Brazil's Federal Police recently announced the arrest of a hacker whose description matches that of the notorious leaker known as USDoD.  USDoD, aka EquationCorp, has leaked significant amounts of information stolen from major organizations.  His targets include the FBI's InfraGard portal, Airbus, TransUnion, National Public Data (NPD), and CrowdStrike. In August, CrowdStrike and others independently determined that USDoD is a 33-year-old man identified as Luan B.G. and Luan G from the Brazilian state of Minas Gerais.

Cisco recently announced patches for eight vulnerabilities in the firmware of ATA 190 series analog telephone adapters, including two high-severity flaws leading to configuration changes and cross-site request forgery (CSRF) attacks.  The first high-severity flaw, CVE-2024-20458, impacts the web-based management interface of the firmware and exists because specific HTTP endpoints lack authentication, allowing remote, unauthenticated attackers to browse to a specific URL and view or delete configurations or modify the firmware.

According to Netskope Threat Labs, most of the attributable malware used in attacks on their customers over the past year is linked to state-backed groups.  The SASE provider based its findings on 12 months of data collected from customer environments, claiming the largest share of malware attacks came from North Korean groups, followed by China and Russia.  The Netskope findings would seem to validate warnings from the security services that state-backed cyber threats are spiraling out of control.

The National Security Agency (NSA), together with the Federal Bureau of Investigation (FBI), the US Cybersecurity and Infrastructure Security Agency (CISA), and others, has released a Cybersecurity Advisory (CSA) titled "Iranian Cyber Actors' Brute Force and Credential Access Activity Compromises Critical Infrastructure Organizations." The new CSA warns network defenders about malicious activity that can allow persistent access to sensitive systems.

The US Department of Justice (DoJ) has announced charges against two Sudanese nationals for their participation in Distributed Denial-of-Service (DDoS) attacks conducted by the hacker group named "Anonymous Sudan." Anonymous Sudan has targeted critical infrastructure, government organizations, and more with highly disruptive DDoS attacks. The cybercriminals also offered DDoS attack services to take down websites and online services. This article continues to discuss the DoJ's announcement of charges against Anonymous Sudan members and the disruption of their DDoS attack services.

The North Korean threat actor "ScarCruft" exploited a Windows security flaw to infect devices with the "RokRAT" malware. The flaw is a memory corruption bug in the Scripting Engine that enables Remote Code Execution (RCE) when using the Edge browser in Internet Explorer Mode. To exploit it, an attacker must convince a user to click on a specially crafted URL to execute the malicious code. This article continues to discuss findings regarding ScarCruft's delivery of RokRAT malware.

According to security researchers at Symantec, RansomHub is now the number one ransomware operation in terms of claimed successful attacks.  Overall, threat actors claimed 1255 attacks in the third quarter, down slightly from 1325 in Q2.    The researchers noted that RansomHub only became active in February this year but claimed top spot in Q3 with 191 victims posted to leak sites, up 155% on Q2's haul.

New variants of the Android banking trojan "TrickMo" have features for stealing a device's unlock pattern or PIN. According to Aazim Yaswant, a security researcher at Zimperium, these previously undocumented features allow the threat actor to operate on the device even when it is locked. TrickMo, first discovered in the wild in 2019, can grant remote control over infected devices, steal SMS-based One-Time Passwords (OTPs), and display overlay screens to capture credentials. This article continues to discuss findings regarding new TrickMo variants.

A critical vulnerability in Kubernetes could enable unauthorized SSH access to a Virtual Machine (VM) that is running an image created with Kubernetes Image Builder. The Kubernetes Image Builder project lets users create VM images for Cluster API (CAPI) providers running the Kubernetes environment, such as Proxmox or Nutanix. These VMs are used to set up nodes that will become part of a Kubernetes cluster. The vulnerability stems from default credentials being enabled during image-building and not being disabled after the process.

Etay Maor, Chief Security Strategist and founding member of the Cyber Threats Research Lab (CTRL) at Cato Networks, has highlighted how both defenders and attackers could use Artificial Intelligence (AI) in their operations. For example, Maor points out that AI models can be applied to augment human researchers and security products by generating a human-readable report of all security events and alerts with one button. Cybercriminals can conduct prompt injection attacks against AI models used in the analysis of malware code.