Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.
Threat actor group Lazarus has crafted a new backdoor used in operations targeting the aerospace industry. “LightlessCan” is a RAT, and Lazarus members are spreading it by impersonating Meta recruiters on LinkedIn. The actors send targets “coding challenges” framed as part of “a job interview”; victims download and run them on both their company and personal devices, spreading the malware. Read full article.
Magecart is inserting malicious code into the HTML pages of various websites, with a focus on the food and retail industries. Magecart is an umbrella term; the collective is composed of several different criminal actor groups who employ skimming and custom malware to steal PII and financial information from ecommerce websites. One of Magecart’s skimmers, Kritec, successfully impersonated third-party vendors like Google Tag in the spring of 2023. Article here.
Akira actors first used stolen VPN credentials from a third-party contractor’s account to access BHI’s internal networks. The same account was then used to conduct continued reconnaissance of the internal network. It took the actors just over a week (nine days) to take 767,000 files/690 GB of data. Exposed data included full names, SSNs, DOBs, and other PII of BHI customers. Read more.
The Ukrainian Cyber Alliance (UCA) used CVE-2023-22515, a Confluence vulnerability, to escalate privileges and access Trigona’s Confluence server. They gained insight into the group’s infrastructure and published Trigona’s support documents, exfiltrated the developer environment and information pertaining to Trigona’s crypto payments, as well as the back-end of Trigona’s chat service and details of its blog/leak site. After collecting all the information, UCA defaced and deleted Trigona’s site. Read here.
Israeli hacking collective Predatory Sparrow recently reemerged after taking time off from digital operations. The group, which has historically targeted Iran, posted in Persian in its Telegram channel on Monday, October 16, asking if its followers were “…following what is happening in Gaza.” They also shared a link to the Iranian Mehr News Agency, whose site was down at the time. Learn more.
KillNet caused the UK Royal Family’s website to be unavailable for 90 minutes on Sunday, October 1. KillMilk, the leader of KillNet, called the incident “an attack on pedophiles” – a reference to Prince Andrew’s ongoing scandal. Fueling the fire, Britain’s King Charles had recently condemned the Russian invasion of Ukraine in a public speech, and KillNet attempts to exact retribution on those who speak out against Russian actions. Read full article.
The ALPHV ransomware gang claimed responsibility for an early October attack against northwestern Florida courts. The attack possibly exposed social security numbers and other personal information of court employees and of the judges themselves. ALPHV also claims to have a network map of the court’s online systems, which likely includes credentials, opening the door to further network infiltration and possible lateral movement. Read full article.
Ransomware group BianLian successfully breached Air Canada with its ransomware, claiming 210 GB of data. Air Canada acknowledged an incident in September 2023 but said that the stolen information was limited. BianLian shared screenshots on its leak page indicating that the employee data was only part of what it stole, and that it also had technical information, such as a SQL database. Learn more.