"RUBYCARP," a threat group with suspected Romanian origins, has been observed operating a long-running botnet for cryptocurrency mining, Distributed Denial-of-Service (DDoS), and phishing attacks. According to Sysdig, the group has been active for at least ten years and uses the botnet for financial gain. Its main mode of operation is a botnet launched through various public exploits and brute-force attacks.

It has recently been revealed that one month after paying cybercriminals to prevent the public release of data stolen in a February 2024 ransomware attack, Change Healthcare is being extorted again by a different cybercrime group.  Change Healthcare, a subsidiary of health insurance and services company UnitedHealth Group processes billions of healthcare transactions each year, and the ransomware attack crippled the healthcare system throughout the US.

Economic analysis and litigation support firm Greylock McKinnon Associates, Inc. (GMA) recently started notifying over 340,000 individuals that their personal and medical information was compromised in a year-old data breach.  The incident was detected on May 30, 2023, but it took the firm roughly eight months to investigate and determine what type of information was compromised and to identify the impacted individuals.  The company noted that both personal and Medicare information was compromised in the data breach.

ETH Zurich researchers have presented a secure one-way cryptographic function that differs from current methods. Instead of processing data using arithmetic operations, it is stored as a sequence of nucleotides, the chemical building blocks of DNA. Some experts believe that Q-Day will arrive within the next ten years. When this day comes, quantum computers will be so powerful that they can crack today's passwords. Password checks are based on the use of cryptographic one-way functions that calculate an output value from an input value.

According to 1Password, disruptive technologies such as Artificial Intelligence (AI) have exacerbated the tension between organizational security and employee productivity. Information Technology (IT) and security teams are struggling to keep up, even as their organizations face new challenges in a landscape constantly reshaped by rising cyber threats and disruptive technologies.

Magecart attackers are stashing persistent backdoors within e-commerce websites that can automatically push malware. According to Sansec researchers, the threat actors are exploiting a critical command injection vulnerability, tracked as CVE-2024-20720 with a CVSS score of 9.1, in the Adobe Magento e-commerce platform. It enables arbitrary code execution without user interaction.

Researchers have identified a new loader called "Latrodectus," linked to about a dozen campaigns since February 2024. The malware, which was mainly used by Initial Access Brokers (IABs), serves as a downloader to retrieve payloads and run arbitrary commands. Latrodectus was initially thought to be a variant of "IcedID," but a follow-up analysis confirmed that it is a different malware, most likely developed by the same creators as IcedID. Latrodectus was first discovered in operations linked to TA577, a known Qbot distributor.

A new phishing campaign is targeting Latin America to deliver malicious payloads to Windows systems. According to Trustwave SpiderLabs researcher Karla Agregado, the phishing email includes a ZIP file attachment that, when extracted, reveals an HTML file leading to a malicious file download disguised as an invoice. The HTML file contains a link that displays an error message, but when accessed from an IP address in Mexico, it loads a CAPTCHA verification page using Cloudflare Turnstile. This step leads to a redirect to another domain, from which a malicious RAR file is downloaded.

A team of researchers from ETH Zurich detailed a new type of attack that can compromise Confidential Virtual Machines (CVMs). They presented two variations of what they refer to as "Ahoi attacks." One of them, called "Heckler," involves a malicious hypervisor injecting interrupts to change data and control flow, which compromises CVMs' integrity and confidentiality.

About 2,000 hacked WordPress sites now show fake NFT and discount pop-ups, tricking visitors into connecting their wallets to cryptocurrency drainers that automatically steal funds. Last month, the website security company Sucuri revealed that hackers had compromised around 1,000 WordPress sites in order to promote cryptocurrency drainers through malvertising and YouTube videos.