Newsletter For Fifth Week of March 2023

New Dark Power ransomware claims 10 victims in its first month
A new ransomware operation named ‘Dark Power’ has appeared, and it has already listed its first victims on a dark web data leak site, threatening to publish the data if a ransom is not paid. The ransomware gang’s encryptor has a compilation date of January 29, 2023, when the attacks started. Furthermore, the operation has not been promoted on any hacker forums or dark web spaces yet; hence it’s likely a private project.

READ MORE

 

North Korean hackers using Chrome extensions to steal Gmail emails
A joint cybersecurity advisory from the German Federal Office for the Protection of the Constitution (BfV) and the National Intelligence Service of the Republic of Korea (NIS) warns about Kimsuky’s use of Chrome extensions to steal targets’ Gmail emails. Kimsuky (aka Thallium, Velvet Chollima) is a North Korean threat group that uses spear phishing to conduct cyber-espionage against diplomats, journalists, government agencies, university professors, and politicians. Initially focused on targets in South Korea, the threat actors expanded operations over time to target entities in the USA and Europe. The joint security advisory was released to warn of two attack methods used by the hacking group — a malicious Chrome extension and Android applications. While the current campaign targets people in South Korea, the techniques used by Kimsuky can be applied globally, so raising awareness is vital.

READ MORE

 

Hackers use new PowerMagic and CommonMagic malware to steal data
Security researchers have discovered attacks from an advanced threat actor that used “a previously unseen malicious framework” called CommonMagic and a new backdoor called PowerMagic. Both malware pieces have been used since at least September 2021 in operations that continue to this day and target organizations in the administrative, agriculture, and transportation sectors for espionage purposes.

READ MORE

 

LockBit ransomware gang now also claims City of Oakland breach
Another ransomware operation, the LockBit gang, now threatens to leak what it describes as files stolen from the City of Oakland’s systems. However, the gang has yet to publish any proof that they’ve stolen any files from the West Coast port city’s network. On the new entry added to the LockBit dark web data leak website, they’re only warning that all the data they have will be published in 19 days, on April 10. LockBit has previously made claims that have proven to be false on at least one occasion.

READ MORE

 

New Android Banking Malware Attacking Over 400 Financial Apps
Several threat actors have already been using a newly discovered Android banking trojan, dubbed Nexus, to target 450 financial applications and steal data. While this malware was identified by analysts at the Italian cybersecurity firm Cleafy, they affirmed that it is still in its early development stages. However, account takeover (ATO) attacks against banking portals and cryptocurrency service providers can already be conducted with this malware, as it is equipped with all the main features needed for them.

READ MORE

 

Windows 11 and 10’s Snipping Tools Vulnerable to Data Exposure
New research has revealed that Microsoft’s Snipping Tool for Windows 11 and the Snip & Sketch tool in Windows 10 have a vulnerability that could allow sensitive information to be accessed by others. The vulnerability was discovered by David Buchanan, who found that if a screenshot was taken, saved, and then cropped and saved again, the cropped-out data may still be present in the file, and with a few “minor changes” the information could be recovered. While the vulnerability appears to be somewhat limited, Buchanan warns that information people thought they had deleted may still be floating around on the internet.

READ MORE

 

Hackers Inject Weaponized JavaScript (JS) on 51,000 Websites
Researchers from Unit 42 have been monitoring a widespread campaign of harmful JavaScript (JS) injections. The campaign aims to redirect unsuspecting victims to dangerous content, including adware and fraudulent pages. The threat was active throughout 2022 and continues to infect websites in 2023. The malicious JS code was discovered on over 51,000 websites, with several hundred appearing in Tranco’s top 1 million ranked websites.


READ MORE

 

Dole discloses employee data breach after ransomware attack
Fresh produce giant Dole Food Company has confirmed threat actors behind a February ransomware attack have accessed the information of an undisclosed number of employees. The company revealed that last month’s cyberattack directly impacted its employees’ information in the annual report filed with the U.S. Securities and Exchange Commission (SEC) on Wednesday. Dole disclosed the ransomware attack on February 22 and said it had a limited impact on its operations.

READ MORE

 

‘Bitter’ espionage hackers target Chinese nuclear energy orgs
A cyberespionage hacking group tracked as ‘Bitter APT’ was recently seen targeting the Chinese nuclear energy industry using phishing emails to infect devices with malware downloaders. Bitter is a suspected South Asian hacking group known to target high-profile organizations in the energy, engineering, and government sectors in the Asian-Pacific region. This hacking campaign was discovered by threat analysts at Intezer, who attribute it to Bitter APT based on the observed TTPs (tactics, techniques, and procedures) that match those of past campaigns by the same threat actor.

READ MORE

 

New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers
Poorly managed Linux SSH servers are being targeted as part of a new campaign that deploys different variants of a malware called ShellBot. “ShellBot, also known as PerlBot, is a DDoS Bot malware developed in Perl and characteristically uses IRC protocol to communicate with the C&C server,” AhnLab Security Emergency response Center (ASEC) said in a report. ShellBot is installed on servers that have weak credentials, but only after threat actors make use of scanner malware to identify systems that have SSH port 22 open.
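The infection vector described above (scanning for open SSH, then guessing weak passwords) leaves a recognizable trace in sshd logs. As an added example that is not part of the ASEC report, the script below parses constructed auth-log lines, flags sources that exceed a failure threshold, and highlights a password login that follows such a run, which is the moment a bot like ShellBot would be installed.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log lines (not real data): one scanner spraying credentials
# and then succeeding, plus one legitimate user with a single typo.
SAMPLE_LOG = """\
Mar 27 02:14:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 27 02:14:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar 27 02:14:05 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Mar 27 02:14:07 host sshd[1204]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar 27 02:14:09 host sshd[1205]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Mar 27 02:20:11 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40011 ssh2
Mar 27 02:20:15 host sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def analyze(log_text: str, threshold: int = 3) -> dict:
    """Summarize brute-force activity: sources over the failure threshold, the
    usernames they tried, and any password login accepted after such a run."""
    failures = Counter()
    users = defaultdict(set)
    logins_after_spray = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            users[ip].add(user)
        elif m["method"] == "password" and failures[ip] >= threshold:
            logins_after_spray.append((ip, user))
    sources = {ip for ip, n in failures.items() if n >= threshold}
    return {
        "brute_force_sources": sources,
        "usernames_tried": {ip: sorted(users[ip]) for ip in sources},
        "password_logins_after_spray": logins_after_spray,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A non-empty `password_logins_after_spray` is the high-priority alert; the durable fix is disabling password authentication in sshd in favour of keys.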

READ MORE

 

 

The TechLab Cyber Security Team, responsible for monitoring, identifying, detecting, protecting, isolating, responding and recovering based on current threats, provides 24x7x365 services. TechLab Security specializes in various security products, projects, network devices, end-user devices, and systems.

The TechLab Cyber Security Team Major Responsibilities Are:
• Monitor, Analyze, Correlate & Escalate Intrusion Events,
• Develop Appropriate Responses; Protect, Detect, Respond,
• Conduct Incident Management and Forensic Investigation,
• Maintain Security Community Relationships,
• Various Cyber Security Consulting Services such as Penetration Testing, Vulnerability Assessment, PCI-DSS Compliance and ISO27001 implementation and Audit compliances,
• Assist in Crisis Operations.