"Behind the Scenes of Matveev's Ransomware Empire: Tactics and Team"

Cybersecurity researchers at PRODAFT have detailed the inner workings of the ransomware operation led by Mikhail Pavlovich Matveev, a Russian national indicted earlier this year by the US government for his alleged role in executing thousands of attacks worldwide. Matveev, who goes by the aliases Wazawaka, m1x, Boriselcin, Uhodiransomwar, Orange, and waza, is alleged to have played a major role in the development and distribution of LockBit, Babuk, and Hive ransomware variants since at least June 2020.

Submitted by grigby1 CPVI on

"Attackers Exploit 6-Year-Old Microsoft Office Bug to Spread Spyware"

In an email campaign characterized by sophisticated evasion tactics, attackers are exploiting a 6-year-old Microsoft Office Remote Code Execution (RCE) flaw to deliver spyware. According to Zscaler, the threat actors use business-related lures in spam emails that carry attachments exploiting the RCE flaw. The attackers' ultimate goal is to load Agent Tesla, a Remote Access Trojan (RAT) and advanced keylogger first discovered in 2014, and to exfiltrate credentials and other data from the infected system through their Telegram bot.

Submitted by grigby1 CPVI on

"Mozilla Patches Firefox Vulnerability Allowing Remote Code Execution, Sandbox Escape"

Mozilla recently announced security updates for Firefox and Thunderbird to address 20 vulnerabilities, including several memory safety issues. Firefox 121 was released with patches for 18 vulnerabilities, five of which have a high severity rating. The most severe vulnerability is CVE-2023-6856, a heap buffer overflow bug in WebGL, the JavaScript API for rendering interactive graphics within the browser. This vulnerability could allow an attacker to perform remote code execution and sandbox escape.

Submitted by Adam Ekwall on

"8220 Gang Exploits Old Oracle WebLogic Vulnerability to Deliver Infostealers, Cryptominers"

According to the Imperva Threat Research team, the 8220 gang has been exploiting an old Oracle WebLogic Server vulnerability, tracked as CVE-2020-14883, to spread malware. The 8220 gang has been active since 2017, deploying cryptocurrency miners on Linux and Windows hosts by exploiting known vulnerabilities. The group uses publicly available exploits that target well-known vulnerabilities. Although they are considered unsophisticated, the group is constantly changing tactics to avoid detection.

Submitted by grigby1 CPVI on

"German Police Takes Down Kingdom Market Cybercrime Marketplace"

The Federal Criminal Police Office in Germany and the Frankfurt-based unit for combating Internet crime have announced the shutdown of a dark web marketplace called Kingdom Market that distributed cybercrime tools, fake government IDs, and more. Authorities from the US, Switzerland, Moldova, and Ukraine were also involved in the law enforcement operation against the marketplace. Kingdom Market was an English-language dark web marketplace that had been operating since March 2021.

Submitted by grigby1 CPVI on

"Cyber-Incident Costs Surge 11% as Budgets Remain Muted"

According to security researchers at S-RM, the average direct cost of a serious cybersecurity incident increased by 11% year-on-year to reach $1.7m in 2023. The researchers polled 600 C-suite and IT budget holders from US and UK organizations with revenues over $500m to produce their 2023 Cybersecurity Insights Report. The researchers found that the most common incident types were fraud, third-party compromise, and data exfiltration, although these varied by sector.

Submitted by Adam Ekwall on

"3,500 Arrested, $300 Million Seized in International Crackdown on Online Fraud"

Interpol recently announced that as part of an international effort to tackle online financial fraud, authorities in 34 countries have arrested approximately 3,500 suspects and seized roughly $300 million worth of assets. The six-month operation, named HAECHI IV, targeted business email compromise (BEC), e-commerce fraud, investment fraud, voice phishing, and money laundering associated with illegal online gambling, romance scams, and online sextortion schemes.

Submitted by Adam Ekwall on

"A Study From IMDEA Software Researchers Reveals Hidden Fortunes and Surprising Overestimations in Cybercrime Revenue"

It was unclear how methodological limitations and incomplete data affected revenue estimates of cybercriminal groups using the Bitcoin blockchain. A new study by IMDEA Software Institute researchers calls into question existing estimates of cybercriminals' Bitcoin earnings. The study, titled "Cybercrime Bitcoin Revenue Estimations: Quantifying the Impact of Methodology and Coverage," delves into the full scale of the financial impact of cybercriminal activity.

Submitted by grigby1 CPVI on

"Web Injections Are Back on the Rise: 40+ Banks Affected by New Malware Campaign"

Web injections, a popular technique used by various banking trojans, remain a threat. Malicious injections allow cybercriminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive data. IBM Security Trusteer researchers discovered a new malware campaign involving JavaScript web injections in March 2023. The campaign is widespread and evasive, with historical Indicators of Compromise (IOCs) suggesting a possible link to DanaBot.

Submitted by grigby1 CPVI on

"Generative AI Making It Harder to Spot Fraudulent Emails"

Cybercriminals are using generative Artificial Intelligence (AI) to evade email security solutions and deceive employees. According to Mike Britton, CISO of Abnormal Security, generative AI makes detecting email attacks more difficult. Before the generative AI breakthrough, cybercriminals relied on fixed formats or templates to create malicious campaigns, so many attacks shared common Indicators of Compromise (IOCs) that made them detectable by traditional security software.

Submitted by grigby1 CPVI on