Last week brought new data breaches, the emergence of new ransomware gangs and even a group that has returned after a long absence. Read on for a quick summary of what happened this week in cybersecurity.
PyPI temporarily suspended new sign-ups and projects amid a high influx of malicious users and packages.
PyPI, the official third-party registry of open-source Python packages, has temporarily suspended new user and project registrations because of a high influx of malicious users and packages. PyPI admins posted that the volume is so large that it has "outpaced our ability to respond to it in a timely fashion". This preventative measure is expected to hold off threat actors until a more permanent solution can be found.

New malware campaign: impersonating CapCut to push information-stealing malware.
Cyble has found new malware campaigns that impersonate CapCut, ByteDance's official video editor for TikTok, to push several malware strains. Threat actors create websites that distribute malware disguised as CapCut installers. Both campaigns use malware that steals information such as credentials, credit card details, passwords and auto-complete data stored in web browsers, applications and files. One also targets data stored in messaging apps such as Telegram and Discord, cryptocurrency wallet apps, and remote access software such as UltraViewer and AnyDesk. To avoid such malware, download software directly from official websites rather than from links shared in forums, direct messages or social media, and avoid promoted results when searching for software tools.

Luxottica confirms data breach after 70 million customers' information leaked online.
Luxottica confirmed that a third-party contractor suffered a data breach in 2021 that resulted in the exposure of 70 million customers' personal information, after a database was posted for free on hacking forums this month. Luxottica is the world's largest eyewear company and owns brands such as Ray-Ban, Burberry, Dolce and Gabbana, Versace, Chanel, Oakley and Prada. Although investigations are still ongoing, Luxottica has confirmed that the exposed data includes customers' full names, email addresses, phone numbers, addresses and birth dates. To check whether your information was exposed in this breach, visit the HIBP (Have I Been Pwned) website and search for your email address.

Two NPM packages found to conceal an open-source infostealer RAT.
ReversingLabs researchers found the open-source infostealer TurkoRat hidden inside two legitimate-looking NPM packages, nodejs-encrypt-agent and nodejs-cookie-proxy-agent, which went undetected for two months before being removed. Both packages were collectively downloaded approximately 1,200 times in the past two months. Key malicious behaviours identified include, but are not limited to, the ability to write to and delete from Windows system directories, execute commands, and tamper with DNS settings. The malware also has features designed to steal sensitive information such as user login credentials and crypto wallets, and to fool or defeat the sandbox environments and debuggers used to analyse malicious files.

PharMerica data breach could have resulted in more than 5.8 million patients' data being stolen.
PharMerica, one of the largest pharmacy providers in the U.S., has confirmed that its IT systems were breached and fears that threat actors may have stolen the personal and healthcare data of more than 5.8 million patients. Personal information plausibly stolen includes, but is not limited to, names, birth dates, social security numbers, medication lists and health insurance information. It is unclear whether data of patients of the parent company, BrightSpring, was also compromised in this breach. The Money Message ransomware gang has claimed responsibility for the breach and added PharMerica and BrightSpring to its leak site.

MalasLocker's unusual extortion tactic: victims told to donate to an approved charity.
A new ransomware operation, MalasLocker, is hacking Zimbra servers to steal emails and encrypt files. Uniquely, it claims that in exchange for a decryptor and to prevent the data being leaked, victims are required to donate to charity. The MalasLocker site currently distributes the stolen data of 3 companies and the Zimbra configuration for 169 victims.

Notorious cybercriminal group FIN7 resurfaces.
A Microsoft threat analyst reported that FIN7, a financially motivated hacking group, "has come out of a long period of inactivity". Microsoft linked the group to attacks whose objective was to deploy Clop ransomware on victims' networks, its first ransomware campaign since late 2021. FIN7 has previously been linked to attacks targeting banks and the point-of-sale terminals of companies across various industry sectors in Europe and the U.S. Although some FIN7 members have been arrested over the years, the group remains active.

New ransomware group RA Group customises leaked Babuk source code.
RA Group is ramping up its attacks by leveraging the leaked Babuk ransomware source code and customising it to its own approach. Cisco Talos reported that RA Group began operating on April 22 and has been rapidly expanding its operations. Not only does RA Group threaten to leak exfiltrated data if victims do not pay the ransom within 3 days, it is also "selling the victim's exfiltrated data on their leak site by hosting the victims' leaked data on a secured Tor site." So far it has targeted organizations in the U.S. and South Korea in the pharmaceutical, manufacturing, insurance and wealth management industries.

Hackers actively probing for the vulnerable WordPress Elementor plugin after the flaw was disclosed last month.
Since the announcement of a flaw in the Essential Addons for Elementor WordPress plugin, which affected over a million websites and has been fixed in a new plugin version, hackers have been actively probing for the vulnerable plugin in an attempt to exploit the password reset flaw. The day after the disclosure, Wordfence recorded 5 million probing scans checking whether a site is vulnerable. Wordfence believes this data signifies attackers looking for vulnerable sites, as the majority of these requests came from just 2 IP addresses. Anyone using the 'Essential Addons for Elementor' plugin is strongly advised to install version 5.7.2 or later immediately.

CISA: Samsung security flaw allows Android ASLR bypass.
CISA has warned about a security flaw affecting Samsung devices that has been used in attacks to bypass Android ASLR (address space layout randomization), a protection that helps defend against buffer-overflow attacks. The vulnerability (CVE-2023-21492) affects Samsung devices running Android 11, 12 and 13 and stems from sensitive information being inserted into log files. Attackers can use the exposed information to bypass ASLR, which in turn allows them to exploit memory management issues. U.S. Federal Civilian Executive Branch agencies have been ordered to secure their Samsung devices within 3 weeks.
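The Wordfence observation in the Elementor item above, that most of the 5 million probes came from just 2 IP addresses, is the kind of concentration a site owner can look for in their own access logs. The following is an added example, not code from the article, from Wordfence or from the plugin: it parses constructed combined-format log lines, counts requests per source IP to an assumed plugin directory path, and flags sources responsible for a disproportionate share of that traffic.

```python
import re
from collections import Counter

# Assumed plugin directory name; adjust it to the slug installed on your site.
PLUGIN_PREFIX = "/wp-content/plugins/essential-addons-for-elementor-lite/"

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [16/May/2023:10:01:01 +0000] "GET /wp-content/plugins/essential-addons-for-elementor-lite/readme.txt HTTP/1.1" 200 512 "-" "python-requests/2.28"
203.0.113.10 - - [16/May/2023:10:01:02 +0000] "GET /wp-content/plugins/essential-addons-for-elementor-lite/readme.txt HTTP/1.1" 404 0 "-" "python-requests/2.28"
198.51.100.7 - - [16/May/2023:10:01:03 +0000] "GET /wp-content/plugins/essential-addons-for-elementor-lite/readme.txt HTTP/1.1" 200 512 "-" "python-requests/2.28"
192.0.2.44 - - [16/May/2023:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
203.0.113.10 - - [16/May/2023:10:01:06 +0000] "GET /wp-content/plugins/essential-addons-for-elementor-lite/readme.txt HTTP/1.1" 200 512 "-" "python-requests/2.28"
198.51.100.7 - - [16/May/2023:10:01:07 +0000] "GET /wp-content/plugins/essential-addons-for-elementor-lite/readme.txt HTTP/1.1" 200 512 "-" "python-requests/2.28"
192.0.2.44 - - [16/May/2023:10:01:09 +0000] "GET /wp-content/plugins/essential-addons-for-elementor-lite/readme.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: source IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def plugin_probe_sources(log_text, prefix=PLUGIN_PREFIX):
    """Count, per source IP, the requests that touch the plugin's directory path."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(prefix):
            counts[rec["ip"]] += 1
    return counts

def concentrated_sources(counts, min_requests=2, min_share=0.25):
    """Flag IPs with >= min_requests plugin-path requests that are >= min_share of all such requests."""
    total = sum(counts.values())
    if total == 0:
        return []
    return sorted(ip for ip, n in counts.items()
                  if n >= min_requests and n / total >= min_share)

if __name__ == "__main__":
    counts = plugin_probe_sources(SAMPLE_LOG)
    for ip in concentrated_sources(counts):
        print(f"{ip}: {counts[ip]} of {sum(counts.values())} plugin-path requests")
```

Point it at a real access log and tune the thresholds to your normal traffic; a handful of sources generating most of the plugin-path requests is a signal to check that the installed plugin version is patched.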
© 2021, TAFA HOLDINGS (S) PTE LTD. ALL RIGHTS RESERVED