"Domains Once Owned by Major Firms Help Millions of Spam Emails Bypass Security"

According to security researchers at Guardio, thousands of domains, many once owned by major companies, have been abused to get millions of emails past spam filters. The researchers came across a significant campaign dubbed SubdoMailing and attributed it to a threat actor named ResurrecAds. They reported identifying roughly 8,800 hijacked domains and over 13,000 associated subdomains being used to send approximately five million emails per day. The researchers noted that the number of abused domains is growing by the hundreds every day.

Submitted by Adam Ekwall on

"NIST Releases Version 2.0 of Landmark Cybersecurity Framework"

The National Institute of Standards and Technology (NIST) has updated the Cybersecurity Framework (CSF), its widely used guidance document for reducing cybersecurity risk. The 2.0 edition is for all audiences, industry sectors, and organizational types, regardless of their level of cybersecurity sophistication. In response to comments received on the draft version, NIST expanded the CSF's core guidance and produced related resources to help users make the most of the framework.

Submitted by Gregory Rigby on

"New IDAT Loader Attacks Using Steganography to Deploy Remcos RAT"

A malicious campaign against Ukrainian entities based in Finland has been distributing the commercial Remote Access Trojan (RAT) named Remcos RAT through a malware loader called IDAT Loader. The attack, carried out by a threat actor known as UAC-0184, used steganography. IDAT Loader, which overlaps with another loader family called Hijack Loader, has recently been used to serve additional payloads such as DanaBot, SystemBC, and RedLine Stealer. A threat actor tracked as TA544 has also used it to deliver Remcos RAT and SystemBC in phishing attacks.

Submitted by Gregory Rigby on

"After Decades of Memory-Related Software Bugs, White House Calls on Industry to Act"

The Biden administration is urging the technology industry to build secure products from the start, recently calling for increased use of memory-safe programming languages. The effort by the Office of the National Cyber Director (ONCD) seeks to reduce the coding errors that let attackers exploit how software manages computer memory. These flaws can be used to compromise or corrupt data and execute malicious code.

Submitted by Gregory Rigby on

"Pikabot Returns With New Tricks up Its Sleeve"

Pikabot has returned with updates to its capabilities and components, as well as a new delivery campaign. It is a loader, primarily acting as a delivery mechanism for other malware. It first appeared in early 2023 and has since been widely used by threat actors to deliver payloads. Following the disruption of the Qakbot botnet, Pikabot surfaced as an alternative, becoming especially active in the second half of 2023. It was initially distributed through malspam and malvertising campaigns that promoted seemingly legitimate software like AnyDesk, Slack, and Zoom.

Submitted by Gregory Rigby on

"LockBit Ransomware Returns, Restores Servers After Police Disruption"

Less than a week after law enforcement hacked the LockBit gang's servers, the group relaunched its ransomware operation on new infrastructure, threatening to target the government sector more often. In a message posted under a mock-up FBI leak entry, the gang discussed its own negligence in allowing the breach and its future plans for the operation. On February 19, authorities shut down LockBit's infrastructure, which included 34 servers hosting the data leak website, data stolen from victims, cryptocurrency addresses, decryption keys, and more.

Submitted by Gregory Rigby on

"Steel Giant ThyssenKrupp Confirms Cyberattack on Automotive Division"

Steel giant ThyssenKrupp recently announced that hackers breached systems in its Automotive division, forcing it to shut down IT systems as part of its response and containment effort. ThyssenKrupp AG is one of the world's largest steel producers, employing over 100,000 personnel and reporting annual revenue of over $44.4 billion (2022). The firm is a crucial component of the global supply chain for products that use steel as a material across various sectors, including machinery, automotive, elevators and escalators, industrial engineering, renewable energy, and construction.

Submitted by Adam Ekwall on

"Russian Cyber Actors Target Cloud-Hosted Infrastructure"

The National Security Agency (NSA), together with the UK National Cyber Security Centre (NCSC-UK) and other partners, has released a Cybersecurity Advisory (CSA) titled "SVR Cyber Actors Adapt Tactics for Initial Cloud Access." The CSA describes how Russia-based cyber actors are changing their tactics, techniques, and procedures (TTPs) to infiltrate and access intelligence in cloud environments. The cyber actors, known as APT29, Midnight Blizzard, the Dukes, or Cozy Bear, are believed to be linked to the Russian foreign intelligence service (SVR).

Submitted by Gregory Rigby on