do son@securityonline.info - 72d
The FBI has issued a warning about a new HiatusRAT malware campaign targeting web cameras and DVRs, particularly models from Chinese manufacturers. The attackers exploit weak default passwords and known, unpatched vulnerabilities in these devices, using tools such as Ingram (a webcam vulnerability scanner) and Medusa (a brute-force login tool) to gain unauthorized access. Once compromised, the devices are used as proxies and turned into covert communication channels. The campaign targets IoT devices in the US, Australia, Canada, New Zealand, and the UK. System administrators are urged to limit the use of the affected devices or isolate them from the rest of the network to prevent further exploitation.
SC Staff@scmagazine.com - 43d
North Korean state-sponsored hackers have been identified as the perpetrators behind cryptocurrency heists totaling over $659 million in 2024. A joint statement from the United States, Japan, and South Korea warns the blockchain industry about these escalating threats, which target not only exchanges and custodians but also individuals. The attacks use increasingly sophisticated methods, including fake job postings used to infiltrate companies, deploy malware, and conduct social engineering, with the Lazarus Group identified as a key player in these operations.
The attacks caused major losses for several cryptocurrency exchanges and platforms, including $308 million from DMM Bitcoin, $50 million each from Upbit and Radiant Capital, and $16.13 million from Rain Management. The joint statement also confirmed that North Korea was responsible for the $235 million theft from WazirX, an Indian cryptocurrency exchange, in July 2024. These operations are believed to fund North Korea's weapons programs, underscoring the international financial impact of the regime's cyber activity.
@www.bleepingcomputer.com - 32d
A cyberattack has successfully targeted low-skilled hackers, often referred to as "script kiddies," using a trojanized version of the XWorm RAT builder. The fake builder, advertised as a penetration-testing tool, silently infects the user's system with a backdoor, which allowed the attacker to compromise over 18,000 devices worldwide. The malware was distributed through file-sharing services, GitHub repositories, Telegram channels, and even YouTube. Once installed, it exfiltrated sensitive data such as browser credentials, Discord tokens, Telegram data, and system information.
The campaign highlights the risks faced even by those attempting to engage in hacking. Threat actors using aliases such as "@shinyenigma" and "@milleniumrat" exploited the eagerness of these individuals to download and run tools promoted in online tutorials. Infected machines are concentrated in Russia, the United States, India, Ukraine, and Turkey. The malware uses Telegram for command and control, communicating through hardcoded bot tokens and Telegram Bot API calls. Security researchers identified a kill switch that can disrupt the malware on active devices, though its reach is limited by machines that are offline and by Telegram's rate limiting.
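Because the Bot API puts the bot token in the URL path of every request (https://api.telegram.org/bot&lt;token&gt;/&lt;method&gt;), Telegram-based C2 of the kind described above is visible in ordinary web-proxy logs without any decryption. The following is an added example of that detection logic, not code from the article or from the researchers it cites: it parses a constructed proxy log format (timestamp, client, verb, URL, quoted user agent; the lines are made up for the example), extracts bot tokens, flags clients calling command-polling or exfiltration methods, and groups hosts by token, since one token shared across many hosts marks one operator's whole victim set.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# A Telegram Bot API token has the form "<numeric bot id>:<35-char secret>" and
# appears in the path of every Bot API request: /bot<token>/<method>.
TOKEN_RE = r"(\d{8,10}:[A-Za-z0-9_-]{35})"
BOT_PATH_RE = re.compile(r"^/bot" + TOKEN_RE + r"/([A-Za-z]+)")

# Methods that map onto RAT/stealer behaviour: polling for operator commands
# (getUpdates) and pushing stolen files or text to the operator's chat.
C2_METHODS = {"getUpdates", "sendDocument", "sendMessage", "sendPhoto"}

# Constructed proxy log lines for the example (not real traffic).
# Format assumed here: <timestamp> <client ip> <verb> <url> "<user-agent>"
SAMPLE_LOG = """\
2025-01-20T10:01:02Z 10.0.5.17 GET https://api.telegram.org/bot7012345678:AAF3kq8-zZv1Xy2Wq9Lp0Mn4Rt7Yu8Io1Qw/getUpdates "python-requests/2.31.0"
2025-01-20T10:01:05Z 10.0.5.17 POST https://api.telegram.org/bot7012345678:AAF3kq8-zZv1Xy2Wq9Lp0Mn4Rt7Yu8Io1Qw/sendDocument ""
2025-01-20T10:02:11Z 10.0.5.22 GET https://web.telegram.org/a/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"
2025-01-20T10:03:40Z 10.0.5.30 GET https://api.telegram.org/bot7012345678:AAF3kq8-zZv1Xy2Wq9Lp0Mn4Rt7Yu8Io1Qw/getMe "curl/8.4.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def parse_line(line):
    """Split one log line into fields; returns None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, verb, url, ua = m.groups()
    return {"ts": ts, "client": client, "verb": verb, "url": url, "ua": ua}


def bot_call(url):
    """Return (token, method) if the URL is a Telegram Bot API call, else None."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(parts.path)
    return (m.group(1), m.group(2)) if m else None


def redact(token):
    """Keep the numeric bot id (enough to correlate) and hide the secret half."""
    bot_id, _secret = token.split(":", 1)
    return f"{bot_id}:<redacted>"


def find_telegram_c2(log_text):
    """One finding per (client, token): which methods it called and by which user agent."""
    findings = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        hit = bot_call(rec["url"])
        if hit is None:
            continue
        token, method = hit
        f = findings.setdefault((rec["client"], token), {
            "client": rec["client"], "token": token, "first_seen": rec["ts"],
            "methods": set(), "user_agents": set(), "c2_like": False,
        })
        f["methods"].add(method)
        f["user_agents"].add(rec["ua"])
        if method in C2_METHODS:
            f["c2_like"] = True
    return list(findings.values())


def hosts_sharing_token(findings):
    """Group clients by token: a token seen on many hosts is one operator's fleet."""
    by_token = defaultdict(set)
    for f in findings:
        by_token[f["token"]].add(f["client"])
    return {redact(t): sorted(hosts) for t, hosts in by_token.items()}


if __name__ == "__main__":
    results = find_telegram_c2(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: f["client"]):
        tag = "C2-like" if f["c2_like"] else "bot API"
        print(f"{f['client']} {tag} token={redact(f['token'])} "
              f"methods={sorted(f['methods'])} ua={sorted(f['user_agents'])}")
    print("hosts per token:", hosts_sharing_token(results))
```

Legitimate Telegram use goes through web.telegram.org or the desktop client, not the Bot API with a token, so a workstation calling /bot&lt;token&gt;/getUpdates is a strong signal on its own; the shared-token grouping is what turns one alert into the list of every host the same operator controls. Log the redacted form only, since the token itself is the operator's credential.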
@securityonline.info - 43d
The United States, Japan, and South Korea have jointly warned the blockchain industry about escalating cyber threats from state-sponsored North Korean hackers. The attacks are not limited to the three nations but extend to the broader international community, with a specific focus on stealing cryptocurrency from exchanges, custodians, and individual users. The activity, attributed to groups such as the Lazarus Group, generates illicit revenue for the North Korean government's weapons programs.
The scale of these heists is significant, with over $650 million stolen in 2024 alone. Major losses include $308 million from DMM Bitcoin, $50 million from Upbit, and $16.1 million from Rain Management. The 2024 attacks on WazirX ($235 million) and Radiant Capital ($50 million) have also been attributed to North Korean cyber actors. The tactics are becoming increasingly advanced, involving social engineering that delivers malware families such as TraderTraitor and AppleJeus. The joint statement underscores the need for stronger cybersecurity measures and international cooperation to prevent further financial losses.
References: Cybernews, securityonline.info
@www.recordedfuture.com - 49d
The Chinese state-sponsored cyber espionage group known as RedDelta, also tracked as Mustang Panda, has been actively targeting several countries in Asia and beyond since July 2023. Its operations have focused primarily on Mongolia, Taiwan, and Southeast Asia, but have also extended to Japan, the United States, Ethiopia, Brazil, Australia, and India. RedDelta uses spearphishing with lure documents themed around political and cultural events, such as the 2024 Taiwanese presidential candidate Terry Gou, the Vietnamese National Holiday, flood protection in Mongolia, and meeting invitations. The group has been observed delivering its customized PlugX backdoor through adapted infection chains against government and diplomatic organizations.
RedDelta has evolved its delivery methods over time, initially using Windows Shortcut (LNK) files, transitioning to Microsoft Management Console Snap-In Control (MSC) files in 2024, and most recently using HTML files hosted on Microsoft Azure. Since July 2023 the group has consistently used the Cloudflare content delivery network (CDN) to proxy command-and-control (C2) traffic so that it blends in with legitimate network activity, which makes identifying victims more difficult. The group's activity, which has included successful compromises of the Mongolian Ministry of Defense and the Communist Party of Vietnam, aligns with the Chinese government's strategic priorities in Asia.