"Highly Evasive SquidLoader Malware Targets China"

A malware loader called "SquidLoader" is linked to an unknown threat actor that has targeted Chinese-speaking victims for two years, LevelBlue Labs reports. LevelBlue Labs believes SquidLoader was active for at least a month before its discovery at the end of April. The threat actor using it has long targeted entities in China. Recently observed attacks start with phishing emails delivering malware loaders disguised as documents for Chinese organizations. When the loaders are executed, they fetch shellcode payloads and execute them in the loader process' memory.

Submitted by Gregory Rigby on

"French Diplomatic Entities Targeted by Russian-Aligned Nobelium"

The French cybersecurity agency ANSSI reports that the Russian-aligned threat actor "Nobelium" has targeted French diplomatic entities and public organizations since 2021. The French agency said the threat actor participated in at least five coordinated campaigns between 2021 and 2024. Nobelium has targeted the French Ministry of Culture, the French Ministry of Foreign Affairs, the National Agency for Territorial Cohesion (ANCT), and several French embassies.

Submitted by Gregory Rigby on

"LockBit Most Prominent Ransomware Actor in May 2024"

According to security researchers at the NCC Group, the notorious LockBit group has reemerged to become the most prominent ransomware actor in May 2024. The researchers noted that LockBit 3.0 returned to the fold in May to launch 176 ransomware attacks, 37% of the total number for the month. This represents an enormous 665% month-on-month increase for the ransomware-as-a-service (RaaS) gang. LockBit's activity in May was higher than the next most prominent groups: Play, which was responsible for 32 attacks (7%), and RansomHub with 22 attacks (5%).

Submitted by Adam Ekwall on

"New Rust-based Fickle Malware Uses PowerShell for UAC Bypass and Data Exfiltration"

"Fickle Stealer," a new Rust-based information stealer malware, is delivered via multiple attack chains to steal sensitive data from compromised hosts. Fortinet FortiGuard Labs said it knows of four distribution methods, some of which use a PowerShell script to bypass User Account Control (UAC) and execute Fickle Stealer. The script periodically sends the victim's country, city, IP address, operating system version, computer name, and username to the attacker's Telegram bot. This article continues to discuss findings regarding the Fickle Stealer malware.

Submitted by Gregory Rigby on

"Hundreds of PC, Server Models Possibly Affected by Serious Phoenix UEFI Vulnerability"

Phoenix Technologies' SecureCore UEFI firmware solution has a high-severity vulnerability that could affect hundreds of PC and server models using Intel processors. Researchers at Eclypsium discovered the vulnerability, called "UEFIcanhazbufferoverflow," using an automated analysis system. Using the security hole, a local attacker can escalate privileges and execute arbitrary code in UEFI firmware during runtime. Eclypsium warned that the BlackLotus UEFI rootkit may exploit this vulnerability.

Submitted by Gregory Rigby on

"Two Men Plead Guilty to Hacking Law Enforcement Database for Doxing"

Two men from New York and Rhode Island have recently pleaded guilty to hacking into a database maintained by a US federal law enforcement agency and using stolen personal information to extort people. The Department of Justice (DoJ) said Sagar Steven Singh, 20, and Nicholas Ceraolo, 26, were part of an extortion group called Vile, which sought to harvest personal information and then post or threaten to post it on a public website, an action referred to as doxing. Victims were then asked to pay the miscreants to have their personal information removed from the website.

Submitted by Adam Ekwall on

"X-Force Discovers New Vulnerabilities in Smart Treadmill"

Due to the many features of Internet-connected gym machines, IBM X-Force Red researchers decided to explore their user data security and whether there was any risk to users' physical safety. The team researched smart treadmills from Precor, a leading fitness equipment brand with over 143,000 machines containing Internet-connected consoles. Using an exposed SSH key pair, the researchers gained root-level access to three console versions and showed that treadmill belts can be stopped remotely, which could harm users.

Submitted by Gregory Rigby on

"UNC3886 Uses Fortinet, VMware 0-Days and Stealth Tactics in Long-Term Spying"

The cyber espionage actor "UNC3886," linked to the zero-day exploitation of Fortinet, Ivanti, and VMware security flaws, uses multiple persistence mechanisms to maintain access to compromised environments. According to Mandiant researchers, the persistence mechanisms involved network devices, hypervisors, and Virtual Machines (VMs). The adversary has exploited zero-day flaws impacting Fortinet FortiOS, VMware vCenter, and VMware Tools to deploy backdoors, steal credentials, and more. This article continues to discuss findings regarding UNC3886 espionage operations.

Submitted by Gregory Rigby on

"Researchers Exploit Kraken Exchange Bug, Steal $3 Million in Crypto"

The cryptocurrency exchange Kraken has revealed that alleged security researchers stole $3 million in cryptocurrency using a zero-day website bug. Chief Security Officer Nick Percoco disclosed that the exchange's security team received a vague bug report about an "extremely critical" flaw. It enabled anyone to artificially increase a Kraken wallet's balances. Kraken investigated the report and found a bug that allowed attackers to initiate deposits and receive funds even if the deposit failed.

Submitted by Gregory Rigby on

"Critical VMware Bugs Open Swaths of VMs to RCE, Data Theft"

Broadcom has addressed three VMware vCenter vulnerabilities, two of which are critical and enable Remote Code Execution (RCE). Hackers continue to target Virtual Machines (VMs) due to their rich repositories of sensitive data and applications. VMware vCenter is the central management console for VMware virtual environments, used to view and manage VMs, multiple ESXi hosts, and all dependent components. The heap overflow vulnerabilities were found in vCenter's Distributed Computing Environment/Remote Procedure Call (DCERPC) implementation.

Submitted by Gregory Rigby on