Cybersecurity experts have raised concerns over a suspected attack by Russian hackers on four Ukrainian telecom providers using AcidPour, a data-wiping malware that can disable embedded devices. A longer statement about the malware’s ability by Juan Andres Guerrero Saade and Tom Hegel revealed that “AcidPour’s expanded capabilities would enable it to better disable embedded devices including networking, IoT, large storage (RAIDs), and possibly ICS devices running Linux x86 distributions,” Activities around the malware observed to be a variant of AcidRain is associated with threat activity cluster of the Russian military intelligence.
Over 100 Organizations in the E.U. and U.S. faces New StrelaStealer Phishing Attacks.
The trend of phishing attacks aimed at delivering StrelaStealer, an ever-evolving information stealer, became a concern after the discovery by cybersecurity researchers. Companies primarily targeted are E.U. and U.S finance, manufacturing, high-tech, professional and legal, insurance, energy, government, and construction companies. A cybersecurity researcher disclosed
“These campaigns come in the form of spam emails with attachments that eventually launch the StrelaStealer’s DLL payload. In an attempt to evade detection, attackers change the initial email attachment file format from one campaign to the next, to prevent detection from the previously generated signature or patterns.”
A closer observation of the attack vector shows it delivers a variant of the stealer that packs in better obfuscation and anti-analysis techniques. It is propagated via invoice-themed emails bearing ZIP attachments containing a JavaScript file developed to drop a batch file, which triggers the launching of the stealer DLL payload using rundll32.exe.
Connectwise, F5 Software Flaws Exploited by China-Linked Group
According to cybersecurity researchers, a China-linked threat actor is believed to have orchestrated a widespread attack against Southeast Asian and U.S. research and education institutions, Hong Kong businesses, charity organizations, and NGOs leveraging the security flaws present in Connectwise ScreenConnect and F5 BIG-IP software. Further information revealed that through the campaign, the actor delivers custom malware that creates a backdoor on a compromised Linux host.
The flaws are tagged (CVE-2023-22518) Atlassian Confluence, (CVE-2024-1709) ConnectWise ScreenConnect, (CVE-2023-46747) F5 BIG-IP, (CVE-2022-0185) Linux Kernel, and (CVE-2022-3052) Zyxel. Google-owned Mandiant also tracks the activity under the uncategorized moniker UNC5174.
Over 39,000 WordPress Sites Gets Infected With Scam Redirects through Massive Sign1 Campaign
Reports from Sucuri revealed that over 2,500 sites have been compromised through the campaign in the last two months, while over 39,000 WordPress sites have become victims of the Sign1 malware campaign in the previous six months. The campaign aimed at redirecting users to a scam website uses JavaScript Injections. When inserted into a legitimate HTML widget, the injection provides attackers the ground to attach their malicious codes to the websites. In the process, an XOR-encoded JavaScript code is subsequently decoded and used to execute a JavaScript file hosted on a remote server that promotes redirection to a VexTrio-operated traffic distribution system (TDS) on certain conditions.
Ben Martin, a cybersecurity researcher, explained the attackers’ aim in a statement: “One of the most noteworthy things about this code is that it is specifically looking to see if the visitor has come from any major websites such as Google, Facebook, Yahoo, Instagram, etc.”
