Russia’s APT28 hackers exploit Windows Print Spooler flaw
Cyber Safe
by Priyanka R
3d ago
Microsoft warns that the Russian APT28 threat group exploits a Windows Print Spooler vulnerability to escalate privileges and steal credentials and data using a previously unknown hacking tool called GooseEgg. APT28 has been using this tool to exploit the CVE-2022-38028 vulnerability since at least June 2020 and possibly as early as April 2019. Redmond fixed the vulnerability reported by the U.S. National Security Agency during the Microsoft October 2022 Patch Tuesday but has yet to tag it as actively exploited in its advisory. The military hackers, part of Military Unit 26165 of Russia’s Main ..read more
UK Police take down phishing-as-a-service site LabHost
Cyber Safe
by Priyanka R
1w ago
UK police claim to have successfully infiltrated and disrupted a phishing-as-a-service (PhaaS) operation that made cybercriminals over £1m ($1.3m) from tens of thousands of victims. One of the world’s largest PhaaS platforms, LabHost offered all the tools fraudsters needed to launch sophisticated phishing and smishing (SMS phishing) campaigns. LabHost, launched in 2021, was responsible for hosting as many as 40,000 phishing sites by 2024, with 2000 criminal users said to be paying a monthly subscription fee for its services, according to London’s Metropolitan Police, which led the law enforceme ..read more
Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks
Cyber Safe
by Priyanka R
1w ago
Threat actors are actively exploiting critical vulnerabilities in OpenMetadata to gain unauthorized access to Kubernetes workloads and leverage them for cryptocurrency mining activity. OpenMetadata is an open-source metadata management platform that helps data engineers and scientists to catalog and discover data assets within their organization, including databases, tables, files, and services. The security vulnerabilities exploited in these attacks (CVE-2024-28255, CVE-2024-28847, CVE-2024-28253, CVE-2024-28848, and CVE-2024-28254) were patched one month ago in OpenMetadata versions 1.2.4 and ..read more
Chipmaker Nexperia confirms breach after ransomware gang leaks data
Cyber Safe
by Priyanka R
1w ago
Dutch chipmaker Nexperia confirmed that hackers breached its network in March 2024 after a ransomware gang leaked samples of the allegedly stolen data. Nexperia is a subsidiary of Chinese company Wingtech Technology that operates semiconductor fabrication plants in Germany and the UK, producing 100 billion units, including transistors, diodes, MOSFETs, and logic devices. The company disclosed that a data breach has forced it to shut down IT systems and launch an investigation to determine the scope of impact. They promptly took action and disconnected the affected systems from the internet to ..read more
Android spyware campaign targets users in India and Pakistan
Cyber Safe
by Priyanka R
2w ago
An active Android malware campaign dubbed eXotic Visit was found targeting users in South Asia, particularly those in India and Pakistan, with malware distributed via dedicated websites and Google Play Store. According to the Slovak cybersecurity firm, the activity, which has been ongoing since November 2021, is not linked to any known threat group. It’s tracking the group behind the operation under the name Virtual Invaders. ESET security researcher Lukáš Štefanko stated that the downloaded apps provide legitimate functionality, but also include code from the open-source Android XploitSPY RAT ..read more
Critical RCE bug in 92,000 D-Link NAS devices exploited in attacks
Cyber Safe
by Priyanka R
2w ago
Attackers are now actively targeting over 92,000 end-of-life D-Link Network Attached Storage (NAS) devices exposed online and unpatched against a critical remote code execution (RCE) zero-day flaw. The security vulnerability (CVE-2024-3273) is the result of a backdoor facilitated through a hardcoded account (username “messagebus” with an empty password) and a command injection issue via the “system” parameter. Threat actors are now exploiting these two security flaws to deploy a variant of the Mirai malware (skid.x86). Mirai variants are usually designed to add infected devices to a botnet tha ..read more
Beware of the new Latrodectus Malware
Cyber Safe
by Priyanka R
2w ago
Security researchers have discovered a new malware called Latrodectus, which has been distributed as part of email phishing campaigns since at least late November 2023. Researchers from Proofpoint and Team Cymru said in a joint analysis that Latrodectus is an up-and-coming downloader with various sandbox evasion functionality. It is designed to retrieve payloads and execute arbitrary commands. There is evidence to suggest that the malware is likely written by the same threat actors behind the IcedID malware, with the downloader put to use by initial access brokers (IABs) to facilitat ..read more
Jackson County IT systems hit by Ransomware attack
Cyber Safe
by Priyanka R
3w ago
Jackson County in Missouri, United States, reported significant disruptions within its IT systems and has confirmed that a ransomware attack was responsible for the disruptions. The disturbances have led to the declaration of a state of emergency caused by operational inconsistencies across digital infrastructure, with specific systems rendered inoperative while others remained functional. The impacted services include tax payments and online property, marriage licenses and inmate searches. Consequently, the Assessment, Collection and Recorder of Deeds offices across all County locations will ..read more
AT&T confirms data of 73 million customers leaked on Dark Web
Cyber Safe
by Priyanka R
3w ago
AT&T confirmed that it has been impacted by a data breach affecting 73 million current and former customers after initially denying the leaked data originated from them. AT&T has repeatedly denied for the past two weeks that a massive trove of leaked customer data originated from them or that their systems had been breached. AT&T stated that based on its preliminary analysis, the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders. In 2021, a threat actor known as Shi ..read more
Darcula phishing service targets iPhone users via iMessage
Cyber Safe
by Priyanka R
3w ago
A new phishing-as-a-service (PhaaS) named ‘Darcula’ uses 20,000 domains to spoof brands and steal credentials from Android and iPhone users in more than 100 countries. Darcula has been used against various services and organizations, from postal, financial, government, taxation departments, to telcos, airlines, utility, offering fraudsters over 200 templates to choose from. Darcula was first documented last summer by security researcher Oshri Kalfon but Netcraft analysts report that the platform is becoming more popular now, and was recently used in several high-profile cases wherein the smish ..read more