Promon research highlights a new malware strain called "Snowblind" targeting banking customers in Southeast Asia. The new malware disables Android banking apps' ability to detect malicious modifications, thus avoiding detection. Snowblind exploits accessibility services on apps, which have extensive permissions to interact with and modify app interfaces. According to Promon, Snowblind uses these services to access sensitive information, navigate the device, and more. This article continues to discuss findings regarding the Snowblind malware.

Levi's recently announced that tens of thousands of their customers may have had their accounts compromised after a credential stuffing attack.  The company noted that 72,231 individuals may have been impacted by the incident, which occurred on June 13.  After the credential stuffing attack was discovered, Levi's said that it promptly forced a password reset the same day for all user accounts that were accessed during the relevant time period.  If any accounts were compromised, the threat actors wouldn't have been able to take much.

According to security researchers at Defiant, malicious code injected over the past week in five WordPress plugins creates a new administrative account.  The code was discovered on Monday after the researchers learned that a threat actor had taken over the Social Warfare plugin and added the malicious code in recent versions.  The researchers noted that starting June 22, several versions of the plugin were released with the injected code inside.

The National Institute of Standards and Technology (NIST) has launched a collaborative project to adapt its digital identity guidelines to support public benefits programs, such as those that help beneficiaries pay for food, housing, and more. NIST, together with the Digital Benefits Network (DBN) at Georgetown University’s Beeck Center for Social Impact + Innovation and the nonprofit Center for Democracy & Technology (CDT), will develop resources to help providers balance security, privacy, equity, and usability.

"P2PInfect" is a worm that uses the Redis in-memory database application to spread across networks in a peer-to-peer, worm-like way, building a botnet in the process. When it was discovered about a year ago, it had not yet caused any significant damage. However, this is no longer the case, as, according to Cado Security, an update has been distributed globally across P2PInfect infections, including a brand new rootkit, cryptominer, and ransomware.

Threat actors are using a new attack method involving specially crafted Management Saved Console (MSC) files to gain full code execution through Microsoft Management Console (MMC) and dodge security defenses. Researchers at Elastic Security Labs named the approach "GrimResource." This article continues to discuss the findings regarding the GrimResource approach.

THN reports "New Attack Technique Exploits Microsoft Management Console Files"

Submitted by grigby1
 

A polyfill.io supply chain attack has affected over 100,000 websites after a Chinese company bought the domain and the script was modified to redirect users to malicious websites. A polyfill is code that adds modern functionality to older browsers that do not normally support it. Hundreds of thousands of websites use polyfill.io to let all visitors use the same codebase, even if their browsers do not support modern features. This article continues to discuss the polyfill.io supply chain attack.

Etay Maor, Chief Security Strategist at Cato Networks, provides his insights into threat actors faking data breaches. Most likely, hackers sell fake data to make more money, according to Maor. He compares it to a thief selling fake jewelry or watches. Other reasons may include earning notoriety, creating distractions, uncovering security processes, and more. This article continues to discuss why hackers may fake a data breach, how threat actors generate fake data, and what organizations can do to combat this threat of fake data breaches.

The Shadowserver Foundation warns that botnet attacks are exploiting a recently disclosed critical-severity vulnerability in discontinued Zyxel NAS devices. The code injection flaw can be exploited remotely without authentication. An attacker can exploit it by sending crafted HTTP POST requests to a vulnerable device for Remote Code Execution (RCE). Recently, the Shadowserver Foundation reported the first exploitation attempts by a Mirai-like botnet.

New fraud campaigns have used the "Medusa" banking Trojan, also known as "TangleBot." Cleafy researchers recently reported that this sophisticated malware family, first discovered in 2020, has returned with significant changes. This Remote Access Trojan (RAT) malware can perform keylogging, screen control, and SMS reading/writing, allowing threat actors to commit on-device fraud (ODF). This article continues to discuss findings regarding the new Medusa Trojan variant.