Security News > 2023 > March

Microsoft has announced that, starting in April 2023, it will add enhanced protection when users open or download a file embedded in a OneNote document, a file type known to carry a high phishing risk. "Users will receive a notification when the files seem dangerous to improve the file protection experience in OneNote on Windows," the company said.

An updated version of a botnet malware called Prometei has infected more than 10,000 systems worldwide since November 2022. Prometei, first observed in 2016, is a modular botnet with a large repertoire of components and several propagation methods, including exploitation of the ProxyLogon Microsoft Exchange Server flaws.

A suspected China-linked hacking campaign has been observed targeting unpatched SonicWall Secure Mobile Access (SMA) 100 series appliances to drop malware and establish long-term persistence. "The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades," cybersecurity company Mandiant said in a technical report published this week.

A coordinated international law enforcement exercise has taken down the online infrastructure associated with a cross-platform remote access trojan known as NetWire. "NetWire is a licensed commodity RAT offered in underground forums to non-technical users to carry out their own criminal activities," Europol's European Cybercrime Center said in a tweet.

Are you as protected as you should be? It may be time to re-evaluate your MFA. This eBook explains Silverfort's Unified Identity Protection approach to MFA and shows how to assess your existing protections and relative risk exposure. The underlying problem is simple: if attackers can move laterally in your environment by presenting compromised credentials to command-line access tools, it no longer matters that you have MFA protection for RDP and desktop login, because those tools never trigger the MFA challenge.
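The gap described above can be measured from Windows Security event 4624 data: RDP and console logons are logon types 10 and 2, while PsExec-, WMI- and WinRM-style tools produce network logons (type 3) that an RDP-only MFA control never sees. The following Python is an added example, not code from Silverfort or from the original page; it assumes an MFA policy that gates only logon types 2 and 10, and runs over a handful of constructed 4624 records rather than real logs.

```python
from collections import defaultdict

# Windows Security event 4624 logon types, as documented by Microsoft.
LOGON_TYPE_NAMES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    9: "NewCredentials", 10: "RemoteInteractive", 11: "CachedInteractive",
}

# Assumption for this example: MFA is enforced only for desktop (2) and RDP (10) logons.
# Every other logon type authenticates on the password or hash alone.
MFA_GATED_TYPES = {2, 10}

# Constructed sample events (not real logs): one 4624 record each, reduced to the fields used here.
SAMPLE_EVENTS = [
    {"account": "CORP\\jdoe",   "src": "10.0.0.5",  "dst": "WS-01",  "logon_type": 10, "auth": "Negotiate"},
    {"account": "CORP\\jdoe",   "src": "10.0.0.5",  "dst": "WS-01",  "logon_type": 2,  "auth": "Negotiate"},
    {"account": "CORP\\jdoe",   "src": "10.0.0.5",  "dst": "FS-01",  "logon_type": 3,  "auth": "Kerberos"},
    {"account": "CORP\\admin1", "src": "10.0.0.99", "dst": "SRV-01", "logon_type": 3,  "auth": "NTLM"},
    {"account": "CORP\\admin1", "src": "10.0.0.99", "dst": "SRV-02", "logon_type": 3,  "auth": "NTLM"},
    {"account": "CORP\\admin1", "src": "10.0.0.99", "dst": "SRV-03", "logon_type": 3,  "auth": "NTLM"},
    {"account": "CORP\\admin1", "src": "10.0.0.99", "dst": "SRV-04", "logon_type": 3,  "auth": "NTLM"},
    {"account": "CORP\\admin1", "src": "10.0.0.99", "dst": "DC-01",  "logon_type": 9,  "auth": "Negotiate"},
]


def ungated_logons(events, gated_types=MFA_GATED_TYPES):
    """Return the 4624 events that an RDP/desktop-only MFA policy never challenged."""
    return [e for e in events if e["logon_type"] not in gated_types]


def lateral_fanout(events, min_hosts=3):
    """Map 'account from source' -> sorted distinct hosts reached via network (type 3) logons.

    Only pairs that reached at least min_hosts hosts are reported. One source pushing
    password-only network logons to many hosts is the lateral-movement pattern that
    command-line tools driven by stolen credentials leave behind.
    """
    reach = defaultdict(set)
    for e in ungated_logons(events):
        if e["logon_type"] == 3:
            reach[(e["account"], e["src"])].add(e["dst"])
    return {f"{acct} from {src}": sorted(hosts)
            for (acct, src), hosts in reach.items() if len(hosts) >= min_hosts}


def coverage_report(events):
    """Per account, the fraction of all logons that were actually behind MFA (rounded to 2 places)."""
    totals = defaultdict(lambda: [0, 0])  # account -> [gated, all]
    for e in events:
        totals[e["account"]][1] += 1
        if e["logon_type"] in MFA_GATED_TYPES:
            totals[e["account"]][0] += 1
    return {acct: round(gated / total, 2) for acct, (gated, total) in totals.items()}


if __name__ == "__main__":
    for key, hosts in lateral_fanout(SAMPLE_EVENTS).items():
        print(f"password-only fan-out: {key} -> {', '.join(hosts)}")
    for acct, frac in coverage_report(SAMPLE_EVENTS).items():
        print(f"{acct}: {frac:.0%} of logons were MFA-gated")
```

On the sample data the admin account never hits an MFA-gated logon type at all, yet reaches four servers over NTLM network logons from one source; the same query against real 4624 exports (Windows event forwarding, a SIEM, or Get-WinEvent output) shows which accounts your MFA deployment actually covers.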

Worldwiredlabs.com was a domain used by cybercriminals to distribute the NetWire remote access trojan, which allowed perpetrators to take control of infected computers and extract a wide range of sensitive information from unsuspecting victims. Law enforcement in Switzerland seized the server hosting the NetWire RAT infrastructure.

"In 2022, investment scam losses were the highest of any scheme reported to the Internet Crime Complaint Center," the FBI shared in its 2022 Internet Crime Report.

2022 Internet Crime Report: Additional findings

The number of complaints received by the IC3 is slightly smaller than the year before, but the overall recorded losses are higher than ever. When it comes to BEC scams, the IC3 saw a slight increase in the targeting of victims' investment accounts instead of traditional banking accounts, and an increase in BEC actors spoofing legitimate business phone numbers to confirm fraudulent banking details with victims.

A new version of the Xenomorph Android malware adds significant capabilities for conducting malicious attacks, including a new automated transfer system (ATS) framework and the ability to steal credentials for 400 banks. "With these new features, Xenomorph is now able to completely automate the whole fraud chain, from infection to funds exfiltration, making it one of the most advanced and dangerous Android malware trojans in circulation," warns ThreatFabric.

A new variant of the Android banking trojan named Xenomorph has surfaced in the wild, the latest findings from ThreatFabric reveal. "This new version of the malware adds many new capabilities to an already feature-rich Android banker, most notably the introduction of a very extensive runtime engine powered by Accessibility services, which is used by actors to implement a complete ATS framework," the Dutch security firm said in a report shared with The Hacker News.

A North Korean espionage group tracked as UNC2970 has been observed employing previously undocumented malware families as part of a spear-phishing campaign targeting U.S. and European media and technology organizations since June 2022. UNC2970 is the new moniker designated by the threat intelligence firm Mandiant to a set of North Korean cyber activity that maps to UNC577, and which also comprises another nascent threat cluster tracked as UNC4034.