Security News

Microsoft on Wednesday disclosed that it identified a set of highly targeted social engineering attacks mounted by a Russian nation-state threat actor using credential theft phishing lures sent as Microsoft Teams chats. Microsoft said the campaign, observed since at least late May 2023, affected less than 40 organizations globally spanning government, non-government organizations, IT services, technology, discrete manufacturing, and media sectors.

Microsoft says a hacking group tracked as APT29 and linked to Russia's Foreign Intelligence Service targeted dozens of organizations worldwide, including government agencies, in Microsoft Teams phishing attacks. These new domains were part of the 'onmicrosoft.com' domain, a legitimate Microsoft domain that is automatically used by Microsoft 365 for fallback purposes in case a custom domain is not created.

Hackers exploited a zero-day vulnerability in Salesforce's email services and SMTP servers to launch a sophisticated phishing campaign targeting valuable Facebook accounts.The attackers chained a flaw dubbed "PhishForce," to bypass Salesforce's sender verification safeguards and quirks in Facebook's web games platform to mass-send phishing emails.

Services offered by an obscure Iranian company known as Cloudzy are being leveraged by multiple threat actors, including cybercrime groups and nation-state crews. The Texas-based cybersecurity firm said the company acts as a command-and-control provider, which provides attackers with Remote Desktop Protocol virtual private servers and other anonymized services that ransomware affiliates and others use to pull off the cybercriminal endeavors.

Chinese state-sponsored hackers have been targeting industrial organizations with new malware that can steal data from air-gapped systems. Researchers at cybersecurity company Kaspersky discovered the new malware and attributed it to the cyber-espionage group APT31, a.k.a. Zirconium.

Hackers are using a fake Android app named 'SafeChat' to infect devices with spyware malware that steals call logs, texts, and GPS locations from phones. The Android spyware is suspected to be a variant of "Coverlm," which steals data from communication apps such as Telegram, Signal, WhatsApp, Viber, and Facebook Messenger.

Hackers are actively exploiting a 'BleedingPipe' remote code execution vulnerability in Minecraft mods to run malicious commands on servers and clients, allowing them to take control of the devices. BleedingPipe is a vulnerability found in many Minecraft mods caused by the incorrect use of deserialization in the 'ObjectInputStream' class in Java to exchange network packets between servers and clients.

Threat actors associated with the hacking crew known as Patchwork have been spotted targeting universities and research organizations in China as part of a recently observed campaign. "Patchwork relied on a range of elaborate fictitious personas to socially engineer people into clicking on malicious links and downloading malicious apps," the social media giant said.

The U.S. Cybersecurity and Infrastructure Security Agency on Friday disclosed details of a "Novel persistent backdoor" called SUBMARINE deployed by threat actors in connection with the hack on Barracuda Email Security Gateway appliances. The findings come from an analysis of malware samples obtained from an unnamed organization that had been compromised by threat actors exploiting a critical flaw in ESG devices, CVE-2023-2868, which allows for remote command injection.

A legitimate Windows search feature is being exploited by malicious actors to download arbitrary payloads from remote servers and compromise targeted systems with remote access trojans such as AsyncRAT and Remcos RAT. The novel attack technique, per Trellix, takes advantage of the "Search-ms:" URI protocol handler, which offers the ability for applications and HTML links to launch custom local searches on a device, and the "Search:" application protocol, a mechanism for calling the desktop search application on Windows. It's worth noting that clicking on the link also generates a warning "Open Windows Explorer?," approving which "The search results of remotely hosted malicious shortcut files are displayed in Windows Explorer disguised as PDFs or other trusted icons, just like local search results," the researchers explained.