Healthcare SaaS provider Welltok is warning that a data breach exposed the personal data of nearly 8.5 million patients in the U.S. after a file transfer program used by the company was hacked in a data theft attack.

International logistics giant DP World has confirmed that data was stolen during a cyber attack that disrupted its operations in Australia earlier this month. However, no ransomware payloads or encryption was used in the attack.

It’s not every day that you discover a new Russian hacking group complete with a song and dance routine (performed live), a sleek user interface (with dark mode!) and a clearly thought-out business model. But that is exactly what our security research team discovered with “AlphaLock,” a “pentesting training organization” that trains hackers and then monetizes their services through a dedicated affiliate program.
...
We originally discovered their group through a public Telegram channel that has since become private. This post will serve as a detailed investigation and description of one of the most brazen, strange, and best marketed cybercrime groups to appear in 2023.

• Cybercrime sophistication and commoditization continues to grow: We now have a real life example of a threat group that seeks to create its own talent pool through a training program, goes to extensive lengths to market itself, and plans to monetize this through a hacker-for-hire scheme. The level of technical sophistication required to do this isn’t very high, but the level of organizational sophistication and business acumen is quite interesting.
• Ransomware isn’t the only game in town: Cybercriminals typically choose the path of least resistance that is most likely to prove profitable, this has been increasingly the case as the cybercrime ecosystem has evolved into a functional market economy. However AlphaLock represents another potential method to both monetize and democratize cybercrime. This could be a particularly interesting model alternative for ransomware groups if the U.S. follows through with the proposal of banning ransomware payments.
• A Technical Threat Actor Supply Shortage? One of the most fascinating things about AlphaLock is they want to create a pipeline of talent to populate their hacker marketplace. This suggests that there may be limitations on the supply of talented threat actors that have the required degree of sophistication to the point where they have tried to build their own pipeline of actors.
• The Brand: Our researchers have noted an increasing focus on group “brand” and identity among financially motivated threat groups. AlphaLock has clearly made significant investments in time to create a brand and reputation for itself. Notice in the final post they even advertise that they are looking to hire someone to market themselves on Telegram and social media.
• Blurred Lines: Many security practitioners have often assumed that threat actors primarily operate on the dark web. In most cases today this isn’t the case. There are increasingly blurred lines between clear web sites, Tor, and social media applications such as Telegram that create easy avenues for threat actors to congregate and communicate.

The Lumma information-stealing malware is now using an interesting tactic to evade detection by security software - the measuring of mouse movements using trigonometry to determine if the malware is running on a real machine or an antivirus sandbox.

Toyota Financial Services (TFS) has confirmed that it detected unauthorized access on some of its systems in Europe and Africa after Medusa ransomware claimed an attack on the company.

Cloudflare is investigating an ongoing outage causing 'We're sorry

Attackers are exploiting a recently patched and critical severity Atlassian Confluence authentication bypass flaw to encrypt victims' files using Cerber ransomware.

Discord will switch to temporary file links for all users by the end of the year to block attackers from using its CDN (content delivery network) for hosting and pushing malware.

A new macOS malware dubbed 'KandyKorn' has been spotted in a campaign attributed to the North Korean Lazarus hacking group, targeting blockchain engineers of a cryptocurrency exchange platform.

The attackers impersonate members of the cryptocurrency community on Discord channels to spread Python-based modules that trigger a multi-stage KandyKorn infection chain.

Elastic Security discovered and attributed the attacks to Lazarus based on overlaps with past campaigns concerning the employed techniques, network infrastructure, code-signing certificates, and custom Lazarus detection rules.

Apple's "Find My" location network can be abused by malicious actors to stealthily transmit sensitive information captured by keyloggers installed in keyboards.

The Find My network and application is designed to help users locate lost or misplaced Apple devices, including iPhones, iPads, Macs, Apple Watches, AirPods, and Apple Tags.

The service relies on GPS and Bluetooth data crowd-sourced from millions of Apple devices worldwide to find devices reported as lost or stolen, even if those are offline.

Microsoft Exchange is impacted by four zero-day vulnerabilities that attackers can exploit remotely to execute arbitrary code or disclose sensitive information on affected installations.

A threat actor that security researchers call Prolific Puma has been providing link shortening services to cybercriminals for at least four years while keeping a sufficiently low profile to operate undetected.

Australian software company Atlassian warned admins to immediately patch Internet-exposed Confluence instances against a critical security flaw that could lead to data loss following successful exploitation.

HackerOne has announced that its bug bounty programs have awarded over $300 million in rewards to ethical hackers and vulnerability researchers since the platform's inception.

Citrix warned admins today to secure all NetScaler ADC and Gateway appliances immediately against ongoing attacks exploiting the CVE-2023-4966 vulnerability.

Cisco disclosed a new high-severity zero-day (CVE-2023-20273) today, actively exploited to deploy malicious implants on IOS XE devices compromised using the CVE-2023-20198 zero-day unveiled earlier this week.

Taiwanese networking equipment manufacturer D-Link confirmed a data breach linked to information stolen from its network and put up for sale on BreachForums earlier this month.

A group of cyber activists under the Ukrainian Cyber Alliance banner has hacked the servers of the Trigona ransomware gang and wiped them clean after copying all the information available.

The Ragnar Locker ransomware operation's Tor negotiation and data leak sites were seized Thursday morning as part of an international law enforcement operation.

A critical severity vulnerability impacting Royal Elementor Addons and Templates up to version 1.3.78 is reported to be actively exploited by two WordPress security teams.