Bitdefender researchers have uncovered a surge in subscription scams, both in scale and sophistication, spurred by a massive campaign involving hundreds of fraudulent websites.

• Incredibly convincing websites, selling everything from shoes and clothes to diverse electronics, are tricking people into paying monthly subscriptions and willingly give away credit card data.
• Many of the websites are linked to a single address in Cyprus, likely home to an offshore company.
• The scam encompassed more than 200 different websites, including many that are still up and running.
• Criminals create Facebook pages and take out full ads to promote the already classic "mystery box" scam and other variants.
• The "mystery box" scam has evolved and now includes almost hidden recurring payments, alongside links to websites to various shops.
• Facebook is used as the main platform for these new and enhanced mystery box scams
• Content creators are being impersonated to promote mystery boxes or fraudster create new pages that look a lot like the originals.

This report presents:

• The intrusion set commonly known as Doppelgänger continues to spread disinformation narratives on social medias such as X, through bot accounts specifically made for such campaigns.
• As for its previous campaigns, Doppelgänger pushes its anti-western narrative on pages spoofing the medias of the targeted countries, such as France, Germany, Italy, Ukraine, and Israel. The disinformation campaign aims to manipulate public opinion by exploiting sensitive issues and exacerbating social and geopolitical divisions.
• The linguistic characteristics of the articles suggest that some of them were translated from Russian or edited by Russian natives, reinforcing the hypothesis that they are of Russian origin.
• In order to bypass both manual and automatic moderation on social media platforms, Doppelgänger continues to leverage Kehr[.]io, a redirection provider advertised on Russian speaking underground forums. This service hosts its infrastructure on IPs announced by English companies managed by Ukrainian and Belarusian individuals that we could connect with a high level of confidence to bulletproof network hosting solutions.
• The disinformation campaigns remain ongoing.

Analyse the ClickFix tactic and related campaigns. Uncover a ClickFix campaign impersonating Google Meet and cybercrime infrastructure.

Russia-linked phishing campaigns are targeting civil society and NGOs operating in the region and abroad, according to a new investigation by Access Now and the Citizen Lab.

The Trellix Advanced Research Center has recently observed an uptick of LockBit-related cyber activity surrounding vulnerabilities in ScreenConnect. This surge suggests that despite the Law Enforcement's (LE) "Operation Cronos" aimed at dismantling LockBit's infrastructure, the ransomware operators somehow managed to survive and stay a float. It appears that the cybercriminals group behind LockBit ransomware partially restored their infrastructure and created an impression that the LE actions did not affect their normal operation. Concurrently, alongside the resurgence of LockBit's exploitation of ScreenConnect vulnerabilities, we have seen other threat actors have either impersonated LockBit ransomware or incorporated LockBit into their own cyber attack campaigns.

Two ongoing campaigns bear hallmarks of North Korean state-sponsored threat actors, posing in job-seeking roles to distribute malware or conduct espionage.

There are several malicious fake updates campaigns being run across thousands of compromised websites. Here I will walk through one with a pattern that doesn’t match with others I’ve been tracking. This campaign appears to have started around July 19th, 2023. Based on a search on PublicWWW of the injection base64 there are at least 434 infected sites.

I’m calling this one ClearFake until I see a previously used name for it. The name is a reference to the majority of the Javascript being used without obfuscation. I say majority because base64 is used three times. That’s it. All the variable names are in the clear, no obfuscation on them.

One noticeable difference from SocGholish is that there appears to be no tracking of visits by IP or cookies. As an analyst you can you go back to the compromised site over and over coming from the same IP and not clearing your browser cache. This also means the site owner is more likely to see the infection as well.

Microsoft has been tracking activity related to the financially motivated threat actor Octo Tempest, whose evolving campaigns represent a growing concern for many organizations across multiple industries.

We analyze Mirai variant IZ1H9, which targets IoT devices. Our overview includes campaigns observed, botnet configuration and vulnerabilities exploited.

We’re sharing our latest research and analysis into malware campaigns that are targeting online businesses — including newer malware posing as AI tools.

A synopsis of the massive ongoing WordPress malware campaign: Balada Injector, including common techniques, functionalities, and vulnerability exploits used in attacks.

Cluster25 researchers analyzed several campaigns (also publicly reported by CERT-AGID) that used phishing emails to spread an InfoStealer malware written in .NET through an infection chain that involves Windows Shortcut (LNK) files and Batch Scripts (BAT). Taking into account the used TTPs and extracted evidence, the attacks seem perpetrated by the same adversary (internally named AUI001).

OpenAI chat has exploded in popularity over the last couple of weeks. People are using it to do all sorts of interesting things. If you are unfamiliar with OpenAI Chat and GPT-3, you can find a primer here. The gist is that it’s an artificial intelligence model that you can chat with as if it were a person. It can do all kinds of things like answer questions, write code, find bugs in code, and more. It also remembers context, so you can refer to something you already mentioned at it is able to follow along. I thought maybe this could be a useful tool for building email phishing campaigns for my pentesting work, so I thought I’d try it out and see what I could get it to do.

• The InterPlanetary File System (IPFS) is an emerging Web3 technology that is currently seeing widespread abuse by threat actors.
  • Cisco Talos has observed multiple ongoing campaigns that leverage the IPFS network to host their malware payloads and phishing kit infrastructure while facilitating other attacks.
  • IPFS is often used for legitimate

n April, VMware patched a vulnerability CVE-2022-22954. It causes server-side template injection because of the lack of sanitization on parameters “deviceUdid” and “devicetype”. It allows attackers to inject a payload and achieve remote code execution on VMware Workspace ONE Access and Identity Manager. FortiGuard Labs published Threat Signal Report about it and also developed IPS signature in April.

RECALLS the relevant conclusions of the European Council1 and the Council2, ACKNOWLEDGES that state and non-state actors are increasingly using hybrid tactics, posing a growing threat to the security of the EU, its Member States and its partners3. RECOGNISES that, for some actors applying such tactics, peacetime is a period for covert malign activities, when a conflict can continue or be prepared for in a less open form. EMPHASISES that state actors and non-state actors also use information manipulation and other tactics to interfere in democratic processes and to mislead and deceive citizens. NOTES that Russia’s armed aggression against Ukraine is showing the readiness to use the highest level of military force, regardless of legal or humanitarian considerations, combined with hybrid tactics, cyberattacks, foreign information manipulation and interference, economic and energy coercion and an aggressive nuclear rhetoric, and ACKNOWLEDGES the related risks of potential spillover effects in EU neighbourhoods that could harm the interests of the EU.