Cyware Daily Threat Intelligence


Daily Threat Briefing December 18, 2023

QakBot returns! The malware operators have been observed targeting the hospitality industry in a new phishing campaign, impersonating an IRS employee. A multinational law enforcement effort had dismantled its infrastructure back in August. Rhadamanthys Stealer, a relatively new malware strain, was observed undergoing active development, making it a potent threat in the evolving cyber landscape. Two new versions of this C++ info-stealer have surfaced, the newest of which adds a clipper plugin that diverts crypto payments, among other features.

WordPress hosting provider Kinsta is alerting users about phishing attacks that use Google Ads to steal MyKinsta login credentials. Fraudulent sites mimicking Kinsta's appearance target users who intend to visit the official Kinsta sites, underscoring the need for caution and for not clicking on suspicious links.

Top Breaches Reported in the Last 24 Hours

Genetic testing firm faces breach

Asper Biogene, a genetic testing company specializing in hereditary disease diagnostics, suffered a cyberattack leading to the illegal download of personal and health data for approximately 10,000 individuals. The breach was reported to the police and authorities on November 11, with the criminals making a ransom demand and threatening to release the stolen information. The breach also affected around 40 healthcare companies associated with the company.

African bank suspends systems

Central Bank of Lesotho confronted a severe cyberattack that disrupted several systems, prompting the suspension of some services. The attack was discovered on December 11, 2023, leading to the suspension of certain systems to prevent further infiltration. While the Central Bank of Lesotho assured the public of no financial losses, it acknowledged delays in payments. The National Payments System downtime has affected inter-bank transactions, prompting the implementation of alternative measures to facilitate payments.

MongoDB blurts out data

Database software provider MongoDB fell victim to a security breach, discovering unauthorized access to its corporate systems and customer data. The breach affected customer names, phone numbers, and email addresses, along with other customer account metadata and system logs for one specific customer. MongoDB emphasized that the incident had no impact on the MongoDB Atlas cluster authentication system. Affected customers were advised to monitor their accounts for any suspicious activities.

Ransomware attack cripples cancer center

The Fred Hutchinson Cancer Research Center, Seattle, was hit by a ransomware attack, as claimed by the Hunters International ransomware gang. The attackers added the healthcare organization to their dark web leak site, threatening to release 533GB of stolen data. Fred Hutch had disclosed a cyberattack earlier in December, revealing unauthorized activity on its clinical network. The personal data of over 800,000 patients may have been compromised.

Top Malware Reported in the Last 24 Hours

Rhadamanthys malware enhances capabilities

The developers of Rhadamanthys information-stealing malware released two major versions (0.5.0 and 0.5.1), introducing significant improvements and features. The info-stealer, initially known for targeting email, FTP, and online banking credentials, has evolved with a modular plugin system, allowing customization for specific distribution needs. The new versions include a Data Spy plugin for monitoring RDP login attempts, enhanced data theft from browsers, anti-analysis checks, and an embedded configuration.

InfectedSlurs botnet exploits QNAP flaw

Akamai shared updates on the InfectedSlurs botnet exploiting zero-day vulnerabilities to compromise routers and QNAP VioStor Network Video Recorder (NVR) devices. The botnet, initially identified in October 2023, leverages an RCE vulnerability (CVE-2023-47565) in QNAP VioStor NVR devices. While QNAP considers these devices discontinued for support, users are advised to upgrade firmware to the latest version.

QakBot resurfaces to target hospitality industry

Notorious malware strain QakBot reemerged in a new phishing campaign targeting the hospitality industry, according to Microsoft. The low-volume campaign, which began on December 11, involves phishing emails that purport to come from an IRS employee. The phishing emails contain a PDF with a URL that downloads a digitally signed Windows Installer (.msi). Executing the MSI installer leads to the activation of QakBot through the execution of an embedded DLL.
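A detection sketch for the chain described above (a user-downloaded MSI run by msiexec, followed by an embedded DLL being executed), added here as an example and not code from Microsoft, Cyware or the campaign report. The event layout, the rundll32/regsvr32 child-process heuristic and the log records are constructed assumptions, not observed telemetry.

```python
"""Flag msiexec installs from user-writable paths that spawn a DLL host process."""
import re
from collections import defaultdict

# Constructed process-creation records (assumed shape, e.g. derived from
# Sysmon Event ID 1 or EDR telemetry); none of these come from a real incident.
EVENTS = [
    {"ts": 1, "pid": 100, "ppid": 10, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\bob\Downloads\IRS_Form.msi" /quiet'},
    {"ts": 2, "pid": 101, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\MSI1234.tmp,DllRegisterServer"},
    {"ts": 3, "pid": 200, "ppid": 10, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\ProgramData\Vendor\Updater.msi" /qn'},
    {"ts": 4, "pid": 201, "ppid": 200, "image": r"C:\Program Files\Vendor\app.exe",
     "cmdline": r'"C:\Program Files\Vendor\app.exe"'},
]

# Assumptions: a phished MSI lands in a user-writable location, and the embedded
# DLL is run through a DLL host (rundll32/regsvr32) that msiexec spawns.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\", re.I)
DLL_HOSTS = ("rundll32.exe", "regsvr32.exe")


def msi_from_user_path(event):
    """True when msiexec is invoked on an MSI stored under Downloads or AppData."""
    return (event["image"].lower().endswith("msiexec.exe")
            and bool(USER_WRITABLE.search(event["cmdline"])))


def find_msi_dll_chains(events):
    """Return (msiexec event, child event) pairs where a user-path MSI install
    spawned a DLL host, i.e. the MSI-to-DLL chain described for this campaign."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for e in events:
        if not msi_from_user_path(e):
            continue
        for child in children[e["pid"]]:
            if child["image"].lower().endswith(DLL_HOSTS):
                hits.append((e, child))
    return hits


if __name__ == "__main__":
    for parent, child in find_msi_dll_chains(EVENTS):
        print(f"suspicious: pid {parent['pid']} -> pid {child['pid']}: {child['cmdline']}")
```

The vendor-path install (pid 200) is deliberately left unflagged to show that the heuristic keys on the user-writable MSI location plus the DLL-host child, not on msiexec alone.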

Top Vulnerabilities Reported in the Last 24 Hours

Ubiquiti bug exposes accounts and video streams

Ubiquiti, the networking and video surveillance camera manufacturer, has addressed a bug that inadvertently provided some users with access to other customers' accounts and private live video streams. Initial reports on Reddit highlighted instances where individuals received push notifications featuring unrelated account data and video streams. Ubiquiti later acknowledged the issue, attributing it to an upgrade in its cloud infrastructure. About 1,216 accounts were wrongly associated with another group for about nine hours.

VoIP software warns of integration bug

VoIP software provider 3CX issued a security advisory, revealing an integration bug affecting versions 18 and 20 of its software. The bug primarily impacts the SQL integration, with the company noting that only 0.25% of its user base utilizes this feature. Users employing MongoDB, MsSQL, MySQL, and PostgreSQL databases are advised to disable their SQL database integrations as a precautionary measure until a solution is developed.

Top Scams Reported in the Last 24 Hours

Phishing via Google Ads

WordPress hosting provider Kinsta has issued a warning to its customers regarding a phishing scam exploiting Google Ads. The attackers use fraudulent sites promoted through Google Ads to steal MyKinsta login credentials. These phishing attacks specifically target individuals who have previously visited Kinsta's official websites. The malicious sites closely mimic Kinsta's interface to trick users into providing login credentials.
