"Chemical Facilities Warned of Possible Data Exfiltration Following CISA Breach"

The US Cybersecurity and Infrastructure Security Agency (CISA) recently revealed that its Chemical Security Assessment Tool (CSAT) was breached by a malicious actor and warned chemical facilities that sensitive data may have been exfiltrated.  CISA noted that the attackers exploited a zero-day vulnerability in an Ivanti Connect Secure appliance to infiltrate CSAT from January 23 to 26, 2024.

Submitted by Adam Ekwall on

"Linux Version of RansomHub Ransomware Targets VMware ESXi VMs"

The "RansomHub" ransomware operation is using a Linux encryptor designed to encrypt VMware ESXi environments in attacks against organizations. RansomHub, a Ransomware-as-a-Service (RaaS) operation active since February 2024, has claimed over 45 victims in 18 countries and shares code with the "ALPHV/BlackCat" and "Knight" ransomware families. This article continues to discuss findings regarding RansomHub's ESXi encryptor.

Submitted by grigby1 CPVI on

"CDK Global Cyberattack Cripples 15,000 US Auto Dealerships"

A cyberattack on CDK Global, a Software-as-a-Service (SaaS) provider for car dealers and auto equipment manufacturers, has temporarily disrupted customer operations. CDK helps about 15,000 car dealerships in North America manage sales, customer relationships, financing, and other operations. Customers use locally installed apps to access the CDK platform. A cloud-based Software-Defined Wide Area Network (SD-WAN) and a Virtual Private Network (VPN) solution make 24/7 access to the platform and CDK data centers possible. This article continues to discuss the CDK Global cyberattack.

Submitted by grigby1 CPVI on

"Decade-Long Cyber Assault on Asian Telecoms Traced to Chinese State Hackers"

According to Symantec, telecommunications companies in an Asian country have been targeted with tools linked to Chinese espionage groups. Since 2021, the campaign has targeted telecommunications operators, a university in another country, and others with "Coolclient," "Quickheal," "Rainyday," and other malware. This article continues to discuss findings regarding the years-long espionage campaign that has targeted telecommunications companies in Asia with tools associated with Chinese groups.

Submitted by grigby1 CPVI on

"Cyber Threat Intelligence Pros Assess AI Threat Technology Readiness Levels"

Cyber defenders should prepare for cyberattacks enabled by Artificial Intelligence (AI). At the Infosecurity Europe 2024 conference, cyber threat intelligence professionals discussed which AI-powered cyber threats are being actively exploited, which are likely to emerge, and which are still potential threats. Trend Micro VP of threat intelligence Jon Clay said Large Language Model (LLM) tools enable threat actors to write clear phishing emails and deliver them in different languages. Some LLM tools let them embed URLs in messages.

Submitted by grigby1 CPVI on

"Highly Evasive SquidLoader Malware Targets China"

A malware loader called "SquidLoader" is linked to an unknown threat actor that has targeted Chinese-speaking victims for two years, LevelBlue Labs reports. LevelBlue Labs believes SquidLoader was active for at least a month before its discovery at the end of April. The threat actor using it has long targeted entities in China. Recently observed attacks start with phishing emails delivering malware loaders disguised as documents for Chinese organizations. When the loaders are executed, they fetch shellcode payloads and execute them in the loader process's memory.

Submitted by grigby1 CPVI on

"French Diplomatic Entities Targeted by Russian-Aligned Nobelium"

The French cybersecurity agency ANSSI reports that the Russian-aligned threat actor "Nobelium" has targeted French diplomatic entities and public organizations since 2021. The French agency said the threat actor participated in at least five coordinated campaigns between 2021 and 2024. Nobelium has targeted the French Ministry of Culture, the French Ministry of Foreign Affairs, the National Agency for Territorial Cohesion (ANCT), and several French embassies.

Submitted by grigby1 CPVI on

"LockBit Most Prominent Ransomware Actor in May 2024"

According to security researchers at the NCC Group, the notorious LockBit group has reemerged to become the most prominent ransomware actor in May 2024.  The researchers noted that LockBit 3.0 returned to the fold in May to launch 176 ransomware attacks, 37% of the total number for the month.  This represents an enormous 665% month-on-month increase for the ransomware-as-a-service (RaaS) gang.  LockBit’s activity in May was higher than the next most prominent groups: Play, which was responsible for 32 attacks (7%), and RansomHub with 22 attacks (5%).

Submitted by Adam Ekwall on

"New Rust-based Fickle Malware Uses PowerShell for UAC Bypass and Data Exfiltration"

"Fickle Stealer," a new Rust-based information stealer malware, is delivered via multiple attack chains to steal sensitive data from compromised hosts. Fortinet FortiGuard Labs said it knows of four distribution methods, some of which use a PowerShell script to bypass User Account Control (UAC) and execute Fickle Stealer. The script periodically sends the victim's country, city, IP address, operating system version, computer name, and username to the attacker's Telegram bot. This article continues to discuss findings regarding the Fickle Stealer malware.

Submitted by grigby1 CPVI on

"Hundreds of PC, Server Models Possibly Affected by Serious Phoenix UEFI Vulnerability"

Phoenix Technologies' SecureCore UEFI firmware solution has a high-severity vulnerability that could affect hundreds of PC and server models using Intel processors. Researchers at Eclypsium discovered the vulnerability, called "UEFIcanhazbufferoverflow," using an automated analysis system. A local attacker can use the flaw to escalate privileges and execute arbitrary code in the UEFI firmware at runtime. Eclypsium warned that the Black Lotus UEFI rootkit may exploit this vulnerability.

Submitted by grigby1 CPVI on