News Items

Since at least May 2020, an unknown threat actor has been observed using a malicious Windows kernel driver in attacks likely targeting the Middle East. Fortinet Fortiguard Labs, which labeled the artifact WINTAPIX (WinTapix.sys), links the malware, with low confidence, to an Iranian threat actor. According to security researchers, WinTapix.sys is a loader, so its primary objective is to produce and execute the next phase of the attack, which is achieved using a shellcode. Samples and telemetry data analyzed by Fortinet indicate that Saudi Arabia, Jordan, Qatar, and the United Arab Emirates are the primary targets of the campaign. The activity has not been attributed to a previously identified threat actor or group. Using a malicious kernel mode driver aims to subvert or disable security mechanisms and gain access to the targeted host. This article continues to discuss researchers' observations and findings regarding the new WinTapix.sys malware.

THN reports "New WinTapix.sys Malware Engages in Multi-Stage Attack Across Middle East"

Meta, the owner of Facebook and Instagram, was fined $1.3 billion by the Irish Data Protection Commission for violating the European Union's (EU) General Data Protection Regulation (GDPR). Meta violated the GDPR by transferring the personal data of EU users to US servers. This is the largest penalty imposed since the EU's strict data privacy policies went into effect in 2016. It exceeds Amazon's previously record-breaking $808 million fine in 2021 for data protection violations. As a result of the European Court of Justice's nullification of the Privacy Shield, the EU and the US continue to explore alternatives on a new data flow. Originally, Privacy Shield served as a data transfer mechanism under the GDPR, allowing participating companies to comply with EU requirements regarding transferring personal data to third countries. Although a replacement is expected later in the year, a number of multinational corporations, including Meta, continue to unlawfully rely on the previous agreement, specifically the use of standard contractual clauses. This article continues to discuss Meta being fined for GDPR violations.

Dark Reading reports "Meta Hit With $1.3B Record-Breaking Fine for GDPR Violations

The Picus Red Report 2023, based on the analysis of over 550,000 active malware strains, uncovered more than 5 million malicious activities. In the report, researchers identified the top cybercriminal tactics used in 2022. The findings also highlighted the increasing prevalence of "Swiss Army knife" malware, which can execute various destructive actions throughout the whole cyber kill chain while evading security measures. The analysis conducted by Picus Labs brings further attention to the adaptability of modern malware. According to the research, one-third of the entire sample uses more than 20 different tactics, techniques, and procedures (TTPs). Modern malware can exploit legitimate software, move laterally within systems, and encrypt files, which is considered exceptionally sophisticated. Picus notes that the advanced level of malware development is likely attributable to the vast resources of well-funded ransomware groups. The findings emphasize the need for security defenders to develop innovative behavior-based detection methods. This article continues to discuss the concept of multi-purpose malware, the growing versatility of malware, and how to improve anti-malware security efforts.

Security Intelligence reports "Swiss Army Knife Malware Slices Through Systems In so Many Ways"

The cybercrime group FIN7, which has previously used ransomware strains created by groups such as REvil and Maze, has added a new strain to its arsenal. Researchers from Microsoft's security team observed the group deploying the Clop ransomware in April. This was the group's first ransomware campaign since late 2021. Microsoft noted that FIN7, which it now refers to as Sangria Tempest, was observed deploying multiple tools to gain a foothold on victim systems before moving laterally within a network and launching the Clop ransomware. Prior to managing the now-retired DarkSide and BlackMatter ransomware operations, the group deployed REvil and Maze. In November, SentinelOne researchers linked the cybercrime group to the Black Basta ransomware operation, which was responsible for high-profile attacks against the American Dental Association and the German wind farm operator Deutsche Windtechnik. Since 2012, FIN7, formerly known as Carbanak, has conducted dozens of cybercriminal operations. Around 2020, the group went from using point-of-sale malware to ransomware. Between 2015 and 2018, FIN7 was accused of attacking over 100 US companies and orchestrating breaches of many US retailers. This article continues to discuss the FIN7 cybercrime family being tied to Clop ransomware.

The Record reports "Researchers Tie FIN7 Cybercrime Family to Clop Ransomware"

A man has recently been sentenced to 13 years and four months for running a multi-million-dollar fraud website that led to at least $124.2m being stolen globally. Of this, $53.4m was taken from UK victims. Law enforcement believes the actual losses to be far higher because fraud is a heavily underreported crime. Tejay Fletcher, 35, from London, UK, was handed the jail term after pleading guilty to charges of making or supplying articles for use in fraud, encouraging or assisting the commission of an offense, possessing criminal property, and transferring criminal property. The crimes took place between November 30, 2020, and November 8, 2022. The sentence followed a large international law enforcement operation led by London's Metropolitan Police in coordination with the City of London Police, the National Crime Agency, Europol, Eurojust, Dutch authorities, and the FBI. The police noted that while Fletcher was not directly responsible for the scams, his website offered tools for hire that enabled its users to launch sophisticated financial scams. Criminals used the service's technology to pose as representatives of banks, including Barclays, Santander, HSBC, Lloyds, and Halifax. They would call members of the public to warn of suspicious activity on their accounts, and ask them to disclose sensitive security information, such as one-time passcodes, to access their money. The police stated that the software allowed users to mask their phone numbers to trick victims into believing they were calling from their bank. iSpoof users could choose from a number of packages, allowing them to purchase the number of minutes they wanted to use the software for in Bitcoin. The police said that at its peak, the site had 59,000 registered users. Before it was shut down in November 2022, iSpoof was growing at a rate of 700 new users every week. In the 12 months until August 2022, around 10 million fraudulent calls were made globally via iSpoof, with roughly 3.5 million of those made in the UK.

Infosecurity reports: "UK Man Sentenced to 13 Years for Running Multi-Million Fraud Website"

Researchers at Coventry University are helping people protect their privacy after finding excessive data collection by websites and apps. Citizen Scientists Investigating Cookies and App General Data Protection Regulation (GDPR) compliance (CSI-COP) is an award-winning privacy project led by the Centre for Computational Science and Mathematical Modelling (CSM) at Coventry University in partnership with nine other organizations. Its purpose is to investigate what personal data websites and apps automatically track when a user visits a web page or uses an app, and which have been designed to be more privacy-friendly. As part of the project, members of the public were recruited and trained as 'citizen scientists' to investigate the cookie notices and privacy policies used by websites and mobile apps. The CSI-COP collaborators and privacy champions will present their findings, unveiling a repository of cookies and online trackers containing the project's findings on over 1,000 websites and apps. The repository will allow people to determine if CSI-COP featured an app they use or a website they visited. This article continues to discuss the CSI-COP project and repository.

Coventry University reports "Coventry University Researchers Shocked by Excessive Data Harvesting by Apps"

A team of researchers from Tencent Labs and Zhejiang University has presented a new attack dubbed 'BrutePrint,' which brute-forces fingerprints on modern smartphones to circumvent user authentication and seize control of the device. Performing brute-force attacks involves numerous trial-and-error attempts to crack a code, key, or password in order to gain unauthorized access to accounts, systems, or networks. Using what they say are two zero-day vulnerabilities, namely Cancel-After-Match-Fail (CAMF) and Match-After-Lock (MAL), the researchers were able to bypass existing protections on smartphones, such as attempt limits and liveness detection, which protect against brute-force attacks. The authors of the technical paper also discovered that biometric data on the Serial Peripheral Interface (SPI) of fingerprint sensors were inadequately protected, allowing a man-in-the-middle (MITM) attack to steal fingerprint images. Ten popular smartphone models were used to test BrutePrint and SPI MITM attacks, with unlimited attempts on all Android and HarmonyOS (Huawei) devices and ten additional attempts on iOS devices. This article continues to discuss the new BrutePrint attack.

Bleeping Computer reports "Android Phones Are Vulnerable to Fingerprint Brute-Force Attacks"

Most ransomware attackers use one of three primary vectors to infiltrate networks and gain access to organizations' critical systems and data. According to researchers, the most significant vector for successful ransomware attacks in 2022 was the exploitation of public-facing applications, which accounted for 43 percent of all breaches, followed by compromised accounts (24 percent) and malicious email (12 percent). The use of compromised accounts increased from 18 percent in 2021 to 22 percent in 2022. A ransomware attack can be prevented in large part by doubling down on the most common attack vectors. Many businesses are not the initial targets of attackers, but their lax Information Technology (IT) security makes them easy to breach, so cybercriminals seize the opportunity. Taking into account the top three initial vectors, which make up nearly 80 percent of all cases, it is possible to implement defensive measures that will significantly reduce the likelihood of becoming a victim. This article continues to discuss how most cyberattacks start and the basic steps that can help organizations avoid attacks.

Dark Reading reports "3 Common Initial Attack Vectors Account for Most Ransomware Campaigns"

According to new research from Imperial College London, the technology mandated by the UK's Online Safety Bill could be used to transform millions of phones into facial recognition tools. Client-Side Scanning (CSS) was examined in regard to its potential privacy implications. Under the Online Safety Bill, CSS would be implemented to identify when people are attempting to share images known to be illegal content before they are encrypted and sent. The new research, which will be presented at IEEE Security and Privacy, suggests it would be possible to use CSS to search people's private messages without their knowledge, for example, by conducting facial recognition. The UK parliament is currently reviewing the Online Safety Bill. CSS is also included in a European Union proposal that, if approved, could mandate its installation on hundreds of millions of phones. According to Dr. Yves-Alexandre de Montjoye of Imperial College London's Department of Computing and coauthor of the new paper, the research shows that the software could be built or modified to include other hidden features, such as scanning private content from people's phones using facial recognition, the same technology used at airport gates. This article continues to discuss the potential privacy implications of the CSS tool.

Imperial College London reports "Tech Mandated by Online Safety Bill 'Could Turn Phones Into Surveillance Tools'"

Hot Topics in the Science of Security (HotSoS) 2023

The snowball effect caused by Large Language Models (LLMs) such as ChatGPT is still in the early stages. Combined with the open-sourcing of other Generative Pre-Trained Transformer (GPT) models, the number of Artificial Intelligence (AI)-based applications is exploding, and ChatGPT can be used to create highly sophisticated malware. As time passes, applied LLMs will only increase, with each one specializing in its own domain and trained on carefully curated data for a particular purpose. One such application, trained on data from the dark web itself, has just emerged. DarkBERT, as its South Korean creators named it, has arrived and provides an introduction to the dark web. DarkBERT is based on the RoBERTa AI architecture, which was created in 2019. Researchers have discovered it has more performance to offer. To train the model, the researchers crawled the dark web through the Tor network's anonymizing firewall and then filtered the raw data to create a database of the dark web. DarkBERT stems from this database being used to feed the RoBERTa LLM, a model that can analyze and extract useful information from new dark web content. Researchers demonstrated that DarkBERT outperformed other LLMs, which should enable security researchers and law enforcement to delve deeper into the web's darkest corners. This article continues to discuss DarkBERT.

Tom's Hardware reports "Dark Web ChatGPT Unleashed: Meet DarkBERT"

The Federal Trade Commission (FTC) plans to update its Health Breach Notification Rule (HBNR) to clarify language regarding security breaches, user consent, and other functions, which will result in stricter enforcement for developers of consumer-driven health apps and technology. The FTC voted unanimously on May 18 to update the HBNR. A policy statement was also issued regarding its intent to combat unjust or deceptive practices associated with the collection, use, and marketing of biometric information and technologies. The risk of biometric technology breaches is directly related to the exposure of consumers' digital identities and their privacy. The FTC vote followed a second enforcement action taken under the HBNR against the developers of Premom on May 17 to resolve numerous privacy allegations, including that the fertility app and its parent company, Easy Healthcare, deceived users by sharing their personal and health information with third parties. In addition to a monetary penalty, the app developer must implement a number of adjustments to its privacy and security program and notify its users of the FTC settlement. This article continues to discuss the FTC unanimously agreeing to combat consumer privacy violations regarding biometric information and technology.

SC Media reports "FTC to Crack Down on Biometric Tech, Health App Data Privacy Violations"

Apple recently released security updates for its operating systems to patch dozens of vulnerabilities that could expose iPhones and Macs to hacker attacks, including three zero-days affecting the WebKit browser engine. Two of the actively exploited vulnerabilities, CVE-2023-28204 and CVE-2023-32373, have been reported to the tech giant by an anonymous researcher. Apple noted that their exploitation can lead to sensitive information disclosure and arbitrary code execution if the attacker can trick the targeted user into processing specially crafted web content, this includes luring them to a malicious site. No information is available on the attacks exploiting these zero-day flaws. Apple revealed in its advisories that these were the vulnerabilities that it patched with its first Rapid Security Response updates, specifically iOS 16.4.1(a), iPadOS 16.4.1(a), and macOS 13.3.1(a). Now, iOS 16.5 and iPadOS 16.5 fix CVE-2023-28204 and CVE-2023-32373, as well as CVE-2023-32409, a WebKit zero-day that can be exploited to escape the Web Content sandbox. Apple noted that CVE-2023-32409 was reported to them by Google's Threat Analysis Group and Amnesty International, which indicates that it has likely been exploited by the products of a commercial spyware vendor. The latest iOS and iPadOS updates patch over 30 other vulnerabilities, including ones that can lead to a security bypass, sandbox escape, arbitrary code execution, exposure of location and other user data, privilege escalation, termination of an app, recovery of deleted photos, retaining access to system configuration files, contact information exposure from the lock screen, and modifications of protected parts of the file system. CVE-2023-28204 and CVE-2023-32373 have also been fixed with the release of iOS and iPadOS 15.7.6. The exploited WebKit vulnerabilities have also been resolved in Apple TV, Apple Watch, and Safari. Apple stated that the latest macOS Ventura update fixes the three zero-days and nearly 50 other vulnerabilities that can lead to sensitive information disclosure, arbitrary code execution, DoS attacks, a security feature bypass, and privilege escalation. Apple has also updated macOS Monterey to version 12.6.6 and Big Sur to version 11.7.7 to patch more than two dozen vulnerabilities, but none of the zero-days.

SecurityWeek reports: "Apple Patches 3 Exploited WebKit Zero-Day Vulnerabilities"

Security researchers at Recorded Future warn that threat actors are gaining significant interest in voice cloning-as-a-service (VCaaS) offerings on the dark web, designed to streamline deepfake-based fraud. The researchers noted that deepfake audio technology can mimic the voice of a target to bypass multi-factor authentication, spread disinformation, and enhance the effectiveness of social engineering in business email compromise (BEC)-style attacks, among other things. The researchers warned that, increasingly, out-of-the-box voice cloning platforms are available on the dark web, lowering the bar to entry for cybercriminals. Some are free to use with a registered account, while others cost little more than $5 per month. The researchers noted that in some cases, cybercriminals are abusing legitimate tools such as those intended for use in audio book voiceovers, film and television dubbing, voice acting, and advertising. One popular option is ElevenLabs' Prime Voice AI software, a browser-based text-to-speech tool that allows users to upload custom voice samples for a premium charge. The researchers noted that the company had restricted the use of the tool to paid customers, which has led to an increase in references to threat actors selling paid accounts to ElevenLabs as well as advertising VCaaS offerings. The researchers stated that, fortunately, many current deepfake voice technologies are limited in generating only one-time samples that cannot be used in real-time extended conversations. However, the researchers argued that an industry-wide approach is needed to tackle the threat before it escalates.

Infosecurity reports: "Experts Warn of Voice Cloning-as-a-Service"

AllWinner and RockChip are China-based companies that power several popular Android TV boxes sold on Amazon. These Android-powered TV set-top boxes are typically inexpensive and highly customizable, incorporating multiple streaming services into a single device. Their listings on Amazon have collectively accumulated thousands of positive reviews. However, security researchers say the devices are sold with malware capable of initiating coordinated cyberattacks. Daniel Milisic purchased an AllWinner T95 set-top box last year and found that the chip's firmware was infected with malware. Milisic discovered that the set-top box was communicating with command-and-control (C2) servers and awaiting further instructions. His ongoing investigation, which he published on GitHub, revealed that his T95 model connected to a botnet composed of thousands of malware-infected Android TV boxes. According to Milisic, the default payload of the malware is a clickbot, which is code that generates ad revenue by secretly tapping on advertisements in the background. When the infected Android TV boxes are powered on, the preloaded malware contacts a C2 server, obtains instructions on finding the malware it needs, and pulls additional payloads to the device that carry out ad-click fraud. Milisic explained that due to the malware's design, its creators can distribute any payload they want. Bill Budington, an EFF security researcher, independently validated Milisic's findings after purchasing an affected device from Amazon. Several other AllWinner and RockChip Android TV models, including the AllWinner T95Max, RockChip X12 Plus, and RockChip X88 Pro 10, are also preloaded with the malware. This article continues to discuss the popular Android TV boxes being sold infected with malware.

TechCrunch reports "Popular Android TV Boxes Sold on Amazon Are Laced With Malware"

Two code packages named "nodejs-encrypt-agent" were recently discovered to contain the open-source information-stealing malware TurkoRat in the popular npm JavaScript library and registry. The malware-containing packages were discovered by ReversingLabs researchers, who report that the perpetrators behind them attempted to have the packages impersonate another legitimate package, agent-base version 6.0.2, which has been downloaded over 20 million times. Checkmarx recently published a report highlighting an emerging trend of threat actors exploiting npm's failure to account for certain types of typosquatting for years, potentially leading enterprises to inadvertently download malware. ReversingLabs researchers stated that the discovery of the most recent malicious packages, along with version number irregularities, was a red flag. In this case, a "strangely high version number" was used to attempt to trick developers into downloading what appeared to be a new release of the package. This article continues to discuss the discovery of TurkoRat-poisoned packages in the npm development library.

Dark Reading reports "Once Again, Malware Discovered in npm"

In massive Internet scans, hackers are actively searching for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites in an attempt to exploit a recently disclosed critical account password reset vulnerability. The critical vulnerability, tracked as CVE-2023-32243, affects Essential Addons for Elementor versions 5.4.0 to 5.7.1, allowing unauthenticated attackers to reset the passwords of administrator accounts and take control of the impacted websites. The vulnerability that affected over one million websites was discovered by PatchStack on May 8, 2023, and fixed by the vendor on May 11, with the release of version 5.7.2 of the plugin. However, researchers published a proof-of-concept (PoC) exploit on GitHub on May 14, making it widely accessible to attackers. Wordfence reported observing millions of probes for the plugin's presence on websites and blocking at least 6,900 exploitation attempts. This article continues to discuss hackers actively probing for vulnerable Essential Addons for Elementor plugin versions on thousands of WordPress websites.

Bleeping Computer reports "Hackers Target Vulnerable WordPress Elementor Plugin After PoC Released"

According to a new study, the security of Application Programming Interfaces (APIs) remains a top cybersecurity concern in 2023, but many businesses still lack dedicated API security. Traceable AI research conducted at this year's RSA conference reveals that while 69 percent of organizations claim to incorporate APIs into their cybersecurity strategy, 40 percent of businesses lack dedicated professionals or teams for API security. Twenty-three percent of respondents do not know if their organization has dedicated API security. Although most organizations (61 percent) do not believe they have been the target of an API attack in the past 12 months, an alarming 36 percent of respondents are unsure. In addition, 25 percent of those who have adopted API security tools are unable to baseline API behavior and identify anomalous activity that may be indicative of an API attack. Fifty percent of respondents are uncertain whether their API security solution possesses these capabilities. This article continues to discuss key findings from Traceable AI's 2023 State of API Security report.

BetaNews reports "Securing APIs Is a Top Priority, Yet Many Don't Have Dedicated Security Solutions"

According to government officials, small electric utilities, wastewater facilities, and hospitals struggle to defend their organizations against new cyber threats due to limited resources. David Travers, head of the Environmental Protection Agency's (EPA) Water Infrastructure and Cyber Resilience Division, emphasized that about 100,000 drinking water systems and 16,000 wastewater systems serve the US and its territories, with customer bases ranging from over 8 million to less than 500 people. The most significant cyber risk in the water industry is the failure of many utilities to adopt best practices. Travers added that this critical vulnerability is evident from a recent industry survey, which revealed that most utilities had not taken key steps to protect their operations. Cyber incidents at water systems have also exploited the failure to implement cybersecurity best practices. Hundreds of smaller water and wastewater systems have received individualized technical assistance from the EPA, and subject matter experts have identified gaps in cybersecurity best practices and implemented remediation actions tailored to the utility entities' resources and objectives. The agency announced in March that it will incorporate cybersecurity into periodic safety assessments. According to Brian Mazanec of the Department of Health and Human Services (HHS), the department has developed different sets of industry best practices for small, medium, and large hospital systems, with resources that small hospitals can use as-is. This article continues to discuss cybersecurity challenges faced by small utilities and hospitals as well as efforts to help them.

GovInfoSecurity reports "Small Utilities, Hospitals Struggle With Newer Cyber Threats"

According to security researchers at Trellix, China-Taiwan tensions have led to a significant increase in cyberattacks targeting Taiwan. The researchers spotted a surge in cyberattacks aimed at Taiwanese industries, with the primary goal of deploying malware and stealing sensitive information. The researchers stated that they observed a surge in malicious emails targeted toward Taiwan, starting April 7 and continuing until April 10. The number of malicious emails during this time increased to over four times the usual amount. The researchers noted that although various industries were targeted during the surge, the most impacted industries in the respective time frame were networking/IT, manufacturing, and logistics. Moreover, the researchers observed a significant rise in extortion emails targeting Taiwan government officials. The researchers stated that though it's unclear if this activity is from China-backed threat actors, it speaks to a continued increase in attacks specifically targeting Taiwan. The researchers identified different types of malicious email campaigns, including false payment overdue notifications, fake shipment notifications from reputable companies like DHL, and fraudulent quotation request emails that contain malware-laden attachments. Additionally, attackers have employed phishing pages and harmful URLs to trick users into revealing their login details. One notable malware observed during these attacks is PlugX, a Remote Access Trojan (RAT) commonly associated with Chinese Advanced Persistent Threat (APT) groups. The researchers also saw other malware families being used, such as Kryptik, Zmutzy, and Formbook.

Infosecurity reports: "Cyber Warfare Escalates Amid China-Taiwan Tensions"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) and Office of the National Cyber Director (ONCD) recently awarded the winners of the fourth annual President's Cup Cybersecurity Competition in a private ceremony at the White House. The individual winners are Ben Marks of the National Security Agency (NSA) and US Army Chief Warrant Officer 1 Andrew Fricke of the 781st Military Intelligence Battalion. The President's Cup, led and hosted by CISA, presents competitors with challenges based on the National Initiative for Cybersecurity Education (NICE) Framework Work Roles to identify, recognize, and reward the best cybersecurity talent in the federal workforce. Nearly 240 teams and over 1,100 individuals competed for the top rewards. The competition featured two individual tracks: one tested offensive skills, such as those required for the exploitation analyst and cyber operator NICE work roles, and the other tested defensive skills, such as those required for the incident response and forensics analyst work roles. This article continues to discuss the President's Cup Cybersecurity Competition.

CISA reports "CISA and ONCD Award Champions of the Fourth Annual President's Cup Cybersecurity Competition"

Proofpoint researchers explored how attackers could abuse access to a Microsoft Teams account and discovered attack vectors that could allow hackers to move laterally by launching additional phishing attacks or tricking users into downloading malicious files. According to Proofpoint, about 40 percent of Microsoft 365 cloud tenant companies have seen at least one unauthorized login attempt to gain access to a user account via Microsoft Teams in the second half of 2022 using either the web or desktop clients. Although this is less than the percentage of organizations that saw malicious login attempts on their Azure Portal or Office 365 accounts, it is significant enough to indicate that attackers are particularly interested in Microsoft Teams. Access to a Teams account can be gained via an Application Programming Interface (API) token, stolen credentials, or an active session cookie. Once inside, attackers will likely access other services or target other users. This article continues to discuss the researchers' findings regarding how attackers can enable lateral movement within a network via a compromised Teams account.

CSO Online reports "Researchers Show Ways to Abuse Microsoft Teams Accounts for Lateral Movement"

The 8220 Gang, a cryptojacking group, has been observed weaponizing a six-year-old security vulnerability in Oracle WebLogic servers to pull vulnerable instances into a botnet and spread cryptocurrency mining malware. The flaw, tracked as CVE-2017-3506 with a CVSS score of 7.4, could allow an unauthenticated attacker to remotely execute arbitrary commands. According to Trend Micro researcher Sunil Bharti, this will enable attackers to gain unauthorized access to sensitive data or compromise the entire system. The group, first documented by Cisco Talos in 2018, is named for its original use of port 8220 for command-and-control (C2) network communications. SentinelOne reported last year that the 8220 Gang identifies targets by scanning the public Internet for misconfigured or vulnerable hosts. The 8220 Gang uses SSH brute force attacks post-infection to move laterally within a compromised network. Earlier this year, Sydig reported attacks carried out by the "low-skill" crimeware gang between November 2022 and January 2023 to breach vulnerable Oracle WebLogic and Apache web servers and deploy a cryptocurrency miner. This article continues to discuss the 8220 Gang exploiting a six-year-old security flaw in Oracle WebLogic servers.

THN reports "8220 Gang Exploiting Oracle WebLogic Flaw to Hijack Servers and Mine Cryptocurrency"

Millions of Android phone owners worldwide unknowingly contribute to the financial upkeep of the Lemon Group. The Lemon Group operators infected their devices before they purchased them. Now, they steal and sell SMS messages and one-time passwords (OTPs), serve unwanted advertisements, create online messaging and social media accounts, and more using their mobile devices. Lemon Group has claimed that its clients have access to nearly 9 million Android devices infected with the Guerrilla malware. However, Trend Micro believes that the actual number may be larger. In recent years, a number of cybercriminal groups have developed lucrative business models around pre-infected Android devices. Trend Micro researchers performed forensic analysis on the ROM image of an Android device infected with the Guerrilla malware. Their investigation revealed that the group has infected Android devices in 180 countries. Over 55 percent of the victims are located in Asia, 17 percent in North America, and about 10 percent in Africa. Trend Micro was able to identify over 50 brands of mobile devices, the majority of which were inexpensive. This article continues to discuss Lemon Group's Guerrilla malware model.

Dark Reading reports "Lemon Group Uses Millions of Pre-Infected Android Phones to Enable Cybercrime Enterprise"