3 May 2024

Cyber Security Week in Review: May 3, 2024

Hackers breached Dropbox Sign eSignature platform and stole sensitive data

Cloud storage firm Dropbox disclosed a security incident in which hackers compromised its Dropbox Sign eSignature environment and made off with authentication tokens, MFA keys, hashed passwords, and customer information. The attacker gained access to a Dropbox Sign automated system configuration tool and compromised a service account that was part of Sign’s back-end and had privileges to take a variety of actions within Sign’s production environment. The threat actor then used this access to the production environment to reach the customer database.

New Cuttlefish malware steals credentials from SOHO routers

The Black Lotus Labs team at Lumen Technologies has uncovered a sophisticated malware platform dubbed “Cuttlefish,” which targets networking equipment, particularly enterprise-grade small office/home office (SOHO) routers. The malware has been active since at least July 2023, with its latest wave spanning from October 2023 to April 2024.

Cuttlefish operates as a modular malware designed with a primary focus on stealing credentials from web requests passing through targeted routers within a local area network (LAN). Additionally, it has capabilities for DNS and HTTP hijacking.

“Goldoon” botnet targets D-Link routers with a decade-old vulnerability

A new botnet named Goldoon has emerged, targeting D-Link routers by exploiting a command execution flaw dating back almost a decade. The flaw, tracked as CVE-2015-2051, affects D-Link DIR-645 routers, enabling attackers to execute arbitrary commands through customized HTTP requests. The botnet's objective seems to be using compromised devices for further cyberattacks such as DDoS attacks.

Large-scale malware campaigns plant malicious content in Docker Hub repos

DevSecOps company JFrog shared details on a series of malware campaigns targeting Docker Hub, Docker’s cloud-based registry service that hosts and distributes images. According to JFrog’s findings, nearly 20% of all Docker Hub repositories analyzed hosted malware or malicious content, representing approximately 3 million Docker images out of the total 15 million hosted on the platform.

Ukraine’s threat landscape: Russian hackers shift from exploiting zero-days to attacking telecom providers

The CERT-UA team has released an analytical report titled “Russian Cyber Operations H2 2023,” based on a comprehensive analysis of cyber threats detected during the second half of 2023. Key findings indicate a shift from exploiting zero-day vulnerabilities in popular client-end software to attacks against well-prepared telecommunications providers. There's a notable increase in the use of N-day exploits and the emergence of new military-focused APTs and previously undetected criminal organizations dominating the cyber threat landscape in Ukraine.

Attackers are also increasingly relying on automation to accelerate infiltration and control of critical IT systems. Additionally, there's been a surge in financially motivated cybercrime groups targeting Ukrainian businesses and organizations, with approximately 40% of registered incidents in the latter half of 2023 related to financial theft.

In related news, cybersecurity firm Trellix published a technical write-up on AcidRain and AcidPour, two data-wiping malware variants used by the Russian state-sponsored actor Sandworm in the attacks against Viasat and various other Ukrainian targets. Also, LogPoint has analyzed another Sandworm backdoor, known as Kapeka or KnuckleTouch.

Additionally, Trend Micro has a report out on how cybercriminals and state-backed threat groups share compromised networks. The report covers Russian threat actor APT28’s exploitation of Ubiquiti EdgeRouters (aka the MooBot botnet).

Ukraine targeted in malspam campaign exploiting an old MS Office bug

Cybersecurity researchers published technical details of a sophisticated targeted cyber operation against Ukraine, exploiting a nearly seven-year-old vulnerability in Microsoft Office software. The attack involves the use of a malicious PowerPoint slideshow file to deliver the Cobalt Strike tool to compromised systems.

The attack vector primarily relies on a PowerPoint slideshow file titled “signal-2023-12-20-160512.ppsx,” ostensibly shared through the Signal instant messaging app.

Sophisticated Chinese threat actor manipulates China’s Great Firewall

A sophisticated China-linked threat actor has been orchestrating operations within China's internet infrastructure since at least 2019. Dubbed “Muddling Meerkat,” the threat actor has been running a previously undisclosed multi-year operation that utilizes Domain Name System (DNS) queries, open DNS resolvers, and China's Great Firewall (GFW) to exert control over internet traffic.

Ukraine busts pro-Russian hacker network in Kyiv

The Security Service of Ukraine (SBU) has apprehended a group of hackers in Kyiv responsible for orchestrating fake accounts impersonating top officials of Ukrainian security agencies. These activities aimed to propagate misinformation and undermine Ukraine's defense forces.

The SBU said it dismantled bot farms operating in Kyiv, through which pro-Russian propaganda was disseminated. The police arrested two individuals running the operation who were involved in spreading misinformation about the war in Ukraine and attempting to discredit the Ukrainian Armed Forces.

Hacktivists expose Kaspersky Lab's involvement in military drone development

The international volunteer intelligence community InformNapalm has published an investigation revealing a close collaboration between the Russian antivirus maker Kaspersky Lab and the Russian UAV manufacturer Albatross in the development of military drones, which extends beyond conventional software development. The company's neural network solutions have been integrated into Albatross drones, including the flagship Albatross M5 fixed-wing drones and industrial quadcopters. This collaboration extends to projects such as the Kaspersky Antidrone system, aimed at countering unauthorized drone activities.

US sanctions 300 individuals and orgs associated with Russia's military-industrial sector

This week, the Office of Foreign Assets Control (OFAC) within the United States Department of the Treasury, along with the Department of State, has imposed sanctions on about 300 individuals and organizations associated with Russia's military-industrial sector, as well as its chemical and biological weapons programs. Additionally, they extend to entities from other nations aiding Russia in procuring components for weapons or defense-related manufacturing.

Among the entities sanctioned is the OKO Design Bureau, which specializes in the development of unmanned aerial vehicles (UAVs).

Cyber Partisans claim to have hacked Belarus KGB

The Belarusian hacktivist group known as the Cyber Partisans said that they infiltrated Belarus' national intelligence agency, the Belarusian KGB. The group alleges that the breach occurred in the fall of 2023, during which they managed to extract sensitive data from the agency's official website. The group claims to have accessed personnel files belonging to over 8,600 employees of the intelligence agency.

New report analyzes social engineering techniques used by Iranian state-sponsored hackers

Cybersecurity firm Mandiant released a comprehensive report highlighting Tactics, Techniques and Procedures (TTPs) associated with APT42, a state-sponsored threat actor believed to be affiliated with the Islamic Revolutionary Guard Corps Intelligence Organization (IRGC-IO). APT42 is targeting Western and Middle Eastern NGOs, media organizations, academia, legal services and activists.

CISA and partners share tips on how to defend OT systems against pro-Russia hacktivists

Cybersecurity agencies from the US, Canada, and the UK have jointly issued recommendations to critical infrastructure organizations in response to a wave of cyberattacks by suspected pro-Russia hacktivist groups. The attacks have targeted industrial control systems (ICS) and other operational technology (OT) systems, with a focus on sectors like water and wastewater systems, dams, energy, and food and agriculture. The advisory provides information and mitigations associated with this malicious activity, which has been observed since 2022 and as recently as April 2024.

Additionally, CISA and the FBI issued an alert urging software developers to eliminate path traversal vulnerabilities in software before shipping. The joint advisory comes in response to “recent well-publicized threat actor campaigns that exploited directory traversal vulnerabilities in software (CVE-2024-1708, CVE-2024-20345) to compromise users of the software—impacting critical infrastructure sectors, including the Healthcare and Public Health Sector.”

Speaking of which, Microsoft has recently detailed a path traversal-related vulnerability pattern it dubbed “Dirty Stream,” which impacts multiple popular Android applications, including Xiaomi’s File Manager and WPS Office. The attack could enable a malicious application to overwrite files in the vulnerable application’s home directory.
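The advisory asks developers to eliminate path traversal before shipping. The following Python snippet is an added illustration, not code from CISA, Microsoft or any of the affected products: it places the vulnerable join pattern next to a containment check that resolves the path first and then compares whole path components. The base directory and the request strings are constructed for the demonstration and assume a POSIX filesystem.

```python
import os


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would escape the allowed base directory."""


def naive_join(base_dir: str, requested: str) -> str:
    """The vulnerable pattern: the client-supplied segment is trusted as-is.

    "../" segments walk out of base_dir, and an absolute `requested`
    makes os.path.join discard base_dir entirely.
    """
    return os.path.join(base_dir, requested)


def safe_join(base_dir: str, requested: str) -> str:
    """Return the resolved path for `requested` inside `base_dir`, or raise.

    `requested` must already be URL-decoded (and decoded only once);
    checking the still-encoded form "..%2f" would miss the traversal.
    """
    base_real = os.path.realpath(base_dir)
    if os.path.isabs(requested):
        raise PathTraversalError(f"absolute path not allowed: {requested!r}")
    # realpath collapses "..", ".", duplicate separators and symlinks, so the
    # containment check below is done on the path the OS would actually open.
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # commonpath compares whole path components. A plain string prefix check
    # (candidate.startswith(base_real)) is a classic bug: it accepts
    # "/srv/app/uploads_old/x" as being inside "/srv/app/uploads".
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathTraversalError(f"path escapes base directory: {requested!r}")
    return candidate


def is_contained(base_dir: str, requested: str) -> bool:
    """Convenience wrapper: True if safe_join accepts the request."""
    try:
        safe_join(base_dir, requested)
    except PathTraversalError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample requests, as a file-serving endpoint might receive them
    # (hypothetical base directory; nothing is read from disk).
    base = "/srv/app/uploads"
    for req in ["reports/q1.pdf", "../../etc/passwd", "/etc/passwd",
                "../uploads_old/secret.txt", "reports/../q2.pdf"]:
        print(f"{req!r:32} naive={naive_join(base, req)!r:40} contained={is_contained(base, req)}")
```

The "uploads_old" case is the one worth remembering: a sibling directory sharing the base name as a prefix passes a `startswith` check but fails the component-wise comparison, which is why the check is done with `os.path.commonpath` on resolved paths rather than on strings.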

N.Korean hackers exploit weak DMARC security policies to hide spearphishing attacks

The US State Department, NSA and the FBI released a joint security advisory highlighting the techniques used by North Korean hackers to disguise malicious emails as coming from legitimate journalists, academics, or other experts in East Asian affairs.
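The weakness the advisory describes is a DMARC record that only monitors (a policy of p=none) or is missing altogether, which lets mail spoofing a domain's From address be delivered normally. The Python below is an added example, not code or data from the advisory: it parses a DMARC TXT record string and reports why it is or is not enforcing, following the tag semantics of RFC 7489 (sp defaults to p, pct defaults to 100). The record strings are constructed; a real check would fetch the TXT record at _dmarc.<domain> first.

```python
from dataclasses import dataclass, field
from typing import List, Optional

ENFORCING_POLICIES = {"quarantine", "reject"}
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record ("v=DMARC1; p=reject; rua=...") into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class DmarcAssessment:
    verdict: str                      # "enforcing", "weak" or "invalid"
    findings: List[str] = field(default_factory=list)


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Classify a domain's DMARC record from a receiver's point of view."""
    if not record or not record.strip():
        return DmarcAssessment("weak", ["no DMARC record published; spoofed mail is not filtered"])

    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment("invalid", ["record does not carry v=DMARC1; receivers ignore it"])

    p = tags.get("p", "").lower()
    if p not in VALID_POLICIES:
        return DmarcAssessment("invalid", [f"missing or unknown p= tag: {p!r}"])

    findings = []
    if p == "none":
        findings.append("p=none: spoofed mail is delivered normally; only reports are generated")

    # Subdomain policy inherits p unless sp= overrides it.
    sp = tags.get("sp", p).lower()
    if sp == "none":
        findings.append("sp=none: mail spoofing subdomains is delivered normally")

    # pct applies the policy to only a fraction of failing messages.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = -1
        findings.append(f"unparseable pct= value: {tags['pct']!r}")
    if 0 <= pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing messages")

    if "rua" not in tags:
        findings.append("no rua= address: the domain owner receives no aggregate reports")

    enforcing = p in ENFORCING_POLICIES and sp in ENFORCING_POLICIES and pct == 100
    return DmarcAssessment("enforcing" if enforcing else "weak", findings)


if __name__ == "__main__":
    # Constructed sample records for a hypothetical example.com; none is real DNS data.
    samples = {
        "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "subdomain gap": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
        "partial rollout": "v=DMARC1; p=quarantine; pct=25",
        "no record": "",
    }
    for label, rec in samples.items():
        result = assess_dmarc(rec)
        print(f"{label:16} {result.verdict:10} {'; '.join(result.findings) or 'ok'}")
```

The verdict alone is what a mail gateway acts on; the findings list is for the domain owner, since a record can be "enforcing" for the apex domain and still leave subdomains or a percentage of traffic unprotected.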

UK bans weak default passwords on IoT devices

The United Kingdom has become the first nation to prohibit guessable default usernames and passwords on Internet of Things (IoT) devices. Under the provisions of the Product Security and Telecommunications Infrastructure Act 2022 (PSTI), manufacturers of IoT devices are required to meet new security standards, which bar weak or easily guessable default passwords such as “admin” or “12345”. The legislation does, however, permit a unique password to be set on each device by default.

Indonesian government caught using commercial spyware

A new report from Amnesty International has revealed that the Indonesian government has procured and is currently employing surveillance technologies from various commercial spyware providers. Among the identified tools are those developed by NSO Group, Candiru, FinFisher, Wintego, and Intellexa. Amnesty's investigation has uncovered multiple instances of spyware acquisitions or implementations between 2017 and 2023, involving both private enterprises and state bodies in Indonesia, including the Indonesian National Police (Kepala Kepolisian Negara Republik) and the National Cyber and Crypto Agency (Badan Siber dan Sandi Negara).

ZLoader malware resurfaces with an anti-analysis feature

The infamous ZLoader banking trojan now comes with an updated anti-analysis feature similar to the one in the original ZeuS v2.x. This feature, which limits execution of ZLoader's binary to the infected machine, makes ZLoader even more challenging to detect and analyze.

Wpeeper Android malware hides behind compromised WordPress sites

A new strain of Android malware called Wpeeper has been discovered that uses compromised WordPress sites to conceal its command-and-control (C2) servers, making detection more challenging. Wpeeper operates as an ELF binary and encrypts its communication with the C2 servers over HTTPS. Its functionality includes typical backdoor features such as gathering device data, file management, data transfer, and remote command execution.

REvil hacker behind the 2021 Kaseya supply chain attack sentenced to 13 years

Yaroslav Vasinskyi, a 24-year-old Ukrainian national known as “Rabotnik,” was sentenced to 13 years and seven months in prison for his role in a large-scale Sodinokibi/REvil ransomware operation responsible for thousands of ransomware attacks, collectively demanding a sum exceeding $700 million in ransom payments. Besides the prison sentence, Vasinskyi was ordered to pay over $16 million in restitution for the damages incurred by his malicious activities.

Vastaamo hacker gets over 6 years in prison

A court in Finland announced its verdict on Julius “Zeekill” Kivimäki, one of the most infamous cybercriminals in Finland and former Lizard Squad member, for orchestrating the major hack of the Helsinki-based psychotherapy center Vastaamo's patient database. Kivimäki has been sentenced to 6 years and 3 months in prison.

European police shut down 12 phone fraud call centers

Law enforcement authorities have dismantled 12 phone fraud call centers across Albania, Bosnia and Herzegovina, Kosovo, and Lebanon. The operation, dubbed ‘Operation Pandora,’ led to the arrest of 21 individuals involved in a criminal network responsible for scamming thousands of victims daily. The fraudsters employed various tactics such as fake police calls, investment fraud, and romance scams to deceive their targets. Operating from different countries, they impersonated relatives, bank employees, or law enforcement officers to manipulate victims into giving up their savings through promises of lottery winnings, investment opportunities, or debt collection demands.

Ukrainian police dismantle a large-scale call center that defrauded foreigners

The Ukrainian police have dismantled a large-scale call center in Odessa, where employees were stealing funds from the bank accounts of foreigners. Among the victims were clients from banks in the USA, France, the UK, Spain, Poland, the United Arab Emirates, and other countries.

The perpetrators purchased databases of bank clients from the underground markets, including card numbers, expiration dates, CVV codes, and more. They would call or message the owners, falsely informing them of substantial winnings and prompting them to reveal the code sent via SMS. In reality, this was a one-time verification password, which the criminals used to link the victims' cards to their Apple and Google Pay wallets, transferring their funds to controlled accounts previously opened under fake identities in Ukrainian state-owned banks.

Fraudster jailed for selling counterfeit Cisco network equipment

Onur Aksoy, CEO of a group of companies overseeing various online storefronts, has been sentenced to six and a half years in prison. He was found guilty of orchestrating the sale of counterfeit Cisco network equipment totaling $100 million to various organizations, including government agencies, healthcare, educational institutions, and military units worldwide.

Aksoy operated multiple businesses in New Jersey and Florida, along with numerous Amazon and eBay storefronts. These entities imported tens of thousands of low-quality, altered networking devices from suppliers in China and Hong Kong with counterfeit Cisco labels, packaging, and documentation, presenting them as legitimate products. The scheme generated over $100 million in revenue, with Aksoy pocketing millions personally.

A cybersecurity consultant charged with a $1.5 million extortion scheme

Vincent Cannady, a cybersecurity consultant, was arrested for allegedly extorting an unnamed IT firm for up to $1.5 million. Cannady, who had been assigned to work with the firm through a staffing company, had access to sensitive information during his engagement. After his contract was terminated, he downloaded the company's confidential data without authorization and threatened to publicly disclose it unless his demands were met. He demanded $1.5 million in exchange for not revealing the information, citing unspecified discrimination and emotional distress claims. Cannady faces charges of Hobbs Act extortion, which carries a maximum sentence of 20 years in prison.
