According to security researchers at Cisco Talos, a financially-motivated threat actor has been observed targeting organizations globally with a MedusaLocker ransomware variant.  Known as “BabyLockerKZ,” the variant has been around since at least late 2023, and this is the first time it has been specifically called out as a MedusaLocker variant.  The researchers noted that this variant uses the same chat and leak site URLs as the original MedusaLocker ransomware.

New international law enforcement actions have resulted in four arrests and the takedown of nine servers linked to the "LockBit" ransomware operation. According to Europol, the arrests included a suspected LockBit developer in France, two people in the UK believed to have supported an affiliate, and an administrator of a bulletproof hosting service in Spain used by the LockBit ransomware group. Authorities unmasked a Russian national named Aleksandr Ryzhenkov as one of the high-ranking Evil Corp cybercrime group members while also outing him as a LockBit affiliate.

Symantec threat analysts warns that the North Korean Advanced Persistent Threat (APT) group "Stonefly," also known as "APT45," continues to target US companies despite an indictment. Stonefly is linked to the Reconnaissance General Bureau (RGB), a North Korean military intelligence agency. Mandiant's threat analysts previously noted that APT45 relies on publicly available tools such as "3PROXY," malware modified from publicly available malware, and custom malware families. This article continues to discuss key findings regarding Stonefly. 

For at least three years, the Linux malware named "perfctl" has targeted Linux servers and workstations, evading detection with rootkits. According to Aqua Nautilus researchers, the malware likely targeted millions of Linux servers in recent years, possibly infecting several thousands. The perfctl malware is mainly deployed for cryptomining as compromised servers have been used to mine the Monero cryptocurrency, but the malware could easily be used for more harmful operations. This article continues to discuss findings regarding the perfctl Linux malware.

MITRE has announced the full release of the "EMB3D Threat Model," which now maps essential mitigations to security controls outlined in the Industrial Automation and Control Systems standard. EMB3D, announced in December 2023 and released in May 2024, provides information regarding cyber threats faced by embedded devices in critical infrastructure and other industries. The framework, aligned with CWE, ATT&CK, and CVE threat models, helps asset owners, operators, vendors, and security researchers secure embedded devices.

According to Egress, email phishing attacks increased 28 percent in the second quarter of 2024 compared to the first quarter, with attackers using effective methods to defeat defenses. Attackers often send phishing emails from familiar accounts to get around authentication protocols. From April to June 2024, 44 percent of attacks came from internally compromised accounts, with 8 percent coming from an account within the organization's supply chain. This article continues to discuss findings surrounding the surge in email phishing attacks.

Microsoft and the US government have seized more than 100 websites used by the Russian nation-state threat actor "Star Blizzard." A US court authorized Microsoft's Digital Crimes Unit (DCU) to disrupt 66 unique domains used by Star Blizzard to attack Microsoft customers. The US Department of Justice (DoJ) seized 41 more domains linked to the same actor. Star Blizzard may build new infrastructure, but the seizure of these domains will hinder its ability to influence the November US election. This article continues to discuss the disruption of Star Blizzard operations.

Sansec reports that multiple threat actors compromised over 4,000 online stores through the exploitation of a critical Adobe Commerce vulnerability named "CosmicSting." The vulnerability is an improper restriction of XML external entity reference (XXE). Adobe released a hotfix for the bug in July, warning of its exploitation in limited attacks, and the US Cybersecurity and Infrastructure Security Agency (CISA) added it to its Known Exploited Vulnerabilities (KEV) list.

Security researchers at Group-IB have discovered fake trading apps on Google Play and Apple's App Store that lure victims into "pig butchering" scams.  After being reported, the apps have been removed from the official Android and iOS stores after accumulating several thousand downloads.  Pig butchering is a scam where a victim is led to believe they are getting high investment returns on a fake trading platform that displays fabricated information.

Security researchers at Patchstack discovered a new vulnerability in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated attackers to inject malicious code into websites. The flaw impacts the plugin’s CSS queue generation process and affects over six million active installations. The vulnerability, tracked as CVE-2024-47374, is an unauthenticated stored XSS issue that could lead to privilege escalation or data theft. The researchers noted that it exploits the plugin’s “Vary Group” functionality, which controls cache variations based on user roles.