InfoSec News 20220406

  • Published: Wed, 06/04/2022 - 11:42

Top News


  • Trend Micro warns of active attacks against Apex Central console

"Trend Micro has advised customers to update its Apex Central technology following the discovery of web-based attacks targeting a newly discovered vulnerability.
Both hosted and on-premises versions of the Apex Central web-based centralized management console are vulnerable to a file upload vulnerability that poses a remote code execution (RCE) risk.
Put simply, flaws in a security dashboard that allows security teams to monitor endpoints for security compliance and threats make it possible for attackers to upload and subsequently execute malware within corporate environments."

Link

TLP1 : Green

  • Intel shuts down all business operations in Russia

"US chipmaker Intel announced Tuesday night that it had suspended all business operations in Russia, joining other tech companies that pulled out of the country due to the invasion of Ukraine.
Intel had already suspended all shipments to customers in Russia and Belarus last month after the US government issued sweeping sanctions that prevented the export of technology to the countries.
With today's announcement, Intel is shutting down all business operations in the country, which includes 1,200 employees located in Russia.
“Intel continues to join the global community in condemning Russia’s war against Ukraine and calling for a swift return to peace," announced Intel in a Tuesday night press release."

Link

TLP1 : Green

  • Chinese hackers abuse VLC Media Player to launch malware loader

"Security researchers have uncovered a long-running malicious campaign from hackers associated with the Chinese government who are using VLC Media Player to launch a custom malware loader.
The campaign appears to serve espionage purposes and has targeted various entities involved in government, legal, and religious activities, as well as non-governmental organizations (NGOs) on at least three continents.
This activity has been attributed to a threat actor tracked as Cicada (a.k.a. menuPass, Stone Panda, Potassium, APT10, Red Apollo) that has been active for more than 15 years, since at least 2006."

Link

TLP1 : Green

Cybersecurity State: Surveillance, Cyberwarfare, Cybercriminality and Hacktivism


  • Russia-linked Armageddon APT targets Ukrainian state organizations, CERT-UA warns

"Ukraine CERT-UA published a security advisory to warn of spear-phishing attacks conducted by Russia-linked Armageddon APT (aka Gamaredon, Primitive Bear, Armageddon, Winterflounder, or Iron Tilden) targeting local state organizations. The phishing messages have been sent from “vadim_melnik88@i[.]ua”; the campaign aims at infecting the target systems with malware.
The Gamaredon group was first discovered by Symantec and TrendMicro in 2015, but evidence of its activities has been dated back to 2013. The group targeted government and military organizations in Ukraine. In December 2019, the APT group targeted several Ukrainian diplomats, government and military officials, and law enforcement."

Link

TLP1 : Green

  • Symantec: Chinese APT Group Targeting Global MSPs

"Malware hunters at Broadcom’s Symantec division have spotted signs that a long-running cyberespionage campaign linked to Chinese nation-state hackers is now going after managed service providers (MSPs) with a more global footprint.
In a report issued Tuesday, Symantec said it observed a group known as Cicada (APT10, Stone Panda) expanding its target list to include government, legal, religious, and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia, and North America."

Link

TLP1 : Green

  • South African and US Officers Swoop on Fraud Gang

"South African and US investigators have teamed up to arrest several members of a suspected fraud gang linked to an infamous Nigerian business email compromise (BEC) syndicate.
Officers from the Hawks Serious Commercial Crimes Unit and US Secret Service agents swooped on the Johannesburg homes of four men and three women aged between 25 and 42, according to Interpol.
They’re said to have been responsible for at least one possible BEC scam that conned a US-based company out of €455,000 ($496,000) and romance fraud."

Link

TLP1 : Green

  • Anonymous targets the Russian Military and State Television and Radio propaganda

"Anonymous continues to support Ukraine against the Russian criminal invasion targeting the Russian military and propaganda.
Anonymous leaked personal details of the Russian military stationed in Bucha, where the Russian military carried out a massacre of civilians, and who are accused of having raped and shot local women and children. Leaked data include names, ranks and passport details of Russians serving in the 64 Motor Rifle Brigade which occupied Bucha prior to March 31."

Link

TLP1 : Green

  • FIN7 Cybercrime Operation Continues to Evolve Despite Arrests

"Despite recent arrests and convictions, the FIN7 cybercrime operation has continued to evolve, with hackers updating their tools and techniques and changing monetization strategies, according to cybersecurity firm Mandiant.
Also referred to as Anunak and Carbanak, FIN7 has been around since at least 2015, mainly focused on the theft of credit card information from businesses worldwide. There are multiple groups of hackers that operate under the FIN7 umbrella, and even more of them can be associated with the gang."

Link

TLP1 : Green

Breaches: Data Breaches and Hacks


  • Block Admits Data Breach Involving Cash App Data Accessed by Former Employee

"Block, the company formerly known as Square, has disclosed a data breach that involved a former employee downloading unspecified reports pertaining to its Cash App Investing that contained information about its U.S. customers.
"While this employee had regular access to these reports as part of their past job responsibilities, in this instance these reports were accessed without permission after their employment ended," the firm revealed in an April 4 filing with the U.S. Securities and Exchange Commission (SEC)."

Link

TLP1 : Green

  • Ransomware Gang Leaks Files Stolen From Industrial Giant Parker Hannifin

"A notorious cybercrime group has leaked several gigabytes of files allegedly stolen from US industrial components giant Parker Hannifin.
Parker Hannifin specializes in motion and control technologies, and it provides precision engineered solutions for organizations in the aerospace, mobile, and industrial sectors.
In a Tuesday regulatory filing, the Fortune 250 company said it detected a breach of its systems on March 14.
Upon discovering the intrusion, Parker shut down some systems and launched an investigation. Law enforcement has been notified and cybersecurity and legal experts have been called in to assist."

Link

TLP1 : Green

  • Texas Department of Insurance Exposed Data of 1.8 Million People

"The Texas Department of Insurance recently disclosed a “data security event” that appears to have affected roughly 1.8 million people.
The Texas Department of Insurance (TDI) disclosed the incident on March 24, but DataBreaches.net noticed that the Texas Attorney General’s office reported on April 4 that 1.8 million Texans are impacted.
The exposed information includes names, addresses, phone numbers, dates of birth, and partial or full social security numbers, as well as information about injuries and worker compensation claims."

Link

TLP1 : Green

Vulnerabilities: Vulnerability Advisories, Zero-Days, Patches and Exploits


  • 44 Vulnerabilities Patched in Android With April 2022 Security Updates

"The Android updates released by Google for April 2022 include patches for 44 vulnerabilities, including several rated “critical severity.”
As usual, the update was split into two parts, with the first of them arriving on devices as the “2022-04-01 security patch level” and addressing 14 security holes.
The most important of these is a high-severity bug in Framework that could be exploited to escalate privileges, without any form of user interaction. What’s more, no additional execution privileges are needed either, Google says in its advisory."

Link

TLP1 : Green

Incident Response: Infrastructure, Training, SIEM and Incident Handling


  • Battling Cybersecurity Risk: How to Start Somewhere, Right Now

"Between a series of recent high-profile cybersecurity incidents and the heightened geopolitical tensions, there's rarely been a more dangerous cybersecurity environment. It's a danger that affects every organization – automated attack campaigns don't discriminate between targets.
The situation is driven in large part by a relentless rise in vulnerabilities, with tens of thousands of brand-new vulnerabilities discovered every year. For tech teams that are probably already under-resourced, guarding against this rising tide of threats is an impossible task."

Link

TLP1 : Green

  • What We Can Learn From Lapsus$ Techniques

"The Lapsus$ cybercriminal collective has been making headlines in recent weeks. After several high-profile attacks, the security community is turning its gaze toward this new threat actor and its techniques.
The Okta incident also reveals some details of their techniques. Microsoft has now published an in-depth blog post detailing the activities it has observed associated with DEV-0537, its reference name for Lapsus$. Cybersecurity blog Krebs on Security has a deeper dive into some of the group's activities, confirming several of Microsoft's findings."

Link

TLP1 : Green

Technical Articles: Forensics, Reverse Engineering, Malware, Phishing, Pentesting, Software Security and Cryptography


  • Australia warns of money recovery phishing luring past victims

"The Australian Competition & Consumer Commission is raising awareness about a spike in money recovery scams. The agency warns in an alert today that reports of money recovery scams this year have increased in Australia by 725% compared to the same period in 2021.
The losses reported in Q1 2022 are estimated to be $270,000 (up by 301% compared to 2021), which add up to losses incurred by victims who previously fell for the same type of scam.
The case appears to be particularly effective because the original scammers maintain a list of people who proved to be gullible, having been scammed in the context of other campaigns.
Although these people have higher than average alertness due to past negative experiences, they are still very likely to fall for the trap because of the believable theme used in the second attempt."

Link

TLP1 : Green

  • Windows Persistence: COM Hijacking (MITRE: T1546.015)

"According to MITRE, “Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence.” To hijack a COM object, an attacker needs to make certain changes in registry hives and replace the reference to a legitimate system component with a malicious one. When that application is run and the COM object is called, the malware is run instead, hence giving persistence.
In this article, we will cover the methodology for COM hijacking."

Link

TLP1 : Green

  • Microsoft adds on-premises Exchange, SharePoint to bug bounty program

"Microsoft has announced that Exchange, SharePoint, and Skype for Business on-premises are now part of the Applications and On-Premises Servers Bounty Program starting today.
With the expansion of this bug bounty program, security researchers who find and report vulnerabilities affecting on-premises servers are eligible for awards ranging from $500 up to $26,000.
"The Microsoft Applications and On-Premises Servers Bounty Program invites researchers across the globe to identify vulnerabilities in specific Microsoft applications and on-premise servers and share them with our team," the company says."

Link

TLP1 : Green

  • Ukraine Warns of Cyber attack Aiming to Hack Users' Telegram Messenger Accounts

"Ukraine's technical security and intelligence service is warning of a new wave of cyber attacks that are aimed at gaining access to users' Telegram accounts.
"The criminals sent messages with malicious links to the Telegram website in order to gain unauthorized access to the records, including the possibility to transfer a one-time code from SMS," the State Service of Special Communication and Information Protection (SSSCIP) of Ukraine said in an alert."

Link

TLP1 : Green

  • Hackers Distributing Fake Shopping Apps to Steal Banking Data of Malaysian Users

"Threat actors have been distributing malicious applications under the guise of seemingly harmless shopping apps to target customers of eight Malaysian banks since at least November 2021.
The attacks involved setting up fraudulent but legitimate-looking websites to trick users into downloading the apps, Slovak cybersecurity firm ESET said in a report shared with The Hacker News.
The copycat websites impersonated cleaning services such as Maid4u, Grabmaid, Maria's Cleaning, Maid4u, YourMaid, Maideasy and MaidACall and a pet store named PetsMore, all of which are aimed at users in Malaysia."

Link

TLP1 : Green


1 Traffic Light Protocol (TLP) [1] for information sharing:


  • Red: Not for disclosure, restricted to participants only.
  • Amber: Limited disclosure, restricted to participants' organizations.
  • Green: Limited disclosure, restricted to the community.



[1] https://www.first.org/tlp