Cyware Daily Threat Intelligence

Daily Threat Briefing February 16, 2024

A Russian APT has added a new backdoor, TinyTurla-NG (TTNG), to its toolkit and is using it against Polish NGOs; the campaign relies on compromised WordPress sites for C2. In other headlines, the U.S. government disrupted Moobot, a botnet commandeered by Russian military intelligence that targeted Ubiquiti routers worldwide. The GRU used the botnet to harvest credentials and to host malicious tools.

The FortiGuard team has documented a family of malware droppers used to deliver a wide range of final-stage payloads. Known as TicTacToe droppers, they obfuscate their payloads, including Leonem, AgentTesla, and Remcos, and arrive in phishing emails carrying .iso file attachments.

Top Breaches Reported in the Last 24 Hours

Misconfiguration exposed 380 million records

Cybersecurity researcher Jeremiah Fowler uncovered a massive data leak in a database allegedly belonging to edge cloud service provider Zenlayer: roughly 380 million records totaling 57.46 GB, including internal logs and customer data, exposed without any password protection and therefore open to any threat actor who found it. Zenlayer released a statement confirming it was aware of the issue.

State government network compromised

CISA and MS-ISAC disclosed a breach of an unnamed state government organization. Attackers gained initial access with a former employee's administrator account, which had never been disabled, and used it to reach internal systems. Access to a virtualized SharePoint server yielded a further set of credentials with administrative privileges to both the on-premises network and Azure Active Directory.

Top Malware Reported in the Last 24 Hours

Turla's new backdoor targets Polish NGOs

Cisco Talos researchers discovered the Russia-linked Turla APT deploying a new backdoor named TinyTurla-NG (TTNG) in attacks against Polish NGOs. Resembling Turla's earlier implant, TinyTurla, TTNG serves as a last-resort backdoor that keeps access once other persistence mechanisms have been detected or removed. Running as a service DLL under svchost.exe, the malware supports commands for file manipulation and for switching between C2 URLs hosted on compromised WordPress sites. The campaign has been active since December 2023.

TicTacToe: a malware distribution strategy

FortiGuard's recent analysis exposed the TicTacToe dropper, which has been used in a malware distribution campaign throughout 2023. Employing multiple layers of obfuscation, these droppers conceal final-stage payloads, including Leonem, AgentTesla, and LokiBot, and are usually disseminated through phishing emails with .iso file attachments. The analysis describes the obfuscation methods, runtime assembly loading, and the detection-evasion techniques that evolved over the campaign.

U.S. disrupts Russian military botnet

The U.S. federal government took down a criminal botnet that Russian military intelligence had commandeered for worldwide cyberespionage. Dubbed Moobot, this Mirai variant targeted Linux-based IoT devices, particularly Ubiquiti routers still using default administrator credentials. Operated by the GRU-linked APT28, the botnet supported credential harvesting and spear-phishing campaigns.

RansomHouse unleashes 'MrAgent'

RaaS operation RansomHouse introduced MrAgent, a tool designed to streamline the deployment of its data encrypter across multiple VMware ESXi hypervisors. MrAgent identifies host systems, disables the hypervisor firewall, and automates ransomware deployment, compromising every VM the host manages. Configured from the C2 servers, it executes custom encryption events, manipulates hypervisor settings, and thwarts attempts at intervention.

Top Vulnerabilities Reported in the Last 24 Hours

Authentication bypass flaw in Wi-Fi networks

Security researchers disclosed Wi-Fi authentication bypass vulnerabilities in the open-source wpa_supplicant and in Intel's iNet Wireless Daemon (IWD). CVE-2023-52160 in wpa_supplicant lets an attacker within radio range lure a victim device onto a rogue clone of a trusted enterprise network and intercept its traffic without any user interaction; it affects PEAP clients that are not configured to verify the authentication server's certificate. CVE-2023-52161 in IWD lets an attacker join a home network that uses IWD as an access point without knowing the password. Android, Linux, and ChromeOS devices relying on wpa_supplicant are the main population at risk.
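As an added illustration, not taken from the briefing or from the researchers' report, the two wpa_supplicant network blocks below put the client configuration the PEAP bypass depends on next to a hardened one. The SSID, identity, password, certificate path and server name are placeholders.

```conf
# Weak: no ca_cert, so wpa_supplicant never verifies the RADIUS server's
# TLS certificate. A rogue AP that clones the SSID can terminate the TLS
# tunnel itself and, on unpatched builds, skip phase-2 authentication.
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="changeme"
    phase2="auth=MSCHAPV2"
}

# Hardened: pin the issuing CA and the expected server name, so only the
# real authentication server can complete the outer TLS handshake.
# Both values are placeholders for the organization's own CA and server.
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="changeme"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

Patching wpa_supplicant closes the phase-2 skip, but it is the pinned `ca_cert` (together with `domain_match` or `domain_suffix_match`) that stops a rogue AP from impersonating the server at all, so auditing fleet configurations for PEAP networks without `ca_cert` is the check worth running regardless of patch status.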

High-severity flaws in Windows security products

ESET released patches for a high-severity vulnerability (CVE-2024-0353) affecting its consumer, business, and server security products for Windows. The flaw, found in the real-time file system protection feature, could allow an attacker with low privileges to delete arbitrary files with SYSTEM privileges. The bug was reported to ESET by Trend Micro's ZDI, and ESET says it has no evidence of exploitation in the wild. Affected products include its antivirus, endpoint, server, and email security solutions.

Top Scams Reported in the Last 24 Hours

Package delivery scam

Threat actors used AWS Simple Notification Service (SNS), driven by a bulk-messaging script called SNS Sender, to run a smishing campaign impersonating the U.S. Postal Service. SentinelOne's report frames it as part of a growing trend of abusing compromised cloud accounts and services to deliver attacks at scale. The campaign sends targets fake missed-package notifications that lead to phishing pages harvesting personal and payment card information.
