What’s going on in the cyber world today?
Windows Search, Noodle RAT, Linux, PhantomLoader, SSLoad Malware, Phishing Toolkit, PWA Login Forms, CISA, Phone Scammers, ALDI, Card Skimming, Toronto School Board, Life360, Hacker, Tile Tracker, Moreton Bay, Data Leak, Ukrainian Cyber Strikes, Russian Airports, Cybersecurity Professionals, Weekend Workload, Scattered Spider, RansomHub, GitHub, Bug Bounty Payouts, Passkeys, AWS, MFA Expansion, Kyiv Police, Russian Ransomware
Cyber Alerts
A new phishing campaign abuses the Windows Search protocol (search-ms: URIs) to push batch files hosted on remote servers, delivering malware to unsuspecting users. The protocol lets an application open Windows Explorer and run a search with specific parameters. Attackers abuse it to point Windows Search at a file share on a remote host, so the results appear to be locally hosted files.
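As a defender-side illustration (added here, not code from the original article), the following Python pulls search-ms: links out of a message or page, parses their parameters, and flags any whose crumb=location points at a remote UNC or WebDAV path rather than a local drive. The HTML snippet and the .invalid host are constructed placeholders, not real indicators.

```python
import re
from urllib.parse import unquote

# Constructed sample of a phishing-page snippet carrying two search-ms: links.
# The host uses the reserved .invalid TLD; it is a placeholder, not an indicator.
SAMPLE_HTML = (
    '<a href="search-ms:query=invoice&crumb=location:%5C%5Cfiles.example.invalid'
    '%40SSL%5CDavWWWRoot%5Cdocs&displayname=Downloads">Open invoice</a>'
    '<a href="search-ms:query=report&crumb=location:C%3A%5CUsers%5CPublic'
    '&displayname=Local%20files">Local search</a>'
)

LINK_RE = re.compile(r"search-ms:[^\s\"'<>]+", re.I)


def parse_search_ms(uri):
    """Split a search-ms: URI into its parameters; 'crumb' may repeat, so keep a list."""
    if not uri.lower().startswith("search-ms:"):
        return None
    params = {"crumb": []}
    for part in uri[len("search-ms:"):].split("&"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key, value = key.lower(), unquote(value)
        if key == "crumb":
            params["crumb"].append(value)
        else:
            params[key] = value
    return params


def is_remote_location(path):
    """A UNC path (\\\\host\\share, including the \\\\host@SSL\\DavWWWRoot WebDAV form)
    or a scheme:// URL sends the search to a remote host instead of the local disk."""
    return path.startswith("\\\\") or re.match(r"^[a-z][a-z0-9+.-]*://", path, re.I) is not None


def assess(uri):
    """Return a verdict for one search-ms: URI, or None if it is not one."""
    params = parse_search_ms(uri)
    if params is None:
        return None
    locations = [c[len("location:"):] for c in params["crumb"] if c.lower().startswith("location:")]
    # A remote share shown under a local-sounding displayname is the lure described above.
    return {
        "displayname": params.get("displayname", ""),
        "locations": locations,
        "remote": any(is_remote_location(loc) for loc in locations),
    }


def scan(text):
    """Find every search-ms: link in the text and assess each one."""
    return [assess(m.group(0)) for m in LINK_RE.finditer(text)]
```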
Noodle RAT, a newly discovered cross-platform malware, has been used by Chinese-speaking threat actors for years. Initially mistaken for variants of Gh0st RAT and Rekoobe, Noodle RAT is actually a distinct and sophisticated threat. Trend Micro’s analysis reveals it has been active since at least 2016, targeting both espionage and cybercrime activities.
SSLoad, delivered via PhantomLoader, infiltrates systems through phishing emails, pushing additional malware types. The malware employs self-modifying techniques to evade detection, highlighting its complexity and adaptability. Detected since April 2024, it gathers reconnaissance and deploys further payloads through various delivery methods.
A new phishing toolkit enables the creation of PWAs displaying corporate login forms to steal credentials. Integrated with OS features like app icons and notifications, PWAs offer enhanced engagement, potentially making phishing attempts more successful. While convincing users to install PWAs may require effort, threat actors could exploit this technique, leveraging the familiarity of login prompts within PWAs to deceive targets.
The Cybersecurity and Infrastructure Security Agency (CISA) warns of fraudulent calls impersonating agency staff, aiming to extract money or sensitive information. Recipients are advised not to engage, note the caller’s number, and report the incident immediately to CISA or law enforcement. Such scams contribute to the rising trend of phone-based impersonation fraud, with significant financial losses reported nationwide.
Cyber Incidents
ALDI cautions customers of a data breach affecting shoppers at five stores, including three in Southern California. Card skimming devices placed by a third party compromised credit card information used at the affected terminals. ALDI swiftly removed the devices, secured payment systems, and reported the incident to law enforcement and credit card companies. The breach may have exposed cardholder names, card numbers, expiration dates, PINs, and security codes.
The Toronto District School Board (TDSB) grapples with a ransomware attempt on its testing environment. This large Canadian institution manages 582 schools serving 235,000 students. While TDSB systems remain operational, officials have enlisted cybersecurity experts to assess the incident and ensure data protection.
A recent security breach targeted the systems behind Tile device trackers, resulting in the theft of sensitive customer data. The hacker accessed a tool designed for responding to law enforcement requests about Tile trackers, enabling them to collect names, addresses, emails, and phone numbers. Although the stolen information did not include precise Tile location data, the breach raises significant privacy concerns for affected users.
Personal details of Australian residents, including complaints, were accidentally disclosed on the Moreton Bay council’s website. Piper Lalonde, a local resident, uncovered the breach and found her own and others’ private information exposed. Despite her reporting the issue to the council, concerns remain about the lack of notification to affected individuals.
Cyberattacks by HUR, Ukraine’s Defence Intelligence Directorate, caused flight delays and diversions at Russian airports, impacting Sochi, Bodrum, and Moscow flights. Ukrainian intelligence also seized control of servers, displaying a message of solidarity before disabling them. These strikes mark ongoing tensions between Ukrainian cyber experts and Russian institutions.
Cyber News
A Bitdefender report reveals that over 70% of cybersecurity professionals often work weekends due to security concerns, leading to job dissatisfaction. Across the UK, Germany, and the US, a significant portion of respondents are considering job changes, reflecting widespread burnout. With over half reporting recent data breaches and rising concerns about AI threats and cloud security, professionals seek proactive measures to bolster defenses.
The Scattered Spider cybercrime group has joined RansomHub, raising concerns over escalated ransomware operations, as analyzed by GuidePoint Security. Scattered Spider’s shift in affiliation follows the collapse of previous groups, altering the landscape of Ransomware-as-a-Service (RaaS) models and heightening competition among threat actors for affiliates. Known for sophisticated social engineering tactics, Scattered Spider is difficult to counter in its data theft and ransomware campaigns, which underscores the importance of user education and robust identity verification processes in cybersecurity defense.
GitHub’s bug bounty program has surpassed $4 million in payouts since its inception a decade ago, with the highest single reward of $75,000 granted for a critical vulnerability discovered in 2023. This flaw allowed unauthorized access to production container environment variables, prompting GitHub to take swift action to mitigate the risk.
AWS introduces FIDO2 passkeys for MFA, urging ‘root’ users to enable MFA by July 2024. Passkeys offer robust protection against phishing and man-in-the-middle attacks, supporting various device architectures. Mandatory MFA starts with root accounts, gradually expanding to enhance AWS security.
Kyiv police identified a 28-year-old man suspected of aiding major Russian ransomware groups in concealing their malware. Allegedly collaborating with Conti and LockBit, he provided cryptor technology to hide ransomware payloads from detection. Law enforcement searches in Kharkiv and Kyiv followed a request from Dutch authorities, seizing electronic devices and handwritten notes, though it’s uncertain if the suspect has been apprehended.
Copyright © 2024 CyberMaterial. All Rights Reserved.