Security researchers have discovered a new cyber espionage group linked to Ukraine that has been active since at least January. They named the group "PhantomCore" and named the attackers' remote access malware "PhantomRAT." The hackers used a known vulnerability in the Windows file archiver tool WinRAR to launch attacks on unnamed Russian companies. Tracked as CVE-2023-38831, the bug was previously exploited by state-controlled hackers linked to Russia and China in early 2023 before being patched. This article continues to discuss findings regarding PhantomCore.

Implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will improve the US Cybersecurity and Infrastructure Security Agency's (CISA ) ability to use cybersecurity incident and ransomware payment information reported to the agency to identify patterns, fill information gaps, quickly release resources to help entities suffering from cyberattacks, and notify others who may be affected. When information about cyber incidents is shared quickly, CISA can use it to help other organizations avoid a similar incident.

The US Department of State has announced a $10 million bounty for information that will help law enforcement find anyone launching cyberattacks against American infrastructure on behalf of another country. The feds highlighted the BlackCat/ALPHV Ransomware-as-a-Service (RaaS) operation, which helped the adversary who compromised Change Healthcare and led to billions of dollars in damages. This article continues to discuss the bounty put up by the US for information to help crack down on the RaaS group's cyberattacks against US critical infrastructure.

Splunk recently announced security patches for its Enterprise product, including vulnerabilities that have been assigned a high severity rating.  One of the flaws, CVE-2024-29946, impacts the Dashboard Examples Hub in the Splunk Dashboard Studio app and can be exploited to bypass protections for risky Search Processing Language (SPL) commands. Splunk noted that this could let attackers bypass SPL safeguards for risky commands with the permissions of a highly privileged user in the Hub.

To mitigate a malware upload campaign, the Python Package Index (PyPI) repository's maintainers suspended user registration and the creation of new projects. Checkmarx warns that multiple malicious Python packages are being distributed using typosquatting methods. According to researchers, this is a multi-stage attack with a malicious payload aimed at stealing cryptocurrency wallets, sensitive data from browsers, and more. Researchers have also reported that the malicious payload uses a persistence mechanism to survive reboots.

A Linux version of "DinodasRAT," a multi-platform backdoor, has been discovered in the wild, with targets including China, Taiwan, Turkey, and Uzbekistan. DinodasRAT, also known as "XDealer," is a malware written in C++ that can gather sensitive information from compromised hosts. In October 2023, a government entity in Guyana was targeted as part of "Operation Jacana," a cyber espionage campaign aimed at deploying the Windows version of the implant.

Cisco has released a set of recommendations to help customers mitigate password-spraying attacks on Remote Access VPN (RAVPN) services running on Cisco Secure Firewall devices. The company revealed that the attacks have also targeted other remote access VPN services and appear to be part of a reconnaissance operation. In a password-spraying attack, an adversary tries the same password on multiple accounts to log in.

According to ReliaQuest, most cyberattacks against organizations are executed through employee social engineering, and criminals are using Artificial Intelligence (AI), to improve their techniques. The use of AI to accelerate attacks has become a hot topic in major cybercrime forums, with a growing interest in weaponizing the technology.

An Apple ID spearphishing campaign involving push bombing and caller ID spoofing recently targeted several technology professionals, including startup founders and cybersecurity professionals. Parth Patel, a software engineer and co-founder of a stealth technology startup, said that he and other startup founders in his circle had been targeted. Patel reported receiving a flurry of push notifications on all of his Apple devices, all requesting permission to reset his Apple ID password.

The US National Vulnerability Database (NVD) program manager, Tanya Brewer, has officially announced that the National Institute of Standards and Technology (NIST) will delegate some management responsibilities for the world's most popular software vulnerability repository to an industry consortium. NIST established the US NVD in 2005 and has continued to operate it since then. The NVD Consortium will help NIST with funding and feedback for future developments.