My Weekly Roundup #160
A new botnet Orchard Generates DGA Domains with Bitcoin Transaction Information
DGA is one of the classic techniques for botnets to hide their C2s. An attacker only needs to selectively register a very small number of C2 domains, while for the defenders, it is difficult to determine in advance which domain names will be generated and registered.
Twitter confirms zero-day used to expose data of 5.4 million accounts
Twitter has confirmed a recent data breach was caused by a now-patched zero-day vulnerability used to link email addresses and phone numbers to users’ accounts, allowing a threat actor to compile a list of 5.4 million user account profiles.
Unauthenticated RCE can allow hacking DrayTek Vigor routers without user interaction
A critical flaw in multiple models of DrayTek Vigor routers can allow unauthenticated, remote attackers to fully compromise affected devices.
Flight of the Bumblebee: Email Lures and File Sharing Services Lead to Malware
Among the threat actors distributing Bumblebee is Projector Libra. Also known as EXOTIC LILY, Projector Libra is a criminal group that uses file sharing services to distribute malware after direct email correspondence with a potential victim.
Student crashes Cloudflare beta party, redirects email, bags a bug bounty
A Danish ethical hacker was able to work his way uninvited into a closed Cloudflare beta and found a vulnerability that could have been exploited by a cybercriminal to hijack and steal someone else’s email.
GitHub blighted by “researcher” who created thousands of malicious projects
Just over a year ago, we wrote about a “cybersecurity researcher” who posted almost 4000 pointlessly poisoned Python packages to the popular repository PyPI.
Woody RAT: A new feature-rich malware spotted in the wild
The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year.
Initial Access Brokers Are Key to Rise in Ransomware Attacks
Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.
Large-Scale AiTM Attack targeting enterprise users of Microsoft email services
ThreatLabz has discovered a new strain of a large-scale phishing campaign, which uses adversary-in-the-middle (AiTM) techniques along with several evasion tactics. Similar AiTM phishing techniques were used in another phishing campaign described by Microsoft recently here.
For months, JusTalk messages were accessible to everyone on the Internet
JusTalk, a popular mobile video calling and messaging app with 20 million global users, exposed a massive database of supposedly private messages to the public Internet for months.
LOLI Stealer – Golang-based InfoStealer spotted in the wild
Cyble Research Labs has been actively monitoring various Stealers and blogging about them to keep our readers aware and informed. Recently, we came across a malware sample which turned out to be a new malware variant named “LOLI Stealer.”
97% of top universities in the US, UK and Australia putting students, staff, and stakeholders at risk of being impersonated by cybercriminals
SolidBit Ransomware Enters the RaaS Scene and Takes Aim at Gamers and Social Media Users With New Variant
This blog entry offers a technical analysis of a new SolidBit variant that is posing as different applications to lure gamers and social media users.
Manjusaka: A Chinese sibling of Sliver and Cobalt Strike
Even though the request is an HTTP GET, it sends two bytes that are 0x191a as data. The reply is always the same, consisting of five bytes 0x1a1a6e0429. This is the C2 standard reply, which does not correspond to any kind of action on the implant.
Founder of pro-Russian hacktivist Killnet quitting group
The founder and leader of the crowdsourced pro-Russian hacktivists Killnet announced his plans to leave the group after an upcoming hack and leak operation against Lockheed Martin. Killnet is part of a new breed of cyberwarfare that emerged during Russia’s invasion of Ukraine.
Movie torrents hijacked to send tips on bypassing Russian censorship
A team of Ukrainian cyber-activists has thought of a simple yet potentially effective way to spread uncensored information in Russia: bundling torrents with text and video files pretending to include installation instructions.
Fileless Malware: What It Is and How It Works
Fileless malware uses a computer system’s built-in tools to execute a cyberattack. In other words, fileless malware takes advantage of the vulnerabilities present in installed software to facilitate an attack.
Malicious CHM Being Distributed to Korean Universities
The ASEC analysis team discovered that a malicious CHM file targeting certain Korean universities is distributed on a massive scale. The file that is being distributed is the same type as the one discussed in a post uploaded in May. Figure 1 shows the code of the HTM file inside the malicious CHM.
At least 34 healthcare orgs affected by alleged ransomware attack on OneTouchPoint
A ransomware attack on printing and mailing services provider OneTouchPoint is having several downstream effects on its customers, prompting it to release a data breach notice last week on behalf of 34 healthcare organizations.
How I Used DALL·E 2 to Generate The Logo for OctoSQL
Everybody has heard about the latest cool thing™, which is DALL·E 2 (henceforth called Dall-e). A few months ago, when the first previews started, it was basically everywhere.
Mark Hamill Works at the Jack In the Box Drive-Thru Where He Once Got Fired [Video]
A long time ago, in a Jack in the Box drive-thru far, far away, an unknown Mark Hamill got fired for making clown voices. Many years later, owners probably biting their fingers, Mark is back with the clown voices, surprising fans with tales from the past… and autographs too!
‘Better Call Saul’ Recap: It’s ‘Breaking Bad’ Time
And here they finally are. Walter White and Jesse Pinkman. As the latter would say: Yeah, bitch!