Security News

The Computer Emergency Response Team of Ukraine says Russian hackers are targeting various government bodies in the country with malicious emails supposedly containing instructions on how to update Windows as a defense against cyber attacks. Instead of legitimate instructions on upgrading Windows systems, the malicious emails advise the recipients to run a PowerShell command.

Veeam backup servers are being targeted by at least one group of threat actors known to work with multiple high-profile ransomware gangs. Malicious activity and tools echoing FIN7 attacks have been observed in intrusions since March 28, less than a week after an exploit became available for a high-severity vulnerability in Veeam Backup and Replication software.

Hackers are hijacking online stores to display modern, realistic-looking fake payment forms to steal credit cards from unsuspecting customers. These payment forms are shown as a modal, HTML content overlayed on top of the main webpage, allowing the user to interact with login forms or notification content without leaving the page.

The Chinese nation-state group dubbed Alloy Taurus is using a Linux variant of a backdoor called PingPull as well as a new undocumented tool codenamed Sword2033. Alloy Taurus is the constellation-themed moniker assigned to a threat actor that's known for its attacks targeting telecom companies since at least 2012.

The advanced persistent threat group referred to as Evasive Panda has been observed targeting an international non-governmental organization in Mainland China with malware delivered via update channels of legitimate applications like Tencent QQ. The attack chains are designed to distribute a Windows installer for MgBot malware, ESET security researcher Facundo Muñoz said in a new report published today. The group's hallmark is the use of the custom MgBot modular malware framework, which is capable of receiving additional components on the fly to expand on its intelligence-gathering capabilities.

Hackers are deploying new Linux malware variants in cyberespionage attacks, such as a new PingPull variant and a previously undocumented backdoor tracked as 'Sword2033. PingPull is a RAT first documented by Unit 42 last summer in espionage attacks conducted by the Chinese state-sponsored group Gallium, also known as Alloy Taurus.

An Iranian nation-state threat actor has been linked to a new wave of phishing attacks targeting Israel that's designed to deploy an updated version of a backdoor called PowerLess. The attack chain documented by Check Point begins with an ISO disk image file that makes use of Iraq-themed lures to drop a custom in-memory downloader that ultimately launches the PowerLess implant.

The Russian-speaking threat actor behind a backdoor known as Tomiris is primarily focused on gathering intelligence in Central Asia, fresh findings from Kaspersky reveal. Tomiris first came to light in September 2021 when Kaspersky highlighted its potential connections to Nobelium, the Russian nation-state group behind the SolarWinds supply chain attack.

Threat actors are employing a previously undocumented "Defense evasion tool" dubbed AuKill that's designed to disable endpoint detection and response software by means of a Bring Your Own Vulnerable Driver attack. "The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system," Sophos researcher Andreas Klopsch said in a report published last week.

Threat actors have been observed leveraging a legitimate but outdated WordPress plugin to surreptitiously backdoor websites as part of an ongoing campaign, Sucuri revealed in a report published last week. The plugin in question is Eval PHP, released by a developer named flashpixx.