Phishing campaign targets Google Ads users with fake Google ads
Malwarebytes researchers observed a phishing campaign that uses fraudulent Google search ads to promote phishing sites that steal advertisers’ credentials for the Google Ads platform. The hackers likely aim to resell stolen advertiser accounts on blackhat forums, while keeping some for themselves to execute future attacks. The researchers identified two main groups running the scheme: the first consists of Portuguese speakers likely operating out of Brazil, while the second uses advertiser accounts from Hong Kong and is possibly based in China. A separate campaign advertising the Google Authenticator app was also identified; it uses fake CAPTCHA lures and a heavily obfuscated phishing page, and the threat actors behind it are likely Eastern European.
OceanLotus uses malicious Cobalt Strike plugin to target Chinese cybersecurity personnel
ThreatBook researchers linked recent reports of a backdoored Cobalt Strike exploit plugin to the Southeast Asian advanced persistent threat actor OceanLotus. The malicious version was published on GitHub in October 2024 to target Chinese cybersecurity professionals, and the researchers also identified similar samples used in attacks since mid-September 2024. The attackers embedded a malicious SUO file into a Visual Studio project to evade detection: when the project is compiled, the trojan executes automatically and is then overwritten and deleted to further evade detection. The malware is delivered with the DLL hollowing technique commonly used by OceanLotus, and the note-taking platform Notion is used for C2 communication.
RedCurl uses new RedLoader backdoor to target organisations in Canada
Huntress researchers observed a campaign, attributed to the advanced persistent threat actor RedCurl, targeting organisations in Canada from at least November 2023 to late 2024 as part of its espionage efforts. The campaign deployed a new malware, dubbed RedLoader, that has basic backdoor capabilities. RedLoader uses dynamic DLL resolution, string encryption, and junk C2 addresses for obfuscation. Some changes in techniques and infection chain were observed compared to previously reported cases, including the use of living-off-the-land binaries such as Pcalua in scheduled tasks for malware and script execution, data exfiltration with 7zip, and use of the RPivot tool to set up reverse proxy tunnels via Python scripts. RedCurl was also observed using many different batch files, alongside PowerShell and Python scripts, to execute its attacks.
Double-Tap campaign targeting Kazakhstan linked to UAC-0063
Sekoia researchers identified multiple legitimate Office documents from the Ministry of Foreign Affairs being used as part of an ongoing UAC-0063 cyberespionage campaign. The campaign targets Central Asia, including Kazakhstan and its diplomatic and economic relations with Asian and Western countries. It involves a new infection chain, dubbed Double-Tap, to deliver HATVIBE and CHERRYSPY malware. The infection chain involves previously unknown malicious code within the delivered documents, with a malicious macro aimed at creating another malicious document. The second document is automatically opened in a hidden Word instance and drops and executes a malicious HTA file with HATVIBE embedded. The observed infection chain shares similarities with previous Zebrocy infection chains, including the use of VBA scripts to drop a backdoor. The researchers assess with medium confidence that UAC-0063 is related to the Russian threat actor APT28.
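Two of the behaviours described above, RedCurl's use of Pcalua in scheduled tasks to run scripts and Double-Tap's hidden Word instance executing an HTA file, both surface in process-creation telemetry. The following added example (not code from Huntress, Sekoia or any cited report) runs two such detection rules over constructed Sysmon-style events; every host path, file name and rule name in it is hypothetical.

```python
"""Process-creation detections for the RedCurl and Double-Tap TTPs summarised above.
Field names mirror Sysmon Event ID 1; all events below are constructed samples."""
from dataclasses import dataclass
import ntpath
import shlex

# Script types RedCurl was reported to run (batch, PowerShell, Python) plus common lookalikes.
SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".py", ".vbs", ".js")

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

def _args(command_line: str) -> list[str]:
    # Non-POSIX mode keeps Windows backslashes intact; surrounding quotes are stripped per token.
    return [tok.strip('"').lower() for tok in shlex.split(command_line, posix=False)]

def detect(ev: ProcEvent) -> list[str]:
    """Return the names of the rules this event matches (empty list means no match)."""
    hits: list[str] = []
    parent = ntpath.basename(ev.parent_image).lower()
    image = ntpath.basename(ev.image).lower()
    args = _args(ev.command_line)
    # RedCurl: "pcalua.exe -a <script>" proxies execution of a batch/PowerShell/Python payload;
    # when launched by a scheduled task the parent is svchost.exe hosting the Schedule service.
    if image == "pcalua.exe" and "-a" in args:
        idx = args.index("-a")
        target = args[idx + 1] if idx + 1 < len(args) else ""
        if target.endswith(SCRIPT_EXT):
            hits.append("pcalua_script_proxy_exec")
    # Double-Tap: a hidden Word instance dropping and running an HTA shows up as
    # WINWORD.EXE spawning mshta.exe, the Windows host for .hta files.
    if parent == "winword.exe" and image == "mshta.exe":
        hits.append("office_spawns_mshta")
    return hits

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> matched rules, omitting events that match nothing."""
    return {i: h for i, ev in enumerate(events) if (h := detect(ev))}

# Constructed sample telemetry (hypothetical paths), not events from the cited reports.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\pcalua.exe",
              r"pcalua.exe -a C:\Users\Public\update.bat"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\mshta.exe", r'mshta.exe "C:\Users\alice\AppData\Local\Temp\doc.hta"'),
    ProcEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\pcalua.exe",
              r"pcalua.exe -a C:\Program Files\Vendor\setup.exe"),  # ordinary compat launch, no hit
]
```

Only the first two sample events are flagged; the third shows that a plain executable launched through Pcalua does not trip the script-proxy rule.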
Fraudsters target Middle East with real estate scams
Group-IB researchers observed an increase in real estate scams in the Middle East exploiting online platforms to deceive victims into paying for fake properties. The scammers typically target specific groups such as expatriates or individuals relocating to new cities. The scheme begins with the fraudster finding a suitable advertisement on a platform, copying it, and publishing it under their own name. Victims who view the ad contact the scammer via the platform’s messenger or via a third-party application, most commonly WhatsApp, where the scammer provides the victim with proof of their reliability, including a fake property agreement and a fake rental contract. The fraudster then receives the victim’s funds either via an electronic wallet linked to their account on the rental registration platform, or through a direct transfer to a mule account.
Ransomware
Volume of blog posts by operators during the last week.
Cl0p Ransomware Group Releases List of Victims Compromised Using Cleo Vulnerability – Siembiot – Jan 16 2025
RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate’s Arsenal – Darktrace – Jan 14 2025
Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C – Halcyon.ai – Jan 13 2025
Slovakia Hit by Historic Cyber-Attack on Land Registry – Infosecurity Today – Jan 10 2025
FunkSec – Alleged Top Ransomware Group Powered by AI – Check Point Research – Jan 10 2025
Hexalocker v2 being proliferated by Skuld Stealer – Cyble Blog – Jan 09 2025
Financial Services
US, Japan, South Korea Blame North Korean Hackers for $660M Crypto Heists – SecurityWeek RSS Feed – Jan 15 2025
Allianz Life Insurance Company Data Breach Leaks Policyholder Information – JD Supra – Jan 10 2025
Mexican Company Leaks Millions of Records from Unsecured Bucket – SC Magazine UK – Jan 10 2025
Stealthy Credit Card Skimmer Targets WordPress Checkout Pages via Database Injection – Sucuri Blog – Jan 09 2025
Fake Solana packages target crypto devs, abuse Slack & ImgBB for data theft – Sonatype – Jan 08 2025
Geopolitics
Pro-Russia hackers NoName057 targets Italy again after Zelensky’s visit to the country – Security Affairs – Jan 12 2025
US Treasury hack linked to Silk Typhoon Chinese state hackers – Bleeping Computer – Jan 09 2025
Russian bots boosted NATO critic ahead of Croatian election, researchers say – Politico.eu – Jan 09 2025
Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain – Threat Reports – Insikt Group – Jan 09 2025
Ukrainian Intel Strikes Russian Transport Service With Cyberattack on Budanov’s Birthday – KyivPost – Jan 04 2025
High Priority Vulnerabilities
| Name | Software | Base Score | Temp Score |
|---|---|---|---|
| CVE-2024-55591 | FortiProxy | 9.8 | 9.8 |
| Related: Fortinet confirms zero-day flaw used in attacks against its firewalls | | | |
| CVE-2025-21333 | Windows | 7.8 | 7.5 |
| Related: Microsoft Patch Tuesday updates for January 2025 fixed three actively exploited flaws | | | |
| CVE-2024-50603 | Controller | 10.0 | 9.4 |
| Related: Wiz Research Identifies Exploitation in the Wild of Aviatrix Controller RCE (CVE-2024-50603) – Wiz | | | |
| CVE-2024-27397 | Kernel | 5.3 | 5.1 |
| Related: Linux Kernel Privilege Escalation Vulnerability (CVE-2024-27397) Exploited: PoC Released | | | |
| CVE-2024-52875 | Kerio Control | 7.3 | 6.6 |
| Related: GFI KerioControl Firewall Vulnerability Exploited in the Wild | | | |