Cyware Daily Threat Intelligence

Daily Threat Briefing • Dec 7, 2023
RATs on fire! A Linux RAT, Krasue, was found targeting telecom companies in Thailand since 2021. It uses a rootkit derived from open-source projects to maintain covert access and evade detection. The malware shares code similarities with XorDdos (another Linux malware), suggesting the same author may be involved. Meanwhile, the author of AsyncRAT malware seems to have upgraded its distribution tactics. Previously distributed via .chm files, it now uses the WSF script format. The campaign combines malspam with phishing emails and relies on techniques such as "fileless" injection so the payload runs without being installed as a file on the target system.
Meanwhile, a year-old Bluetooth vulnerability may allow cybercriminals to inject keystrokes on Apple, Android, Linux, macOS, and iOS devices. The attack tricks Bluetooth host state machines into pairing with a fake keyboard without user confirmation.
South Korean defense firms targeted
The Seoul Metropolitan Police accused North Korean hacking group Andariel, linked to the Lazarus group, of pilfering 1.2TB of sensitive information, including data on anti-aircraft weapon systems, from the country's defense companies. During the attack, adversaries allegedly used a South Korean server rental company and extorted ransoms from at least three victims. The police have seized servers in South Korea that the group used in its campaign.
U.S. schools hit ahead of holidays
As the holiday season approaches, cyberattacks on K-12 schools and the broader education sector have intensified. Henry County Schools, a district near Atlanta, discovered suspicious activity impacting its network, leading to a confirmed ransomware incident. The BlackSuit ransomware gang posted the school's data on its leak site. The criminals could access only a “file storage area containing mostly historical procedural documents.”
Cyberattack cripples U.S. defense contractor
Austal, an Australia-based shipbuilding company serving as a contractor for the U.S. Navy, fell victim to a cyberattack claimed by the Hunters International ransomware group. The attackers leaked stolen information as proof of the breach and threatened to release more data, including financial details and engineering data. The company assured that no personal or classified information was impacted.
Cambridge NHS trust reveals historic data breaches
Cambridge University Hospitals NHS Foundation Trust CEO Roland Sinker disclosed two historical data breaches resulting from inadvertent patient data disclosure in Excel spreadsheets shared in response to Freedom of Information (FOI) requests. The first incident, from 2021, involved the unintentional sharing of maternity patient data, affecting 22,073 individuals. The breach was uncovered by What Do They Know administrators, prompting an NHS trust investigation that revealed a separate 2021 incident involving 373 cancer patients.
Nissan investigates cyberattack, warns of data leak
Japanese automaker Nissan is probing a cyberattack on its Australian and New Zealand systems, with potential access to personal information. Nissan Oceania alerted customers to the risk of a data breach. While website functionality seems unaffected, the company warned of scams targeting account holders and advised vigilance. Nissan also clarified that its dealer network is not impacted.
DICOM bugs expose millions of patient records
Security flaws in the Digital Imaging and Communications in Medicine (DICOM) standard are placing millions of patients' medical records at risk, as revealed by German cybersecurity consultancy Aplite. Weaknesses in Picture Archiving and Communication System (PACS) servers storing DICOM images have left over 3,800 servers exposed across 110 countries, impacting 16 million patients. Additionally, more than 43 million health records, encompassing examination results and referring physicians' details, are vulnerable.
Linux trojan after Thailand telecom firms
Security researchers uncovered a new Linux RAT named Krasue, primarily targeting telecom companies in Thailand since at least 2021. The trojan deploys a rootkit, derived from open-source projects like Diamorphine and Suterusu, to maintain persistence on the host without detection. Krasue uses Real Time Streaming Protocol (RTSP) messages as a disguised "alive ping," a tactic rarely seen, making it challenging to detect. The trojan shares source code similarities with XorDdos, suggesting a common author or actors with access to its source code.
AsyncRAT malware alters distribution technique
AsyncRAT malware has shifted its distribution method, now employing WSF script format disseminated through compressed files. The malicious WSF script downloads and executes a VB script, leading to the deployment of a disguised JPG file. The attack involves converting the JPG file's extension to .zip, decompressing it, and executing an XML file with a command string that launches the Error.vbs file via PowerShell. The final step involves running the pwng.ps1 file, converting contained strings into a .NET binary, and executing the AsyncRAT malware.
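A defender-side view of the chain described above: the added Python below (not from the briefing or any vendor) walks constructed Sysmon-style process-creation events and flags a powershell.exe run of a .ps1 whose ancestry includes a Windows script host executing a .wsf or .vbs file. The event layout, paths and the invoice.wsf file name are assumptions; Error.vbs and pwng.ps1 are the names the briefing mentions.

```python
"""Flag script-host -> PowerShell process chains in process-creation logs."""
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}      # Windows Script Host images
SCRIPT_EXT = re.compile(r"\.(wsf|vbs)\b", re.IGNORECASE)
PS1_ARG = re.compile(r"\.ps1\b", re.IGNORECASE)

# Constructed sample events (pid, ppid, image, command line); not real telemetry.
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\Downloads\\invoice.wsf"'},
    {"pid": 210, "ppid": 200, "image": "wscript.exe",
     "cmdline": 'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\Error.vbs"'},
    {"pid": 220, "ppid": 210, "image": "powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\Users\\u\\AppData\\Local\\Temp\\pwng.ps1"},
    # Benign admin script launched straight from the shell: must not be flagged.
    {"pid": 300, "ppid": 100, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]


def ancestry(events: List[Dict], pid: int) -> List[Dict]:
    """Return the process and its ancestors, child first, until the parent is unknown."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_script_to_powershell_chains(events: List[Dict]) -> List[List[int]]:
    """Return pid chains (root first) where a .ps1 run descends from a .wsf/.vbs host."""
    hits = []
    for e in events:
        if e["image"].lower() != "powershell.exe" or not PS1_ARG.search(e["cmdline"]):
            continue
        chain = ancestry(events, e["pid"])
        script_parents = [a for a in chain[1:]
                          if a["image"].lower() in SCRIPT_HOSTS and SCRIPT_EXT.search(a["cmdline"])]
        if script_parents:
            hits.append([a["pid"] for a in reversed(chain)])
    return hits


if __name__ == "__main__":
    for chain in find_script_to_powershell_chains(EVENTS):
        print("suspicious chain:", " -> ".join(map(str, chain)))
```

Feeding it the constructed events reports the chain 100 -> 200 -> 210 -> 220 and ignores the directly launched backup script.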
Google patches Chromecast hardware bugs
Google addressed three security issues in its Chromecast media-streaming hardware that could allow malicious installation of custom operating systems. The bugs—CVE-2023-48424, CVE-2023-48425, CVE-2023-6181—posed a supply chain interception risk, enabling hackers to replace authentic software updates or packages during the distribution process with malicious versions. Experts warn of potential threats when purchasing Chromecast devices from third-party retailers.
Bluetooth flaw threatens Apple, Android, and Linux devices
A Bluetooth authentication bypass bug, identified as CVE-2023-45866, poses a significant threat to Apple, Android, and Linux devices, enabling attackers to connect and inject keystrokes to execute arbitrary commands. Discovered by SkySafe, the flaw doesn't require specialized hardware and can be exploited from a Linux machine with a standard Bluetooth adapter. Affected operating systems include Android 4.2.2-10, Ubuntu, Debian, Fedora, and macOS/iOS with a Magic Keyboard.
New SLAM attack leaks root password hash
Academic researchers have unveiled SLAM, a new side-channel attack targeting hardware security features in upcoming CPUs from Intel, AMD, and Arm. SLAM leverages transient execution, exploiting memory features like Linear Address Masking (LAM), Upper Address Ignore (UAI), and Top Byte Ignore (TBI) to obtain the root password hash from kernel memory. The attack primarily impacts future chips due to the lack of strong canonicality checks.