"Cyberattackers Exploit Google Sheets for Malware Control in Likely Espionage Campaign"

According to Proofpoint researchers, the Command-and-Control (C2) mechanism of a new malware campaign uses Google Sheets. The activity, detected by Proofpoint on August 5, 2024, impersonates tax authorities from Europe, Asia, and the US to target over 70 organizations worldwide through "Voldemort." This custom tool gathers information and delivers payloads. Insurance, aerospace, transportation, academia, finance, technology, and other sectors have been targeted. This article continues to discuss the new malware campaign involving the use of Google Sheets.

Submitted by grigby1 CPVI on

"Threat Actor Lures Victims to Malware-Laden VPN Page via Call, Text"

A social engineering campaign targeting over 130 US companies sends employees to a fake malware-laden Virtual Private Network (VPN) page, exploiting concerns about a VPN issue. According to GuidePoint Research and Intelligence Team (GRIT) researchers, the threat actor calls a user on their cell phone and poses as a help desk representative trying to fix a VPN log-in issue. If the threat actor tricks the user, they send an SMS link to a malicious VPN site that masquerades as a legitimate vendor. This article continues to discuss findings regarding the new social engineering campaign.

Submitted by grigby1 CPVI on

"North Korean Hackers Launch New Wave of npm Package Attacks"

Researchers at Phylum have discovered a coordinated campaign involving North Korea-linked threat groups targeting the npm ecosystem. The campaign started on August 12, 2024, with the publication of malicious npm packages aimed at infiltrating developer environments and stealing sensitive data. The packages use sophisticated tactics like multi-stage obfuscated JavaScript to download additional malware from remote servers. The malware contains Python scripts and a full Python interpreter that look for data in cryptocurrency wallet browser extensions.

Submitted by grigby1 CPVI on

"US Government Issues Advisory on Ransomware Group Blamed for Halliburton Cyberattack"

The US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory on the "RansomHub" ransomware group, which is suspected of attacking the oil giant Halliburton. On August 21, Halliburton, the world's second-largest oil service company, disclosed in an SEC filing that a third party had accessed some of its systems. The incident response steps described by the company suggested a ransomware attack.

Submitted by grigby1 CPVI on

"APT29 Watering Hole Attacks Used Spyware Exploits"

The Russian-based APT29 group used the same iOS and Google Chrome exploits as NSO Group and Intellexa in an espionage campaign against the Mongolian government. According to the researchers who discovered the campaign, it is still unclear how the APT group got the exploit. Three attacks linked "with moderate confidence" to APT29 in November 2023, February 2024, and July 2024 used the exploits. The campaigns involved watering hole attacks on Mongolian government websites. The threat actors compromised the websites and loaded a hidden iframe.

Submitted by grigby1 CPVI on

"Researcher Sued for Sharing Data Stolen by Ransomware With Media"

The City of Columbus, Ohio, has taken legal action against a security researcher for illegally downloading and distributing data stolen and leaked by the "Rhysida" ransomware gang from the City's Information Technology (IT) network. On July 18, 2024, a ransomware attack on Columbus, Ohio's capital and most populous city, caused service outages. Rhysida ransomware claimed responsibility for stealing 6.5 TB of databases, including employee credentials, server dumps, city video camera feeds, and other sensitive data.

Submitted by grigby1 CPVI on

"Fortra Patches Critical Vulnerability in FileCatalyst Workflow"

Cybersecurity solutions provider Fortra recently announced patches for two vulnerabilities in FileCatalyst Workflow, including a critical severity flaw involving leaked credentials. The critical issue is tracked as CVE-2024-6633 (CVSS score of 9.8) and exists because the default credentials for the setup HSQL database (HSQLDB) had been published in a vendor knowledge base article.

Submitted by Adam Ekwall on

"California Advances Landmark Legislation to Regulate Large AI Models"

There are currently efforts in California to establish first-in-the-nation safety measures for the largest artificial intelligence systems. The proposal, aiming to reduce potential risks created by AI, would require companies to test their models and publicly disclose their safety protocols to prevent them from being manipulated. The bill is among hundreds that lawmakers are voting on during the final week of the session. Gov. Gavin Newsom then has until the end of September to decide whether to sign them into law, veto them, or allow them to become law without his signature.

Submitted by Adam Ekwall on

"Unpatched CCTV Cameras Exploited to Spread Mirai Variant"

Security researchers at Akamai recently warned that an unpatched vulnerability found in CCTV cameras commonly used in critical infrastructure is being actively exploited to spread a Mirai variant malware. The command injection vulnerability, CVE-2024-7029, is found in the brightness function of AVTECH CCTV cameras and allows for remote code execution (RCE). The vulnerability was highlighted in a Cybersecurity and Infrastructure Security Agency (CISA) industrial control system (ICS) advisory in August 2024.

Submitted by Adam Ekwall on

"Published Vulnerabilities Surge by 43%"

According to security researchers at Forescout, published vulnerabilities rose by 43% in H1 2024 compared to H1 2023, with attackers heavily targeting flaws in virtual private networks (VPNs) and other perimeter devices for initial access. The researchers noted that 23,668 vulnerabilities were reported in the first six months of 2024, with an average of 111 new CVEs per day. The majority of published vulnerabilities in H1 2024 had either a medium (39%) or low (25%) severity score (CVSS), while just 9% had a critical score.

Submitted by Adam Ekwall on