Cybersecurity Analysts have linked an active spear-phishing campaign targeting the U.S. automotive industry to FIN7, a cybercrime syndicate with records of several nefarious acts. Details about the attack revealed the group is leveraging a Carbank backdoor called Anunak to perform their acts. Further details revealed by BlackBerry research teams state, “FIN7 identified employees at the company who worked in the IT department and had higher levels of administrative rights. They used the lure of a free IP scanning tool to run their well-known Anunak backdoor and gain an initial foothold utilizing living off the land binaries, scripts, and libraries (LOLBAS).”
Android Users are on Alert of a New Trojan called “SoumniBot”
Android users in South Korea are now alerted regarding their device usage due to the detection of SoumniBot, an Android trojan targeting the area. The report about the malware by Kaspersky researcher Dmitry Kalinin explained some details about the malware, which is “notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest.” The threat actor behind the attack is said to evade detection using three methods. The first involves leveraging the use of an invalid compression method value during the unpacking of the APK’s manifest file. The second stage consists of misrepresenting the archived manifest file size; the third is about utilizing long XML namespace names in the manifest file, rendering analysis tools useless and incapable of allocating memory to process them.
LabHost Phishing Services Disrupted by the Police in a Global Operation Leading to the Arrest of Over 30 Individuals.
LabHost, a cybercrime service described as one of the largest Phishing-as-a-Service (PhaaS) providers, is responsible for offering phishing pages targeting banks, high-profile organizations, and Canadian, U.S., and U.K. service providers. The international police clampdown on the group and its operations has resulted in the arrest of 37 individuals linked to the theft of personal credentials, which is part of the activities of the crime group. Some further reports about the operation tagged PhishOFF and Nebulae revealed the arrest of two LabHost users from Melbourne and Adelaide and three others in connection with drug-related offenses. The Australian Federal Police (AFP) also released a statement about it.
“Australian offenders are allegedly among 10,000 cybercriminals globally who have used the platform, known as LabHost, to trick victims into providing their personal information, such as online banking logins, credit card details, and passwords, through persistent phishing attacks sent via texts and emails.”
OpenMetadata Flaws Now Exploited by Hackers to Mine Crypto on Kubernetes
The listed OpenMetadata vulnerabilities become a playground for hackers to gain unauthorized access to Kubernetes workloads and mine cryptocurrencies.
CVE-2024-28847 (CVSS score: 8.8) – A Spring Expression Language (SpEL) injection vulnerability in PUT /api/v1/events/subscriptions (fixed in version 1.2.4)
CVE-2024-28848 (CVSS score: 8.8) – A SpEL injection vulnerability in GET /api/v1/policies/validation/condition/<expr> (fixed in version 1.2.4)
CVE-2024-28253 (CVSS score: 8.8) – A SpEL injection vulnerability in PUT /api/v1/policies (fixed in version 1.3.1)
CVE-2024-28254 (CVSS score: 8.8) – A SpEL injection vulnerability in GET /api/v1/events/subscriptions/validation/condition/<expr> (fixed in version 1.2.4)
CVE-2024-28255 (CVSS score: 9.8) – An authentication bypass vulnerability (fixed in version 1.2.4)
Microsoft Threat Intelligence team also confirmed the weaponization of these flaws since April 2024.
The Cactus ransomware group attack on XD Connects has resulted in the exfiltration and disclosure of 1% of a 1TB data set. The Netherlands company specializes in Design, Manufacturing, Wholesale, and Sustainability. It has over 500 employees and a revenue of $50.5 million.
