For nearly two months, malicious JavaScript code hidden within a Tornado Cash governance proposal has been leaking deposit notes and data to a private server. Tornado Cash is a decentralized, open-source mixer on the Ethereum blockchain that ensures transaction privacy through non-custodial, trustless, and serverless anonymization. Governance proposals in Decentralized Autonomous Organizations (DAOs) such as Tornado Cash are important mechanisms for establishing strategic directions, presenting updates, and changing the core of technical protocols.

The Rhysida ransomware gang is demanding $3.4 million after attacking Lurie Children's Hospital, forcing staff to use manual processes to take care of patients. The Rhysida Ransomware-as-a-Service (RaaS) group, which emerged in May 2023 and has previously disrupted 16 hospitals in the US, has now added Lurie Children's Hospital to its darknet extortion site. The hospital is one of the largest pediatric healthcare organizations in the Midwest, serving 239,000 children annually and treating more children with cancer and blood disorders than any other hospital in Illinois.

Canadian authorities recently were scrambling to respond to cyberattacks targeting the Royal Canadian Mounted Police (RCMP) and Global Affairs Canada.

According to security researchers at Guardio, thousands of domains, many once owned by major companies, have been abused to get millions of emails past spam filters.  The researchers came across a significant campaign dubbed SubdoMailing and attributed it to a threat actor named ResurrecAds.  The researchers reported identifying roughly 8,800 hijacked domains, specifically over 13,000 associated subdomains, being used to send out approximately five million emails per day.  The researchers noted that the number of abused domains is growing by the hundreds every day.

The National Institute of Standards and Technology (NIST) has updated the Cybersecurity Framework (CSF), its widely used guidance document for reducing cybersecurity risk. The 2.0 edition is for all audiences, industry sectors, and organizational types, regardless of their level of cybersecurity sophistication. In response to comments received on the draft version, NIST expanded the CSF's core guidance and produced related resources to help users make the most of the framework.

A malicious campaign against Ukrainian entities based in Finland has been distributing the commercial Remote Access Trojan (RAT) named Remcos RAT through a malware loader called IDAT Loader. The attack, carried out by a threat actor known as UAC-0184, used steganography. IDAT Loader, which overlaps with another loader family called Hijack Loader, has recently been used to serve additional payloads such as DanaBot, SystemBC, and RedLine Stealer. A threat actor tracked as TA544 has also used it to deliver Remcos RAT and SystemBC in phishing attacks.

The Biden administration urges the technology industry to make secure products from the start, recently calling for increased use of memory-safe programming languages. The effort by the Office of the National Cyber Director (ONCD) seeks to reduce coding errors that enable attackers to exploit how software manages computer memory. These flaws can be used to compromise or corrupt data and execute malicious code.

Pikabot has returned with updates to its capabilities and components, as well as a new delivery campaign. It is a loader, primarily acting as a delivery mechanism for other malware. It first appeared in early 2023 and has since been widely used by threat actors to deliver payloads. Following the disruption of the Qakbot botnet, Pikabot surfaced as an alternative, becoming especially active in the second half of 2023. It was initially distributed through malspam and malvertising campaigns that promoted seemingly legitimate software like AnyDesk, Slack, and Zoom.

Less than a week after law enforcement hacked the LockBit gang's servers, the group relaunched its ransomware operation on a new infrastructure, threatening to target the government sector more often. The gang published a message about their negligence in allowing the breach and future plans for the operation in a message under a mock-up FBI leak. On February 19, authorities shut down LockBit's infrastructure, which included 34 servers hosting the data leak website, data stolen from victims, cryptocurrency addresses, decryption keys, and more.