"Ransomware Surges Annually Despite Law Enforcement Takedowns"

Symantec reports that in the first quarter of 2024, successful ransomware attacks advertised on leak sites increased 9 percent despite high-profile law enforcement takedowns of major groups. The security vendor reported 962 claimed attacks in the first quarter of 2024, down from 1,190 in the previous three months but up from 886 in 2023. In December 2023 and February 2024, global law enforcement went after the "ALPHV/BlackCat" and "LockBit" groups. This article continues to discuss the increase in ransomware despite law enforcement disruptions.

Submitted by grigby1 CPVI on

"GitLab Ships Update for Critical Pipeline Execution Vulnerability"

GitLab has made security updates that address six vulnerabilities in GitLab Community Edition (CE) and Enterprise Edition (EE), including a critical-severity bug. The bug tracked as CVE-2024-6385, with a CVSS score of 9.6, allows an attacker to trigger a pipeline as another user. Contrast Security CISO David Lindner warns that the exploitation of the bug could enable attackers to run malicious code, access sensitive data, and compromise software integrity.

Submitted by grigby1 CPVI on

"Dallas County: Data of 200,000 Exposed in 2023 Ransomware Attack"

Dallas County is notifying over 200,000 people that the Play ransomware attack in October 2023 exposed their personal data to cybercriminals. In October 2023, the Play ransomware gang added Dallas to its extortion portal on the dark web, threatening to leak data it stole during an attack on the county's systems, including private documents from various departments. Because the county's investigation into the incident was taking a long time to complete, it created a dedicated call center in January 2024 to help answer people's questions.

Submitted by Adam Ekwall on

"Advance Auto Parts Data Breach Impacts 2.3 Million People"

Advance Auto Parts started to send data breach notifications to over 2.3 million people whose personal data was stolen in recent Snowflake data theft attacks. The company said that on June 5, 2024, a threat actor known as "Sp1d3r" began selling a massive 3TB database allegedly containing 380 million Advance Auto Parts customer records, orders, transaction details, and other sensitive information. On June 19, the company confirmed the breach via a Form 8-K filing but said it only impacts current and former employees and job applicants.

Submitted by Adam Ekwall on

"CRYSTALRAY Hacker Expands to 1,500 Breached Systems Using SSH-Snake Tool"

According to researchers at Sysdig, the new threat actor called "CRYSTALRAY" now has over 1,500 victims. The threat actor has stolen credentials and deployed cryptocurrency miners. In February, Sysdig researchers first reported the actor's use of the "SSH-Snake" open source worm to spread laterally on breached networks. SSH-Snake steals SSH private keys from compromised servers and then uses them to move laterally to other servers while dropping additional payloads. This article continues to discuss recent findings regarding the CRYSTALRAY threat actor.

Submitted by grigby1 CPVI on

"PHP Vulnerability Exploited to Spread Malware and Launch DDoS Attacks"

A recently disclosed PHP security flaw has been used to deliver Remote Access Trojans (RATs), cryptocurrency miners, and Distributed Denial-of-Service (DDoS) botnets. The vulnerability, tracked as CVE-2024-4577, with a CVSS score of 9.8, enables an attacker to remotely execute malicious commands on Windows systems using Chinese and Japanese language locales. According to Akamai researchers, exploiting the vulnerability lets attackers escape the command line and pass arguments that are interpreted directly by PHP.

Submitted by grigby1 CPVI on

"CISA, FBI Urge Immediate Action on OS Command Injection Vulnerabilities in Network Devices"

The US Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have released a joint alert about the exploitation of OS command injection vulnerabilities in network edge devices. In response to recent intrusions exploiting vulnerabilities that impact Cisco NX-OS, Palo Alto Networks PAN-OS, and Ivanti Connect Secure, business leaders and device manufacturers are urged to eliminate OS command injection vulnerabilities at the source.
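The alert's advice to eliminate OS command injection "at the source" comes down to one design rule: user-controlled input must never be interpreted by a shell. The following added example (my own illustration, not code from the CISA/FBI alert or from any of the named vendors) assumes a hypothetical service that pings a caller-supplied host. It places the classic vulnerable pattern (building a shell string) beside the hardened one (an allowlist check followed by an argument vector with no shell), and includes a small helper that shows which shell operators a crafted input would smuggle into the vulnerable form, so the difference can be checked rather than argued.

```python
import re
import shlex
import subprocess
from ipaddress import ip_address

# Allowlist for the one kind of value this endpoint accepts: an IP literal or an
# RFC 1123 hostname. Hypothetical validator written for this example; anything
# that is not a plain host (shell metacharacters, spaces, leading '-') is rejected.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def is_valid_target(host: str) -> bool:
    """True only for an IP literal or a syntactically valid hostname."""
    try:
        ip_address(host)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(host))


def build_ping_vulnerable(host: str) -> str:
    # VULNERABLE PATTERN (kept here only for contrast): the caller's input is
    # spliced into a string that will be handed to a shell, so the shell, not
    # ping, decides where the command ends.
    return f"ping -c 1 {host}"


def shell_control_tokens(command: str) -> list[str]:
    """Tokens a POSIX shell would treat as control operators in `command`.

    shlex with punctuation_chars=True tokenises the string roughly the way a
    shell does, splitting out ; & | ( ) < > as separate tokens. A non-empty
    result means the input escaped the single argument it was meant to be.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if tok and tok[0] in lexer.punctuation_chars]


def build_ping_safe(host: str) -> list[str]:
    """Hardened pattern: validate against an allowlist, then build an argv list.

    The list is passed to the OS directly (shell=False), so no character in
    `host` is ever interpreted as a shell operator; the allowlist additionally
    blocks option injection such as a host that begins with '-'.
    """
    if not is_valid_target(host):
        raise ValueError(f"rejected target: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping_safe(host: str, timeout: float = 5.0) -> int:
    """Run the hardened command; returns the process exit status."""
    argv = build_ping_safe(host)
    # shell=False is the default, stated explicitly to make the intent visible.
    result = subprocess.run(argv, shell=False, capture_output=True, timeout=timeout)
    return result.returncode


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying a shell separator.
    for candidate in ("127.0.0.1", "127.0.0.1; id"):
        cmd = build_ping_vulnerable(candidate)
        print(f"{cmd!r:32} shell operators seen: {shell_control_tokens(cmd)}")
        try:
            print("  hardened argv:", build_ping_safe(candidate))
        except ValueError as exc:
            print("  hardened path:", exc)
```

The two defences are independent and both are worth keeping: the argument vector removes the shell from the picture entirely, while the allowlist stops the remaining class of problems (option injection, oversized or malformed values) that no amount of quoting addresses. Reviewing code for `shell=True`, `os.system`, or string-built commands fed to `subprocess` is a quick way to find the vulnerable pattern in an existing code base.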

Submitted by grigby1 CPVI on

"Huione Guarantee Marketplace Exposed as Front for Cybercrime"

Cryptocurrency investigators at Elliptic have claimed a popular online marketplace in Southeast Asia is actually being used primarily by money launderers and fraudsters. The investigators claimed that Huione Guarantee is part of Cambodian conglomerate Huione Group, which is owned by the cousin of current prime minister Hun Manet. Merchants on the marketplace, launched in 2021 apparently as a place to trade legitimate goods like property and cars, have pulled in at least $11bn over the past three years.

Submitted by Adam Ekwall on

"VMware Patches Critical SQL-Injection Flaw in Aria Automation"

VMware recently pushed out patches for a high-risk SQL injection vulnerability in its Aria Automation product and warned that an authenticated malicious user could target the flaw to manipulate databases. The company noted that the vulnerability, tracked as CVE-2024-22280, allows for unauthorized read and write operations in the database through specially crafted SQL queries. The bug carries a CVSS severity score of 8.5/10. The affected products include VMware Aria Automation version 8.x and VMware Cloud Foundation versions 5.x and 4.x.

Submitted by Adam Ekwall on

"NSA Joins in Releasing Case Studies Showing PRC Tradecraft in Action"

The National Security Agency (NSA) joins the Australian Signals Directorate (ASD) and other agencies in publishing a Cybersecurity Advisory (CSA) titled "PRC MSS Tradecraft in Action." It delves into the tradecraft of a cyber actor group associated with the People's Republic of China (PRC) Ministry of State Security (MSS). The CSA aims to help cybersecurity professionals prevent, identify, and remediate network intrusions by sharing case studies of the adversary's tactics and techniques. This article continues to discuss the CSA on "PRC MSS Tradecraft in Action."

Submitted by grigby1 CPVI on