and authorities recovered more than $59 million in illegal proceeds from illicit football gambling. The operation, led by Interpol and 28 countries between June and July 2024, targeted illegal online football betting during the UEFA 2024 European Championship. Criminal organizations behind these activities exploited vulnerable individuals, leading to the rescue of over 650 human trafficking victims. Authorities dismantled gambling syndicates involved in human trafficking, cyber scams, and financial crimes in the Philippines, Vietnam, Thailand, and Greece.