CISA received 4 files for analysis from an incident response engagement conducted at an Aeronautical Sector organization.
2 files (bitmap.exe, wkHPd.exe) are identified as variants of Metasploit (Meterpreter) and designed to connect and receive unencrypted payloads from their respective command and control (C2) servers. Note: Metasploit is an open source penetration testing software; Meterpreter is a Metasploit attack payload that runs an interactive shell. These executables are used as attack payloads to run interactive shells, allowing a malicious actor the ability to control and execute code on a system.
2 files (resource.aspx, ConfigLogin.aspx) are Active Server Pages (ASPX) web shells designed to execute remote JavaScript code on the victim server.
The report details the operations of W3LL, a threat actor behind a phishing empire that has remained largely unknown until now. Group-IB’s Threat Intelligence and Cyber Investigations teams have tracked the evolution of W3LL and uncovered that they played a major role in compromising Microsoft 365 business email accounts over the past 6 years. The threat actor created a hidden underground market, named W3LL Store, that served a closed community of at least 500 threat actors who could purchase a custom phishing kit called W3LL Panel, designed to bypass MFA, as well as 16 other fully customized tools for business email compromise (BEC) attacks. Group-IB investigators identified that W3LL’s phishing tools were used to target over 56,000 corporate Microsoft 365 accounts in the USA, Australia and Europe between October 2022 and July 2023. According to Group-IB’s rough estimates, W3LL’s Store’s turnover for the last 10 months may have reached $500,000. All the information collected by Group-IB’s cyber investigators about W3LL has been shared with relevant law enforcement organizations.
Apple released emergency security updates to fix two new zero-day vulnerabilities exploited in attacks targeting iPhone and Mac users, for a total of 13 exploited zero-days patched since the start of the year.
Some foreign companies may be complying—potentially offering China’s spies hints for hacking their customers.
In an ironic twist, Rockstar Games reportedly uses pirated software cracks to remove its DRM from some games they sell on Steam.
Our investigation of the security incident disclosed by Microsoft and CISA and attributed to Chinese threat actor Storm-0558, found that this incident seems to have a broader scope than originally assumed. Organizations using Microsoft and Azure services should take steps to assess potential impact.
Malicious packages uploaded to PyPI, NPM, and Ruby repositories are targeting macOS users with information stealing malware.
Phylum has identified a malware campaign spanning PyPI, npm and RubyGems. Delivering early stage malware to users.
Every morning at roughly the same time, a Russian hacker group known as NoName057(16) carries out distributed denial-of-service (DDoS) attacks on European financial institutions, government websites or transportation services.
Help desk staff duped into resetting MFA on Okta super admin accounts, allowing threat actors to move laterally across targeted organizations.
Irony, not barbed wire, cuts the deepest
The directive is the latest step in Beijing’s campaign to cut reliance on foreign technology and could hurt Apple’s business in the country.
Zaun Data Breach – Update. Zaun Ltd - fencing and gate manufacturers. Our ranges include perimeter and security fencing, gates and railings.
Apple released its first update to its new behavioural security protection in XProtect Behaviour Service on 8 August, and again on 1 September. Here are the details.
Child safety group Heat Initiative plans to launch a campaign pressing Apple on child sexual abuse material scanning and user reporting. The company issued a rare, detailed response on Thursday.
Ransomed, originally an illicit forum, is a ransomware collective that is finding new ways to extort victims by leveraging GDPR laws.
A group that operates through a data leak blog called Ransomed tells its alleged victims that shelling out an extortion payment is smarter than facing a government fine for a data breach.
Roughly 78% of healthcare organizations fell victim to a cyberattack over the past year and 60% of the incidents impacted care delivery
In early August, ReversingLabs identified a malicious supply chain campaign that the research team dubbed “VMConnect.” That campaign consisted of two dozen malicious Python packages posted to the Python Package Index (PyPI) open-source repository. The packages mimicked popular open-source Python tools, including vConnector, a wrapper module for pyVmomi VMware vSphere bindings; eth-tester, a collection of tools for testing Ethereum-based applications; and databases, a tool that gives asynchronous support for a range of databases.
