Threat alerts
Stay informed about the latest threats and vulnerabilities
Threat alert
March 19, 2025
Lazarus, MassJacker Malware, StilachiRAT & the Rise of Cryptocurrency Scams
The cryptocurrency world has suffered from increasing cyberattacks targeting exchanges, users, and wallets. One of the most notable recent incidents was the Bybit hack, allegedly orchestrated by the infamous Lazarus group. As the industry expands, the number of crypto scams increases, with criminals adapting their sophisticated tactics to deceive users and steal funds. From phishing attacks to fake ICOs, Ponzi schemes, and rug pulls, the range of scams is broad.
September 3, 2025
Threat alert
March 5, 2025
Black Basta Leaked Chats, BackConnect Malware & VMware vulnerabilities
In recent weeks, internal communications from the Black Basta ransomware group have been leaked, revealing crucial information about their tactics, techniques, and the vulnerabilities they exploit during attacks. Security vendors and researchers have since analysed these communications, and one of the most notable findings is a list of 62 CVEs (Common Vulnerabilities and Exposures) that Black Basta has used and continues to exploit in its operations. Separately, VMware has released a new advisory on critical vulnerabilities found in VMware ESXi, Fusion, and other tools.
September 5, 2025
Threat alert
February 19, 2025
Storm-2372: Targeting Microsoft Device Code Authentication
A new phishing campaign, attributed to a threat actor known as Storm-2372, is targeting Microsoft accounts across multiple sectors. Microsoft’s Threat Intelligence Centre believes that Storm-2372 is linked to a nation-state operation that aligns with Russian interests, based on their tradecraft, victimology, and tactics.
September 5, 2025
Threat alert
January 31, 2025
Lumma Infostealer: Delivering Malware via Fake CAPTCHA Pages
In recent years, researchers have observed a surge in information-stealing (infostealer) malware and in its level of sophistication. An infostealer's purpose is to gather sensitive information such as financial data, or data stored on a device such as credentials, browser and cookie data, documents, and machine details.
September 5, 2025
Threat alert
January 22, 2025
Microsoft patches Windows OLE Vulnerability (CVE-2025-21298) and Sophos Highlights Office 365 Threats
In the last Patch Tuesday, Microsoft addressed a high-severity vulnerability in Microsoft Outlook that could allow attackers to execute remote code via maliciously crafted emails. Separately, Sophos has observed threat actors leveraging the Office 365 suite in attacks such as email bombing, IT impersonation on Teams, and remote control via Quick Assist.
September 5, 2025
Threat alert
January 9, 2025
CVE-2025-0282 & CVE-2025-0283: Ivanti Zero-Day Vulnerabilities
Ivanti disclosed two critical zero-day vulnerabilities affecting its Connect Secure, Policy Secure, and Neurons for ZTA gateways. While the researchers have yet to link the attacks to any advanced persistent threat (APT) group, they have identified several malware samples on compromised systems, including the SPAWN ecosystem of malware as well as newly discovered malware such as a credential harvesting tool called DRYHOOK and a dropper called PHASEJAM.
September 5, 2025
Threat alert
December 11, 2024
Salt Typhoon: Chinese APT Group Targeting Telco Companies
In 2024, the threat actor Salt Typhoon (also known as "Earth Estries", "GhostEmperor", "FamousSparrow", and "UNC2286") was attributed a series of cyber-attacks targeting U.S. telecommunications companies. The group's primary focus is cyberespionage, and it is notorious for targeting government entities as well as global organisations, including those in the telecommunications sector. Salt Typhoon exploits internet-facing systems, uses living-off-the-land binaries (LOLBINs) such as WMIC.exe and PSEXEC.exe for lateral movement, and deploys customised malware to establish and maintain persistence.
September 5, 2025
Threat alert
December 11, 2024
Critical Security Updates Released for Ivanti Cloud Services Application (CSA) and Connect Secure Products
Ivanti has issued critical security updates to address multiple vulnerabilities in its Cloud Services Application (CSA) and Connect Secure products. These flaws, if exploited, could lead to privilege escalation and remote code execution (RCE), posing significant risks to organizations relying on these tools.
September 5, 2025
Threat alert
November 19, 2024
CVE-2024-0012: Critical Authentication Bypass Vulnerability in PAN-OS
Palo Alto Networks has identified a critical authentication bypass vulnerability (CVE-2024-0012) affecting its PAN-OS software. This flaw allows unauthenticated attackers with network access to the management web interface to gain administrator privileges. Attackers can then perform administrative actions and manipulate configurations.
September 5, 2025