Steve Thomas - IT Consultant


  • Microsoft says a new threat actor started targeting critical infrastructure
  • The group is linked to Silk Typhoon
  • It engages in spear phishing and vulnerability exploits

Storm-0227, a Chinese state-sponsored advanced persistent threat (APT) actor, has started targeting critical infrastructure organizations, as well as government entities, in the United States.

This is according to Sherrod DeGrippo, director of threat intelligence strategy at Microsoft.

Speaking to The Register recently, DeGrippo said that the group abuses software vulnerabilities and engages in spear phishing attacks to gain access to people’s devices.

Commodity malware

Once they get the access, they deploy various Remote Access Trojans (RATs) and other malware to obtain login credentials for services such as Microsoft 365. They also steal sensitive documents and whatever else they can get their hands on. The goal of the campaign is cyber-espionage.

An interesting thing about Storm-0227 is that it uses off-the-shelf malware which, a few years ago, would have come as quite the shock: “Even national-aligned threat actors … are pulling commodity malware out of that trading ecosystem and using it for remote access,” she told the publication. Half a decade ago “that was sort of a shocking thing to see a nation-sponsored, espionage-focused threat actor group really leveraging off the shelf malware,” she added. “Today we see it very frequently.”

There was no word on the number of victims, but DeGrippo described the group as an “embodiment of persistence”.

"China continues to focus on these kinds of targets," she said. "They're pulling out files that are of espionage value, communications that are contextual espionage value to those files, and looking at US interests."

Storm-0227 seems to overlap, at least in part, with Silk Typhoon, it was further said. There is a whole list of “typhoon” threat actors, all on the payroll of the Chinese government, and all apparently tasked with spying on western governments, critical infrastructure firms, and other areas of interest (military, aerospace, and similar).

That includes Volt Typhoon, Salt Typhoon, Flax Typhoon, and Brass Typhoon. Salt Typhoon was recently linked to a number of high-profile breaches, including at least four major US telecom operators.

Via The Register


  • Security researchers found two new malware variants, an infostealer and a loader
  • The developers seem to be the same group that's behind more_eggs
  • The infostealer can grab passwords, cookies, and more

Venom Spider, a threat actor behind the infamous More_eggs malware, is expanding its malware-as-a-service (MaaS) operation. This is according to a new report from cybersecurity researchers Zscaler ThreatLabz, who recently found two new malware families linked to the same developer.

In a detailed report published earlier this week, the researchers said that Venom Spider (also known as Golden Chickens) built an infostealer called RevC2, and a loader named Venom Loader.

The infostealer can grab people’s login credentials and cookies from Chromium-powered browsers (Chrome, Edge, Brave, and others). It can run shell commands, grab screenshots, and proxy traffic using SOCKS5. It can also run commands as a different user. The loader, on the other hand, is customized for each victim, and uses the victim’s computer name to encode the payload, it was said.

VenomLNK

The researchers first observed the new malware being used in August this year, and have been tracking it ever since. They don’t know exactly how the malware is distributed to the victims, but suspect it all starts with VenomLNK. This is an initial access tool that the researchers observed being used to deploy both of the above-mentioned malware, while at the same time, showing a decoy PNG image to the victim.

This is not the first time VenomLNK was seen in the wild, as the experts said it was used to deploy More_eggs lite before.

More_eggs is a JavaScript-based loader used to infiltrate systems by downloading and executing additional malicious payloads, typically after gaining an initial foothold through phishing emails or malicious links.

The malware is notorious for its stealthy behavior, as it leverages legitimate processes and tools to evade detection. Attackers often deploy more_eggs to install ransomware, steal sensitive data, or provide remote access to compromised systems.

More_eggs has been around for at least three years, possibly for longer.

Via The Hacker News


  • A yearly certification should be mandatory for US telcos, FCC Chair said
  • The initiative should help businesses tackle rising attacks
  • China denies any involvement

It should be mandatory for American telecommunications organizations to submit a certification every year confirming they have a solid cyber-incident response plan in place.

This is a proposal set forth by US Federal Communications Commission Chairwoman Jessica Rosenworcel, in response to recent news that Chinese state-sponsored threat groups have entrenched themselves deeply in US telecom providers, possibly snooping on important communications for years.

Earlier this year, multiple cybersecurity organizations, and then government agencies too, reported that a Chinese threat actor known as Salt Typhoon had infiltrated some US telecommunications giants and was pulling valuable data.

Immediate effect

Later, a number of organizations confirmed the findings, including T-Mobile, Verizon, Lumen Technologies, and AT&T. The campaign seems to be global, affecting “dozens” of private and public sector firms around the world.

"While the Commission's counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future," Rosenworcel said in a statement.

Reuters cited Rosenworcel saying the proposal was being circulated to other commissioners in her agency. If adopted, it would take effect immediately, it was added.

The victims are now working diligently on ousting the spies in an ongoing effort, with no concrete deadline set up.

At the same time, the Chinese government remains silent. In the past, it has denied these allegations on numerous occasions, even accusing the US of being the world’s cyber-bully at one point. A few months ago, it released a report in which it claimed that Volt Typhoon, another hacking collective, was actually a CIA asset.

The document asserts that China consulted over 50 cybersecurity experts, who collectively determined both the US and Microsoft do not have enough evidence to implicate China’s involvement with Volt Typhoon. However, the names of the experts are not included in the document.

Via Reuters


  • Businesses are being sent billions of spam emails
  • Of these emails, 427 million contained malicious content
  • Phishing attacks are the primary attack vector

New research from HornetSecurity has shown that a third of all emails received by businesses this year were spam, amounting to over 20 billion over the course of the year. Of these, over 427 million contained malicious content (2.3%).

Unsurprisingly, phishing is top of the list of the most prevalent cyberattacks in 2024, and was responsible for a third of all attacks. Malicious URLs came in a close second, making up 22.7%.

Malicious links often direct victims to fake login pages, enticing them to enter personal or even payment information. Although nearly every type of malicious file saw a decrease in comparison to 2023, HTML files (20.4%), PDFs (19.2%), and Archive files (17.6%) were still the top three vectors used.

Phishing is king

Cybercriminals have been using social engineering attacks for many years, but the evolution of AI tools has led to a significant rise in attacks in recent years, with some businesses receiving 36 phishing emails per day.

AI is not only making attacks more common, but also more sophisticated, with new tactics often able to bypass security measures. Q2 of 2024 saw a 52.2% increase in phishing attacks that passed secure email gateway detection.

“Last year, our prediction came to pass that phishing attacks would become more sophisticated, targeted and difficult to spot, due in large part to the proliferation of generative AI,” said Matt Aldridge, Principal Solutions Consultant at OpenText Cybersecurity.

“We predict that this trend will continue, as attackers continue to become better armed with AI-integrated solutions such as next-generation phishing kits. Ensuring that all bases are covered will need to be top of mind for SMB defenders. Getting the basics right has never been more critical.”


  • TfL shares its first-ever estimate of the cyberattack's cost
  • It is around $38m, with a significant part going to external help
  • Experts call upon tighter cooperation to protect critical infrastructure

To address the cyber attack Transport for London (TfL) suffered in September this year, the organization has had to spend around £30 million (roughly $38 million), it was confirmed.

This was the first time TfL tried to estimate the financial cost of the cyberattack, The Standard writes in its report, adding that more data will be available in the coming weeks.

In early September, the local government body responsible for managing the transportation system in Greater London reported suffering a cyber-incident, and a few weeks later, a teenager was arrested.

No insurance

A subsequent investigation determined that certain customer data was accessed and stolen, possibly including bank account numbers and sort codes.

A spokesperson for the organization was cited saying that it’s still too early to determine the full financial impact of the attack, since there are “a range of costs associated with managing and mitigating the cyber incident”, on which TfL has already spent around £5m. That, The Standard further clarifies, includes “external support” - third-party cybersecurity organizations that help respond to and remediate the attack. “There are also costs associated with delays to some projects as well as costs that ensured we could keep London moving while we dealt with the incident.”

TfL is still working on restoring its “back office”, it was said, and has recently started accepting applications for concessionary fares. To make matters worse, the organization was not insured against cyber-attacks since, as the publication cites, such risk is “borderline uninsurable”.

“Every single penny that we’ve needed to divert to responding to the cyber incident is a penny we cannot use for the benefit of customers and the benefit of improving services around London,” TfL chief finance officer Rachel McLean allegedly told the board.

“The £5m already spent has been funded out of TfL’s central contingency budget and we are doing everything we can to mitigate the impact and reduce the final cost.”

“Due to their importance, safeguarding critical national infrastructure is vital to maintain order and prevent potential disasters caused by threats such as cyber-attacks,” commented Spencer Starkey, Executive VP of EMEA at cybersecurity pros SonicWall.

“Ensuring the cybersecurity of critical national infrastructure requires a comprehensive and ongoing effort. The ramifications of an attack and ensuing outage on CNI can be disastrous and it's important to place the utmost amount of time, money and efforts on securing them.”

Starkey called for “constant communication and cooperation,” saying that teamwork between the private and public sectors, together with strict punishment, is the best way to protect critical infrastructure.

Via The Standard


  • iVerify has asked volunteers to scan devices for spyware
  • Of the 2,500 scanned, 7 were infected
  • The Pegasus spyware found is notoriously used against high-value targets

Spyware risks have been rising fast in recent years, and although security firms always advise caution, the consensus has been that only a very small number of people are affected by the attacks.

However, new research from iVerify shows that high-powered spyware may be more common than previously thought. The mobile security firm scanned the devices of 2,500 users who volunteered to use the iVerify Mobile Threat Hunting feature - and seven instances of high-powered Pegasus spyware were discovered.

This might not seem like a high number, or even a high percentage, but at a rate of 2.5 infected devices per 1,000 scans - this is "far higher than any previously published reports," iVerify confirmed.

High risk targets

Given the nature of the spyware and of the people who seek out threat detection, users of the Mobile Threat Hunting feature are more likely to be those at higher risk of spyware, such as government officials, journalists, and corporate executives.

The Pegasus software was developed by the Israeli NSO Group in 2011, and can be used to remotely surveil individuals on both Android and iPhone devices. The spyware has been linked to so many cases of targeting political opponents, journalists, and dissidents that the US halted the visas of anyone involved in its misuse earlier this year.

By offering a mobile threat scanner, iVerify is working to ‘democratize’ the mobile threat landscape, hoping to reveal the true scope of malware and protect mobile users.

“Traditional security models fail to capture the nuanced threats facing mobile devices,” iVerify said in a statement.

“In the past, Pegasus detections have been rare due to a lack of effective detection solutions, but with improved detection and remediation methods, we believe there is more compromise than is currently understood.”


  • MirrorFace pivoted to spear phishing to target high-profile individuals in Japan
  • The group is looking for information regarding China-US relations
  • It is using backdoors not seen in years

MirrorFace, a Chinese state-sponsored threat actor also known as Earth Kasha, has been observed stepping away from its usual practice to target specific individuals, with even more specific backdoors.

Cybersecurity researchers from Trend Micro recently observed MirrorFace engaging in spear phishing attacks, targeting individuals in Japan.

Previously, the group was focused on business entities, and abused vulnerabilities in endpoint devices such as Array Networks and Fortinet for initial access.

Targeting individuals

This time around, MirrorFace seems to be particularly interested in topics around Japan’s national security and international relations, the researchers stressed. They came to this conclusion after analyzing the victims and the lures used in the spear phishing emails. The lures were mostly fake documents discussing Japan's economic security from the perspective of current US-China relations.

"Many of the targets are individuals, such as researchers, who may have different levels of security measures in place compared to enterprise organizations, making these attacks more difficult to detect," Trend Micro said. "It is essential to maintain basic countermeasures, such as avoiding opening files attached to suspicious emails."

Those who failed to spot the attack ended up getting two backdoors - NOOPDOOR (also known as HiddenFace) and ANEL (also known as UPPERCUT). Trend Micro said the latter was particularly interesting, since it had been basically nonexistent for years.

"An interesting aspect of this campaign is the comeback of a backdoor dubbed ANEL, which was used in campaigns targeting Japan by APT10 until around 2018 and had not been observed since then," they said. APT10 is likely MirrorFace’s umbrella organization.

Earth Kasha is quite an active group these days. In late November, researchers saw the group targeting organizations in Japan, Taiwan, India, and even Europe, through vulnerabilities in Array AG, Proself, and Fortinet products. They were also seen using SoftEther VPN, a legitimate open-source VPN tool, to bypass a target’s firewall and blend into legitimate traffic.

Via The Hacker News


  • US government representatives say at least eight US telcos were compromised by the Chinese
  • The hackers have probably not yet been completely removed
  • China is currently not responding to the claims

Salt Typhoon’s reach is a lot wider than initially thought, compromising numerous telecommunications companies and other organizations in both the private and public sector, around the world.

This is according to the representatives of the White House, the FBI, and CISA, who recently held press briefings to update the public on their findings regarding Salt Typhoon’s apparent mass-surveillance campaign.

The officials said that Salt Typhoon’s victims are located in dozens of countries around the world.

Evicting the squatters

While the full scope of the attack is yet to be determined, we do know that the attackers targeted telecommunications organizations in the United States. In fact, it was said during the briefing that eight US telcos were compromised, up from the four that were previously known.

So far, T-Mobile, Verizon, AT&T, and Lumen Technologies have all confirmed having been targeted by Salt Typhoon.

The campaign lasted for years, it was added. However, there is currently no evidence that the hackers managed to grab any classified communications.

As new information emerges, this attack seems to be turning into a major escalation. Salt Typhoon is a Chinese, state-sponsored threat actor focused on cyber-espionage against western targets. For months now, cybersecurity experts, government agents, and the media have been reporting on Salt Typhoon’s attacks on internet service providers, telecommunications firms, and similar companies. The targets have been working hard on cleaning up their IT systems, but according to CISA, there’s still work to be done.

"We cannot say with certainty that the adversary has been evicted, because we still don't know the scope of what they're doing. We're still trying to understand that, along with those partners," a senior CISA official said in a Tuesday press call, BleepingComputer reports.

China has not yet issued an official statement or comment regarding these allegations. In the past, the country’s representatives have vehemently denied any wrongdoing, instead accusing the United States of being the world’s cyber-bully.

Via BleepingComputer


  • The Cybernews team found a huge database belonging to Safelinking
  • It contained 30 million links, as well as customer data
  • A malicious bot scraped and then destroyed it

A company that provides safe links services kept a major database with sensitive information unlocked and available to anyone who knew where to look.

As a result, sensitive information on millions of people got leaked on the dark web, and the database ended up destroyed.

This is according to cybersecurity researchers Cybernews. In early August, the team discovered a “poorly configured” and passwordless MongoDB database belonging to a company called Safelinking.net, a firm that provides password-protected links services.

Ransom demanded

When someone wants to send sensitive data across the internet, they can lock the link behind a PIN, or password, using companies like Safelinking. Thus, it is safe to assume that the data behind the link is highly sensitive in nature.

Still, Safelinking made the all-too-common error of failing to properly secure the database, Cybernews argues. It contained 30 million private links, as well as account data on more than 150,000 users. This data includes people’s usernames, emails, encrypted passwords with salt and API hashes, notification settings, security settings associated with the links, social media account IDs, and protected links.
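The article does not show Safelinking's actual configuration, so as an added illustration of the kind of setting that was missing (this is not Safelinking's or Cybernews' material), here is a minimal mongod.conf fragment with access control turned on. The configuration keys are MongoDB's own; the bind address and storage path are assumed values, and the comments spell out the weak alternative that leaves an instance open to anyone who can reach its port.

```yaml
# Added example: minimal mongod.conf with access control enabled.
# Key names are MongoDB's; the interface and path values are assumptions.
net:
  # Weak setting would be bindIp: 0.0.0.0 on an internet-facing host, which
  # exposes the listener to every client on the network. Bind to loopback or
  # a private interface instead.
  bindIp: 127.0.0.1
  port: 27017
security:
  # Weak setting is omitting this block entirely (the default), which lets any
  # client that can reach the port read and write every collection unauthenticated.
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb   # assumed path
```

With `authorization: enabled`, an instance rejects unauthenticated reads and writes; the first administrative user is created through the localhost exception, after which every client needs credentials and a role that permits the operation. This is the state the exposed Safelinking instance, as described above, lacked.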

Oftentimes, the researchers are the first ones to find these databases, averting a bigger catastrophe. Not this time, though. Cybernews discovered that a malicious bot had beaten them to the punch, pulling all the data to an attacker-controlled server and leaving a message that the archives would be destroyed if roughly $600 in bitcoin wasn't paid.

Since Safelinking didn’t pay the ransom demand, the bot destroyed the database, and it’s no longer publicly available.

"It's a good reminder of why it's so important to have solid security measures in place for platforms handling this type of data,” said the Cybernews research team. “Even if the platforms sometimes fail to secure users' privacy, it's good to know basic security hygiene, like using multi-factor authentication.”

Via Cybernews


  • CISA added a number of high-severity flaws to its catalog
  • One of the bugs is a 10/10
  • One bug is being exploited by Chinese state-sponsored actors

Multiple vulnerabilities plaguing solutions from Zyxel, North Grid Proself, ProjectSend, and CyberPanel, are being actively exploited in the wild to bypass authentication, mount XXE attacks, drop malicious JavaScript, deploy arbitrary files, and more.

Earlier this year, multiple cybersecurity researchers, vendors, and professionals, warned about these bugs at different times, with reports coming in from Sekoia, Censys, VulnCheck, and others.

Now, the US Cybersecurity and Infrastructure Security Agency (CISA) added these flaws to its Known Exploited Vulnerabilities (KEV) list, confirming in-the-wild abuse. Federal agencies have a three-week deadline to patch the software up or stop using it altogether, which expires on December 25, 2024.

Earth Kasha

The most dangerous of the flaws is an incorrect default permissions vulnerability, discovered in CyberPanel. It has a severity score of 10/10 (critical) and is tracked as CVE-2024-51378. It can be used to bypass authentication and execute arbitrary commands using shell metacharacters.

Other notable mentions include an improper restriction of XML External Entity (XXE) reference vulnerability, tracked as CVE-2023-45727, with a severity score of 7.5. It affects Proself Enterprise/Standard Edition Ver5.62 and earlier, Proself Gateway Edition Ver1.65 and earlier, and Proself Mail Sanitize Edition Ver1.08.

Late last month, researchers from Trend Micro said that this bug was one of several being used by the Chinese state-sponsored threat actor Earth Kasha (aka MirrorFace). The group also used bugs in Array AG and Fortinet FortiOS/FortiProxy to establish initial access on their targets’ endpoints.

Furthermore, a bug found in ProjectSend versions prior to r1720 allows a remote, unauthenticated user to create accounts, upload web shells, and embed malicious JavaScript. It is tracked as CVE-2024-11680, and comes with a severity score of 9.8 (critical).

All the bugs recently added to KEV are listed in CISA's catalog.

Via The Hacker News


  • BT Group confirmed its Conferencing services were targeted
  • Black Basta took responsibility for the attack
  • The group claims to have stolen hundreds of gigabytes of sensitive information

British telecommunications behemoth BT Group confirmed that it was recently targeted by the ransomware actors known as Black Basta.

The group targeted its Conferencing business division, and even forced it to shut down parts of its infrastructure.

The results of the attack are up for debate, however, since BT claimed very little damage was done, with Black Basta saying the exact opposite.

Prolific player

"We identified an attempt to compromise our BT Conferencing platform. This incident was restricted to specific elements of the platform, which were rapidly taken offline and isolated," BT told BleepingComputer in a statement. "The impacted servers do not support live BT Conferencing services, which remain fully operational, and no other BT Group or customer services have been affected."

But Black Basta begs to differ. The group claims to have stolen 500GB of sensitive data in the attack, including financial and organizational data, “users and personal docs,” NDA agreements, confidential information, and then some. To support their claims, the group released document screenshots, folder listings, and more. It also said it would be leaking the files soon, if the company does not pay the ransom demand.

We don’t know how much money Black Basta is asking for.

"We're continuing to actively investigate all aspects of this incident, and we're working with the relevant regulatory and law enforcement bodies as part of our response," the BT Group spokesperson concluded.

Black Basta is currently one of the biggest ransomware threats out there, according to the FBI and CISA. In March this year, the two agencies issued a joint report stating that in its first two years of existence the group targeted more than 500 organizations all over the world.

Among the victims are organizations in 12 out of 16 critical infrastructure sectors, including the Healthcare and Public Health (HPH) Sector. Some of Black Basta’s victims include Hyundai Europe, Capita, The American Dental Association, Yellow Pages Canada, Dish, and many others.

Black Basta most likely emerged after the downfall of Conti, another major ransomware player until the beginning of the Russian invasion of Ukraine.

Via BleepingComputer


  • Mac users need to stop believing that macOS is safer than Windows
  • Generative AI has helped non-coders to create their own malware
  • Social engineering continues to be the most common attack method

Cybersecurity experts from Moonlock are warning of the increasing prevalence of sophisticated macOS malware created with the help of generative AI.

In its 2024 Threat Report, Moonlock explored how publicly available tools like ChatGPT have enabled hackers to work around the technical barriers they were previously subject to in order to create malicious software more quickly.

The research found screenshots posted to darknet forums showing hackers using artificial intelligence to guide them through the development of Mac-bound malware step by step.

AI is helping to build macOS malware

Among the examples given was a case involving Russian-speaking threat actor ‘barboris,’ who admitted to building macOS malware without any prior coding experience thanks to generative AI. With natural language prompts, barboris was able to create an infostealer capable of targeting Keychain credentials and cryptocurrency wallet information.

The report summarizes: “The barrier to entry is lower than ever, and AI has become a new ally for cybercriminals seeking to launch macOS-focused campaigns.”

Moonlock explains that the rise of malware-as-a-service (MaaS) has also made macOS malware more accessible than ever. Cheaper MaaS options are lowering the barriers for attackers and making macOS malware more common than it used to be.

The researchers claim that the rise of MaaS has made cybercrime into a collaborative effort, creating new roles for creators and distributors.

Previously, Apple’s desktop operating system was favored over its Windows counterpart for being less susceptible to cyberattacks; however, the researchers explained that the notion that macOS is still as safe is now a dated one.

Users are being advised to treat macOS as they would any other operating system or internet-connected device, by keeping software updated with security patches, only downloading apps from trusted sources such as the Mac App Store, and installing renowned third-party security tools.

However, while the threat environment may be shifting, social engineering remains the most common way of forcing entry, and all users should be wary of handing out sensitive information unless it is absolutely necessary.

"We expect a surge in the variety of stealers targeting macOS in 2025," noted Mykhailo Pazyniuk, Malware Research Engineer at Moonlock. "During 2024 we've observed different threat actors trying to bypass Apple’s protection mechanisms, emphasizing on users as the weakest link in this attack chain. Therefore, threat actors haven’t bothered much with finding exploits in macOS itself just yet."

"One thing is certain – since many stealers eventually did their job and managed to exfiltrate sensitive user data and their crypto assets, the market of MaaS and macOS exploits will continue to grow in 2025, possibly offering more ways to stay undetected for antivirus software," Pazyniuk said.
