Kimsuky exploits weak DMARC policies in spear phishing attacks
A joint advisory from the United States Federal Bureau of Investigation, Department of State, and National Security Agency warns of attempted spear phishing attacks by the North Korean threat actor Kimsuky. The group exploits improperly configured DNS Domain-based Message Authentication, Reporting and Conformance (DMARC) record policies as part of its social engineering efforts, spoofing emails so that they appear to come from a legitimate domain’s mail exchange. Kimsuky’s spear phishing campaigns impersonate legitimate journalists, academics, and other experts in East Asian affairs who have credible links to North Korean policy circles.
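The advisory’s point is that a DMARC record exists but is not enforced. The checker below, an added example that is not part of the advisory, parses a `_dmarc` TXT record and flags the weak settings (`p=none`, partial `pct`, lax subdomain policy, no reporting address) that let spoofed mail through; the sample records and the `dns_lookup()` stand-in are constructed so it runs offline.

```python
"""Assess a domain's DMARC policy for the weak settings that permit spoofing.
Added example; sample records are constructed, and dns_lookup() is an offline
stand-in (replace it with a real resolver such as dnspython for live checks)."""
from typing import Dict, List, Optional

# Constructed sample records, keyed by the _dmarc.<domain> name a receiver queries.
SAMPLE_RECORDS = {
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "_dmarc.partial.example": "v=DMARC1; p=quarantine; pct=20; sp=none",
    "_dmarc.strong.example": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@strong.example",
}


def dns_lookup(name: str) -> Optional[str]:
    """Stand-in resolver: return the TXT record, or None when none is published."""
    return SAMPLE_RECORDS.get(name)


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict (tag names are case-insensitive)."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain: str) -> List[str]:
    """Return findings for the domain; an empty list means the policy is enforced."""
    txt = dns_lookup(f"_dmarc.{domain}")
    if txt is None:
        return ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["malformed record: missing v=DMARC1"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is delivered and only reported")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # sp defaults to p, so a p=none domain also leaves its subdomains unprotected.
    if tags.get("sp", policy).lower() == "none":
        findings.append("sp=none (or inherited): subdomains can be spoofed")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so abuse goes unseen")
    return findings
```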
New Mal.Metrica redirect scam uses fake human verification prompts
Sucuri researchers identified a new Mal.Metrica redirect scam on websites compromised via CVE-2024-2848 in the WordPress theme, ‘Responsive’. The scam involves fake human verification prompts that use an image overlay to trick users into clicking on a link to a malicious domain. The domain initiates further redirects to various scam sites that aim to harvest personal information or download malicious software. The Mal.Metrica campaign has been active since 2023, exploiting vulnerabilities across multiple popular WordPress plugins. At the time of writing, the researchers have detected 17,449 compromised websites.
Two Matanbuchus Loader malspam campaigns identified
Intrinsec researchers analysed two malspam campaigns that deployed the Matanbuchus Loader in March 2024. The campaigns used two bulletproof hosting services, Chang Way Technologies and Proton66 OOO, for their C2 infrastructure. The first campaign, which started on March 7th, 2024, involves an email with an attached Excel document containing an image lure; opening it leads to Matanbuchus being launched via a living-off-the-land binary. The second campaign, first identified by Palo Alto Networks Unit 42 researchers on March 26th, 2024, abuses Google ads to push a malicious website pretending to be a United States bank.
Spyware products used to target human rights groups in Indonesia
Amnesty International discovered the sale and deployment of invasive spyware and other surveillance technologies in Indonesia between 2017 and 2023. The spyware has been used to target human rights defenders, journalists and other members of civil society worldwide. Among the identified surveillance suppliers are Q Cyber Technologies, the Intellexa consortium, Saito Tech, FinFisher, Raedarius M8 Sdn Bhd, and Wintego Systems. The software was sold to various Indonesian state agencies and corporations, including the Indonesian National Police.
APT28 phishing campaign targets Polish government
On May 8th, 2024, Poland’s Computer Emergency Response Team discovered an email phishing campaign, linked to the Russian state-backed hacker group APT28, targeting Polish government institutions. The attack flow used in the campaign was identical to the Headlace backdoor delivery chain previously used by APT28. The infection chain begins with emails containing redirect links to popular web addresses known in the IT industry, designed to trick victims into clicking on a ZIP file purporting to contain photos.
Ransomware
Volume of blog posts by operators during the last week.
- LockBit leader unmasked and sanctioned – National Crime Agency – News – May 07 2024
- Play Ransomware Group Claims Responsibility for Disrupting Kansas City Scout System – The Cyber Express – May 07 2024
- City of Wichita shuts down IT network after ransomware attack – BleepingComputer.com – May 06 2024
- Blackbasta gang claimed responsibility for Synlab Italia attack – Security Affairs – May 04 2024
- CL0P Lists McKinley Packing, Pilot, and Pinnacle Engineering as Latest Victims – The Cyber Express – May 02 2024
Financial Services
- Hacker Duo Allegedly Strikes HSBC, Barclays in Cyberattacks – The Cyber Express – May 08 2024
- Hackers Behind MGM Attack Targeting Financial Sector in New Campaign – Bloomberg – May 08 2024
- Financial cyberthreats in 2023 – Kaspersky Lab – May 06 2024
- Finland warns of Android malware attacks breaching bank accounts – BleepingComputer.com – May 05 2024
- Hackers target Ukrainian bank with DDoS attack – The Kyiv Independent – May 02 2024
Geopolitics
- MoD data breach: China suspected of UK armed forces payroll hack – BBC – May 07 2024
- Ukraine impacted by escalating Russian financially motivated intrusions – SC Magazine US – May 06 2024
- Moldova Faces a Wave of DDoS Attacks – NETSCOUT Blog – May 06 2024
- Microsoft Outlook Flaw Exploited by Russia’s APT28 to Hack Czech, German Entities – The Hacker News – May 04 2024
- Military intelligence carries out cyberattack in Russia’s Tatarstan – The Kyiv Independent – May 03 2024
High Priority Vulnerabilities
| Name | Software | Base Score | Temp Score | Related |
|---|---|---|---|---|
| CVE-2024-3661 | DHCP | 7.6 | 6.3 | Attackers may be using TunnelVision to snoop on users’ VPN traffic (CVE-2024-3661) |
| CVE-2023-49606 | Tinyproxy | 9.8 | 9.5 | Talos discloses multiple zero-day vulnerabilities, two of which could lead to code execution |
| CVE-2015-2051 | DIR-645 | 9.8 | 9.4 | New “Goldoon” Botnet Targeting D-Link Devices |
| CVE-2024-2876 | Icegram Express Plugin | 9.8 | 7.1 | Hackers exploit LiteSpeed Cache flaw to create WordPress admins |
| CVE-2024-21887 | Policy Secure | 9.1 | 9.1 | Protecting Networks from Opportunistic Ivanti Pulse Secure Vulnerability Exploitation |