Middle East banking customers targeted in fake refund scam
Group-IB researchers observed a scam impersonating government officials and using remote access software to target banking customers in the Middle East and steal credit card information and one-time password (OTP) codes. The scam specifically targets individuals who have lodged complaints via a government portal and are hoping to receive refunds. Prior to the installation of the remote access software, victims who submit a complaint are infected with a stealer program. The fraudsters pose as government representatives and contact victims under the guise of assisting with their complaints, allowing them to trick the victims into installing an official complaint application and a remote access app. Victims are then asked to share their remote access code and upload a photo of their credit card to the complaints app, allowing the scammers to view the victims’ screen and steal their credit card details. Text notifications containing OTPs that appear on the victims’ screen are also intercepted by the scammers and used to complete fraudulent purchases.
Phishing campaign impersonates US Social Security Administration to deliver ConnectWise RAT
Cofense researchers observed a phishing campaign spoofing the United States Social Security Administration to deliver the ConnectWise remote access trojan (RAT). The campaign was first observed on September 16th, 2024, though the emails have since evolved to feature more deceptive email spoofing techniques, evasion tactics, and credential phishing attempts. The campaign reached peak volume on November 11th and 12th, 2024, a week after the day of the US presidential election. The emails contain embedded links that only redirect to the ConnectWise RAT payload once, while subsequent attempts to access the link redirect victims to a legitimate Social Security Administration website. After installing the RAT, victims are instructed to fill out a credential phishing form, allowing the threat actor to steal personal and financial information, bypass multi-factor authentication checks, and perform reconnaissance.
Fake CrowdStrike recruitment application leads to installation of XMRig
On January 7th, 2024, CrowdStrike researchers discovered a phishing campaign exploiting its recruitment branding to lure victims into downloading a fake employee CRM application, which serves as a downloader for the XMRig cryptocurrency miner. The phishing email claims to be part of the recruitment process and contains a link to a malicious website offering download options for both Windows and macOS. Regardless of the option selected by the victim, a Windows executable written in Rust is downloaded, which functions as a downloader for XMRig. The executable displays a message claiming that an error occurred during installation, then downloads a text file that in turn is used to fetch a ZIP file containing a copy of XMRig from GitHub.
Fake Mossad intelligence reports used to deliver XWorm to victims in the Middle East
Broadcom researchers detailed an ongoing campaign targeting users in the Middle East with supposedly leaked Mossad intelligence reports. The documents aim to deliver the remote access trojan XWorm, which provides remote desktop access, keylogging, persistence, and data exfiltration. Stolen information is sent to a Telegram bot using a specific BotToken and ChatID. The infection chain starts with a RAR archive containing a JavaScript file and a batch file, both disguised as legitimate documents. Upon execution, the files fetch a malicious JPG, which triggers PowerShell for further actions. Several legitimate processes are terminated to evade detection, while registry entries for the current user are modified to maintain persistence.
PhishWP WordPress plugin used to steal personal and financial details
SlashNext researchers warned of a malicious WordPress plugin that can turn legitimate sites into phishing pages. The plugin, dubbed PhishWP, creates fake payment pages that impersonate trusted services, such as Stripe. The fake pages are used to steal sensitive information such as credit card numbers, personal data, and browser metadata. The attack begins with attackers either breaking into a trusted WordPress site or creating a fake one. To increase the effectiveness of phishing campaigns, PhishWP uses customisable checkout pages, 3DS code harvesting, browser profiling, auto-response emails, multi-language support, and obfuscation techniques.
Ransomware
Volume of blog posts by operators during the last week.
PowerSchool hack exposes student, teacher data from K-12 districts (Bleeping Computer – Jan 08 2025)
Rhysida claims cyber attack on Montreal North, sets $1.64m ransom (Cyber Daily – Jan 07 2025)
Funksec Launches V1.5 RaaS to Expand Ransomware Arsenal (TechNadu – Jan 06 2025)
French govt contractor Atos denies Space Bears ransomware attack claims (Bleeping Computer – Jan 03 2025)
New York Hospital Says Ransomware Attack Data Breach Impacts 670,000 (SecurityWeek RSS Feed – Jan 03 2025)
Financial Services
Scammers Drain $500m from Crypto Wallets in a Year (Infosecurity Today – Jan 06 2025)
NDPC warns banks, others against data breaches (Nigerian Tribune – Jan 06 2025)
Bank of America Notifies Loan Customers of Data Breach Involving Unauthorized Access to Third-Party System (JD Supra – Jan 06 2025)
Cerberus Unchained: The Multi-Stage Trojan Banking Campaign Targeting Android Devices (SOCRadar – Jan 03 2025)
Do Kwon Extradited to the United States from Montenegro to Face Charges Relating to Fraud Resulting in $40B in Losses (United States Department of Justice – Jan 02 2025)
Geopolitics
Japanese Police claim China ran five-year cyberattack campaign targeting local orgs (TheRegister.com – Jan 09 2025)
Russian ISP confirms Ukrainian hackers “destroyed” its network (Bleeping Computer – Jan 08 2025)
EAGERBEE, with updated and novel components, targets the Middle East (Kaspersky Lab – Jan 06 2025)
Chinese cyberattacks on Taiwan government averaged 2.4 mln a day in 2024, report says (Reuters – Jan 06 2025)
U.S. uncovers hacking campaign targeting Guam’s critical infrastructure — suspected Chinese Volt Typhoon hacks could disrupt the defense of Taiwan (Tom’s Hardware – Jan 05 2025)
High Priority Vulnerabilities
Name | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2025-0282 | Neurons for ZTA gateways | 9.0 | 7.7 | Ivanti Connect Secure VPN Targeted in New Zero-Day Exploitation
CVE-2024-49113 | Windows | 7.5 | 6.5 | Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit
CVE-2020-2883 | WebLogic Server | 9.8 | 9.4 | CISA Flags Critical Flaws in Mitel and Oracle Systems Amid Active Exploitation
CVE-2024-48457 | Wifi Router MW5360 | 7.5 | 4.2 | Thousands of Netis routers contain critical flaws that allow for remote code execution
CVE-2024-12856 | F3x36 | 7.2 | 7.2 | Gayfemboy: A Botnet Deliver Through a Four-Faith Industrial Router 0-day Exploit.