Security News

Ransomware Hackers and Scammers Utilizing Cloud Mining to Launder Cryptocurrency
2023-06-15 16:20

Ransomware actors and cryptocurrency scammers have joined nation-state actors in abusing cloud mining services to launder digital assets, new findings reveal. In March, Google Mandiant disclosed that the North Korea-based APT43 uses hash rental and cloud mining services to obscure the forensic trail and wash stolen cryptocurrency "clean."

Barracuda ESG zero-day attacks linked to suspected Chinese hackers
2023-06-15 13:25

A suspected pro-China hacker group tracked by Mandiant as UNC4841 has been linked to data-theft attacks on Barracuda ESG appliances using a now-patched zero-day vulnerability. "Due to the sophistication displayed by UNC4841 and lack of full visibility into all compromised appliances, Barracuda has elected to replace and not reimage the appliance from the recovery partition out of an abundance of caution," John Palmisano, Mandiant Incident Response Manager - Google Cloud, told BleepingComputer.

Russian hackers use PowerShell USB malware to drop backdoors
2023-06-15 10:00

Symantec's threat research team, part of Broadcom, reports today that the Russian Gamaredon group has recently begun using USB malware to propagate to additional systems inside infected networks. Symantec's analysts report that Gamaredon's activity spiked between February and March 2023, and that the hackers maintained a presence on some compromised machines until May 2023.

Microsoft Warns of New Russian State-Sponsored Hacker Group with Destructive Intent
2023-06-15 09:00

Microsoft on Wednesday took the lid off a "novel and distinct Russian threat actor," which it said is linked to the General Staff Main Intelligence Directorate (GRU) and has a "relatively low success rate." The tech giant's Threat Intelligence team, which had previously tracked the group under its emerging moniker DEV-0586, has graduated it to a named actor dubbed Cadet Blizzard.

Chinese hackers use DNS-over-HTTPS for Linux malware communication
2023-06-14 17:01

The Chinese threat group 'ChamelGang' infects Linux devices with a previously unknown implant named 'ChamelDoH' that communicates with the attackers' servers over DNS-over-HTTPS (DoH), hiding its command-and-control traffic inside ordinary HTTPS. The link between ChamelGang and the new Linux malware is based on a domain previously associated with the threat actor and on a custom privilege escalation tool that Positive Technologies observed in past ChamelGang campaigns.
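Because DoH rides over port 443, passive monitoring of the resolver sees nothing; what remains is the HTTP layer where a TLS-inspecting proxy records the request. The script below is an added example (not ChamelDoH's actual traffic, nor code from Positive Technologies) that flags RFC 8484 signatures in proxy logs: the application/dns-message media type, the conventional /dns-query path, and the base64url dns= parameter of the GET form, which can be decoded to recover the queried name and record type. The log format and IP addresses are constructed for the example; a real deployment would map the field split onto its own proxy format and maintain an allowlist of sanctioned resolvers.

```python
"""Flag DNS-over-HTTPS (RFC 8484) requests in HTTP proxy logs.

Constructed log format (one request per line, whitespace separated):
    <timestamp> <source-ip> <method> <url> <request-content-type or '-'>
"""
import base64
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

DOH_MEDIA_TYPE = "application/dns-message"   # RFC 8484 section 6
DOH_PATH = "/dns-query"                      # path used in the RFC examples and by most public resolvers


def encode_question(name, qtype=1, txid=0):
    """Build a minimal DNS query (QR=0, RD=1, one question) and return it
    base64url-encoded without padding, as a DoH GET client would.
    RFC 8484 recommends transaction ID 0 so identical queries share a cache key."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    qname = b"".join(len(lbl).to_bytes(1, "big") + lbl.encode("ascii")
                     for lbl in name.split(".")) + b"\x00"
    message = header + qname + qtype.to_bytes(2, "big") + b"\x00\x01"  # QCLASS IN
    return base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")


def decode_doh_get(dns_param):
    """Recover (qname, qtype) from the base64url 'dns' parameter of a DoH GET."""
    raw = base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))
    if len(raw) < 12 or int.from_bytes(raw[4:6], "big") < 1:
        raise ValueError("not a DNS query with a question section")
    pos, labels = 12, []
    while True:
        length = raw[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers never appear in the first name
            raise ValueError("unexpected compression pointer in question name")
        labels.append(raw[pos:pos + length].decode("ascii"))
        pos += length
    qtype = int.from_bytes(raw[pos:pos + 2], "big")
    return ".".join(labels), qtype


def detect_doh(log_text, allowlist=frozenset()):
    """Return {source_ip: [(method, resolver_host, decoded_question_or_None), ...]}
    for every request that carries a DoH signature to a host not in `allowlist`."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, method, url, ctype = line.split()
        parts = urlsplit(url)
        dns_param = parse_qs(parts.query).get("dns", [None])[0]
        is_doh = ctype == DOH_MEDIA_TYPE or parts.path == DOH_PATH or dns_param is not None
        if not is_doh or parts.hostname in allowlist:
            continue
        detail = None
        if dns_param is not None:
            try:
                name, qtype = decode_doh_get(dns_param)
                detail = f"{name} type {qtype}"
            except (ValueError, UnicodeDecodeError):
                detail = "undecodable dns= parameter"  # still suspicious: report it
        findings[src].append((method, parts.hostname, detail))
    return dict(findings)


# Constructed sample: one host talking DoH (POST body queries plus a GET TXT query,
# the record type commonly abused to carry C2 data) and one host browsing normally.
_TXT_QUERY = encode_question("www.example.com", qtype=16)
SAMPLE_LOG = f"""\
2023-06-14T10:00:01Z 10.0.5.23 POST https://dns.example-resolver.net/dns-query {DOH_MEDIA_TYPE}
2023-06-14T10:00:02Z 10.0.5.23 POST https://dns.example-resolver.net/dns-query {DOH_MEDIA_TYPE}
2023-06-14T10:00:03Z 10.0.5.23 GET https://dns.example-resolver.net/dns-query?dns={_TXT_QUERY} -
2023-06-14T10:00:07Z 10.0.9.4 GET https://www.example.com/index.html -
2023-06-14T10:00:09Z 10.0.9.4 GET https://www.example.com/dns-query-faq.html -
"""

if __name__ == "__main__":
    for src, hits in detect_doh(SAMPLE_LOG).items():
        print(f"{src}: {len(hits)} DoH request(s)")
        for method, host, detail in hits:
            print(f"  {method} {host} {detail or ''}".rstrip())
```

The path match is exact on purpose: a substring check would flag the /dns-query-faq.html page on the second host. POST bodies are opaque to this script (the query lives in the request body), so for those requests the finding is the resolver host and cadence only; pivoting from there to the endpoint's process list is the next step, since a Linux server with no browser has little legitimate reason to speak DoH.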

Chinese Hackers Exploit VMware Zero-Day to Backdoor Windows and Linux Systems
2023-06-14 16:46

The Chinese state-sponsored group known as UNC3886 has been found to exploit a zero-day flaw in VMware ESXi hosts to backdoor Windows and Linux systems. The VMware Tools authentication bypass vulnerability, tracked as CVE-2023-20867, "enabled the execution of privileged commands across Windows, Linux, and PhotonOS guest VMs without authentication of guest credentials from a compromised ESXi host and no default logging on guest VMs," Mandiant said.

Chinese hackers used VMware ESXi zero-day to backdoor VMs
2023-06-13 16:48

VMware today patched an ESXi zero-day vulnerability exploited by a Chinese state-sponsored hacking group to backdoor Windows and Linux virtual machines and steal data. The cyber espionage group, tracked as UNC3886 by Mandiant, which discovered the attacks, abused the CVE-2023-20867 VMware Tools authentication bypass flaw to deploy the VirtualPita and VirtualPie backdoors on guest VMs from compromised ESXi hosts on which the attackers had already escalated privileges to root.

Hackers steal $3 million by impersonating crypto news journalists
2023-06-10 14:09

A hacking group tracked as 'Pink Drainer' is impersonating journalists in phishing attacks to compromise Discord and Twitter accounts for cryptocurrency-stealing attacks. According to ScamSniffer analysts, Pink Drainer successfully compromised the accounts of 1,932 victims to steal roughly $2,997,307 worth of digital assets on the Mainnet and Arbitrum.

Ukrainian hackers take down service provider for Russian banks
2023-06-09 22:06

Squad claimed an attack that took down Russian telecom provider Infotel JSC on Thursday evening. Among other things, Moscow-based Infotel provides connectivity services between the Russian Central Bank and other Russian banks, online stores, and credit institutions.

BBC, British Airways, Boots hit with hackers’ ultimatum after suffering MOVEit supply-chain attack
2023-06-09 21:34

British Airways, the BBC and Boots have all been served an ultimatum after they were hit by a supply-chain attack carried out by the Clop ransomware group. In February 2023, Clop had already claimed responsibility for an earlier supply-chain attack that affected more than 130 organizations and exposed data belonging to CHS Healthcare patients.