
Cyware Daily Threat Intelligence


Daily Threat Briefing June 5, 2023

Once again, a Chinese nation-state group has been observed in the wild pursuing its intelligence-gathering objectives, this time by delivering the new TinyNote backdoor. The group reportedly uses file names related to foreign affairs as bait. In another malware campaign, researchers warn about the TrueBot malware. The threat can escalate and propagate rapidly, much like ransomware spreading across a network, leading to a broader infection. TrueBot is typically linked with Silence, a Russian group believed to have connections with another infamous Russian cybercrime actor known as Evil Corp.

Malware galore. A new Vidar info-stealer campaign, launched in the past week, has come to light. In it, cybercriminals attempt to pilfer credentials from targeted individuals by sending fake complaints to online store admins.

Top Breaches Reported in the Last 24 Hours

Crypto users lose $35 million

Atomic Wallet is investigating a rather significant attack spree that swindled over $35 million worth of cryptocurrency from users' wallets. To mitigate the risk of further compromises, the developers have taken their download server, 'get[.]atomicwallet[.]io', offline. The company is also requesting information from victims, such as the operating system in use, where the software was downloaded from, and activities performed prior to the cryptocurrency theft.

Spanish bank under pressure from hackers

The Play ransomware group listed Globalcaja, one of the prominent banks in Spain, as one of its victims. While the bank only confirmed the incident, hackers claimed they successfully obtained private and highly confidential information. This includes client and employee documents, passports, contracts, and more. The group has set a deadline of June 11, 2023, threatening to release the stolen data publicly if the ransom demand isn’t met.

Top Malware Reported in the Last 24 Hours

Chinese group drops TinyNote

Check Point took the wraps off a Golang malware infection campaign by a Chinese actor known as Camaro Dragon. The malware, named TinyNote, operates as an initial payload with the ability to perform basic machine enumeration and execute commands through PowerShell or Goroutines. The TinyNote backdoor is distributed using filenames associated with foreign affairs, and it is suspected to specifically target embassies located in Southeast and East Asia.

TrueBot’s activity on the rise

Generally associated with the Silence group, the TrueBot downloader trojan botnet has been abusing critical flaws in Netwrix Auditor and using Raspberry Robin as a delivery vector. Botnet operators lure potential victims into downloading an executable file named "update.exe" through Google Chrome. Upon execution, it establishes connections with a recognized TrueBot IP address situated in Russia to fetch a second-stage executable, which is then executed through the Windows Command Prompt.

Vidar poses as customers

A unique phishing email is spreading the Vidar info-stealer by impersonating complainants in conversations with online store admins. It uses email and website contact forms to collect the admins' credentials. The emails are usually crafted to convey a sense of urgency. As an example, one email pressures the retailer to promptly issue a refund and thoroughly investigate the underlying cause of the issue. Vidar can steal a range of information, from saved passwords, cryptocurrency wallets, and text files to Authy 2FA databases.

Top Vulnerabilities Reported in the Last 24 Hours

Splunk fixes multiple flaws

Updates have been released for multiple serious security issues found in Splunk Enterprise, including a privilege escalation bug tracked as CVE-2023-32707. The bug allows low-privileged users with the ‘edit_user’ capability to escalate their privileges to an administrative role via specially crafted requests. The round of patches also addresses certain bugs in third-party packages that had been exposed for over four years. Splunk Enterprise versions 8.1.14, 8.2.11, and 9.0.5 patch all of the identified flaws.
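The fixed versions above are per release branch, so a simple "is my version bigger" check misclassifies hosts (9.0.4 is unpatched even though it is numerically above 8.2.11). Below is an added, branch-aware patch check written for this briefing; it is not Cyware's or Splunk's code, and it assumes that branches newer than 9.0 (such as 9.1.x) already carry the fix, which the briefing does not state.

```python
"""Branch-aware patch check for the Splunk Enterprise fixes in the briefing.

Constructed example, not Cyware's or Splunk's code. Fixed versions come from
the briefing: 8.1.14, 8.2.11 and 9.0.5. Assumption: a branch newer than 9.0
(e.g. 9.1.x) is treated as patched; an older branch with no listed fix
(e.g. 8.0.x) is treated as unpatched.
"""
from typing import Dict, Iterable, Tuple

# Fixed versions from the briefing, keyed by release branch (major, minor).
FIXED_VERSIONS = {
    (8, 1): (8, 1, 14),
    (8, 2): (8, 2, 11),
    (9, 0): (9, 0, 5),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch'; any further dotted components are ignored."""
    parts = text.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"expected major.minor.patch, got {text!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return major, minor, patch


def is_patched(version: str) -> bool:
    """True if this Splunk Enterprise version includes the CVE-2023-32707 fix."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in FIXED_VERSIONS:
        # Compare within the branch only: 9.0.4 < 9.0.5 is unpatched.
        return (major, minor, patch) >= FIXED_VERSIONS[branch]
    # Assumption (see docstring): newer branches are patched, older ones are not.
    return branch > max(FIXED_VERSIONS)


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each observed version string to 'patched' or 'unpatched'."""
    return {v: ("patched" if is_patched(v) else "unpatched") for v in versions}


if __name__ == "__main__":
    # Constructed inventory of observed versions (sample values, not real hosts).
    observed = ["8.1.13", "8.2.11", "9.0.4", "9.0.5", "8.0.9", "9.1.0"]
    for version, state in triage(observed).items():
        print(f"{version}: {state}")
```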

Zyxel urges firmware update

Zyxel, a Taiwanese networking device manufacturer, has released firmware updates for its ATP, USG Flex, VPN, and ZyWALL/USG firewall devices. The security issues resolved are tracked as CVE-2023-28771, CVE-2023-33009, and CVE-2023-33010. These vulnerabilities could trigger OS command execution, RCE attacks, and DoS attacks, respectively. The company has further advised customers to scan systems for infection.

Gigabyte mitigates risks

In an official announcement, Gigabyte informed users about BIOS updates aimed at eliminating a recently discovered backdoor feature related to the Gigabyte App Center. The feature was present in numerous Gigabyte motherboard models. While there is no evidence of malicious exploitation of this backdoor so far, it should be noted that threat actors have previously abused similar tools in various attacks.
