According to Forcepoint researchers, scammers are targeting users of the popular travel-related service provider Booking.com with Agent Tesla malware disguised as inquiries. Attackers send emails impersonating Booking.com, instructing the recipient to check an attached malware-infected PDF for a card statement. They exploit the stress caused by last-minute travel-related emails. Agent Tesla malware is an advanced Remote Access Trojan (RAT) that serves as a keylogger and information stealer. It is one of the most widely used RATs, impacting up to 7 percent of organizations worldwide.

Cybersecurity researchers at Patchstack have discovered a significant vulnerability in a WordPress plugin.  The vulnerability affects the LiteSpeed Cache plugin, which boasts over 4 million active installations and presents a risk of unauthenticated site-wide stored XSS (cross-site scripting).  The researchers noted that this could potentially allow unauthorized access to sensitive information or privilege escalation on affected WordPress sites via a single HTTP request.

For nearly two months, malicious JavaScript code hidden within a Tornado Cash governance proposal has been leaking deposit notes and data to a private server. Tornado Cash is a decentralized, open-source mixer on the Ethereum blockchain that ensures transaction privacy through non-custodial, trustless, and serverless anonymization. Governance proposals in Decentralized Autonomous Organizations (DAOs) such as Tornado Cash are important mechanisms for establishing strategic directions, presenting updates, and changing the core of technical protocols.

The Rhysida ransomware gang is demanding $3.4 million after attacking Lurie Children's Hospital, forcing staff to use manual processes to take care of patients. The Rhysida Ransomware-as-a-Service (RaaS) group, which emerged in May 2023 and has previously disrupted 16 hospitals in the US, has now added Lurie Children's Hospital to its darknet extortion site. The hospital is one of the largest pediatric healthcare organizations in the Midwest, serving 239,000 children annually and treating more children with cancer and blood disorders than any other hospital in Illinois.

Canadian authorities recently were scrambling to respond to cyberattacks targeting the Royal Canadian Mounted Police (RCMP) and Global Affairs Canada.

According to security researchers at Guardio, thousands of domains, many once owned by major companies, have been abused to get millions of emails past spam filters.  The researchers came across a significant campaign dubbed SubdoMailing and attributed it to a threat actor named ResurrecAds.  The researchers reported identifying roughly 8,800 hijacked domains, specifically over 13,000 associated subdomains, being used to send out approximately five million emails per day.  The researchers noted that the number of abused domains is growing by the hundreds every day.

The National Institute of Standards and Technology (NIST) has updated the Cybersecurity Framework (CSF), its widely used guidance document for reducing cybersecurity risk. The 2.0 edition is for all audiences, industry sectors, and organizational types, regardless of their level of cybersecurity sophistication. In response to comments received on the draft version, NIST expanded the CSF's core guidance and produced related resources to help users make the most of the framework.

A malicious campaign against Ukrainian entities based in Finland has been distributing the commercial Remote Access Trojan (RAT) named Remcos RAT through a malware loader called IDAT Loader. The attack, carried out by a threat actor known as UAC-0184, used steganography. IDAT Loader, which overlaps with another loader family called Hijack Loader, has recently been used to serve additional payloads such as DanaBot, SystemBC, and RedLine Stealer. A threat actor tracked as TA544 has also used it to deliver Remcos RAT and SystemBC in phishing attacks.

The Biden administration urges the technology industry to make secure products from the start, recently calling for increased use of memory-safe programming languages. The effort by the Office of the National Cyber Director (ONCD) seeks to reduce coding errors that enable attackers to exploit how software manages computer memory. These flaws can be used to compromise or corrupt data and execute malicious code.

Pikabot has returned with updates to its capabilities and components, as well as a new delivery campaign. It is a loader, primarily acting as a delivery mechanism for other malware. It first appeared in early 2023 and has since been widely used by threat actors to deliver payloads. Following the disruption of the Qakbot botnet, Pikabot surfaced as an alternative, becoming especially active in the second half of 2023. It was initially distributed through malspam and malvertising campaigns that promoted seemingly legitimate software like AnyDesk, Slack, and Zoom.