Security News

Phishers are using encrypted restricted-permission messages attached in phishing emails to steal Microsoft 365 account credentials. "The initial emails are sent from compromised Microsoft 365 accounts and appear to be targeted towards recipient addresses where the sender might be familiar."

A Brazilian hacking group has been targeting thirty Portuguese government and private financial institutions since 2021 in a malicious campaign called 'Operation Magalenha. The attackers use many methods to distribute their malware to targets, including phishing emails pretending to come from Energias de Portugal and the Portuguese Tax and Customs Authority, social engineering, and malicious websites that mimic these organizations.

Researchers from Cado Labs recently encountered an update to the emerging cloud-focused malware family, Legion. This sample iterates upon the credential harvesting features of its predecessor, with a continued emphasis on exploiting PHP web applications.

An updated version of the commodity malware called Legion comes with expanded features to compromise SSH servers and Amazon Web Services credentials associated with DynamoDB and CloudWatch. "This recent update demonstrates a widening of scope, with new capabilities such the ability to compromise SSH servers and retrieve additional AWS-specific credentials from Laravel web applications," Cado Labs researcher Matt Muir said in a report shared with The Hacker News.

Infostealer malware, which consist of code that infects devices without the user's knowledge and steals data, remains widely available to buy through underground forums and marketplaces, with the volume of logs, or collections of stolen data, available for sale increasing at alarming rates, according to Secureworks. "Infostealers are a natural choice for cybercriminals who are looking to rapidly gain access to businesses and then monetize that access," said Don Smith, VP threat research, Secureworks CTU. "They are readily available for purchase, and within as little as 60 seconds of installation on an infected computer will immediately generate a return on investment in the form of stolen credentials and other sensitive information. However, what has really changed the game, as far as infostealers are concerned, is improvements in the various ways that criminals use to trick users into installing them. That, coupled with the development of dedicated marketplaces for the sale and purchase of this stolen data, has really upped the ante," added Smith.

U.S. tech company and Siemens subsidiary Brightly Software is notifying customers that their personal information and credentials were stolen by attackers who gained access to the database of its SchoolDude online platform. "We at Brightly Software are writing to let you know about a recent security incident affecting an account you have on our SchoolDude application, an online platform used by educational institutions for placing and tracking maintenance work orders," Brightly told affected SchoolDude users.

The vulnerability, tracked as CVE-2023-29324, has been described as a security feature bypass. Akamai security researcher Ben Barnea, who discovered and reported the bug, noted that all Windows versions are affected, but pointed out Microsoft, Exchange.

Legion targets various services for email exploitation, according to Cado, whose research indicates that Legion is likely linked to the AndroxGh0st malware family first reported in December 2022. The report said Legion appears to be part of an emerging generation of hacking tools that aim to automate the credential harvesting process to compromise SMTP services.

A novel credential-stealing malware called Zaraza bot is being offered for sale on Telegram while also using the popular messaging service as a command-and-control. "Zaraza bot targets a large number of web browsers and is being actively distributed on a Russian Telegram hacker channel popular with threat actors," cybersecurity company Uptycs said in a report published last week.

Apart from extracting credentials and breaching web services, Legion can also create administrator users, implant webshells, and send out spam SMS to customers of U.S. carriers. The tool uses an array of methods to retrieve credentials from misconfigured web servers, like targeting environment variable files and configuration files that might contain SMTP, AWS console, Mailgun, Twilio, and Nexmo credentials.