Cyware Daily Threat Intelligence

Daily Threat Briefing • Mar 28, 2024
Phishing kits that use cloaking techniques are becoming more prevalent in the threat landscape. Two days after the discovery of Tycoon MFA, researchers have found a new toolkit, named Darcula, that is actively targeting iPhone and Android users to steal their credentials. Packed with over 200 templates that impersonate brands and services from over 100 countries, the toolkit leverages the RCS protocol for Google Messages and iMessage to send phishing messages. A sophisticated malware campaign targeting the PyPI repository has also come to notice, leading to the suspension of new project creation and new user registration. Threat actors are leveraging automation and typosquatting to upload malicious Python packages and steal information from developers.
In other updates, Google has issued patches for seven security flaws, including two zero-day vulnerabilities, impacting its Chrome web browser. The CISA has also updated its KEV catalog with a Microsoft SharePoint RCE flaw, following the discovery of its active exploitation.
INC Ransom threatens to publish 3TB data
The INC Ransom group threatened to publish 3TB of data stolen from NHS Dumfries and Galloway if the agency failed to meet its ransom demand. As proof, it has shared some sample documents containing medical assessments, analysis results, and psychological reports of doctors and patients. Meanwhile, the agency has confirmed the attack, adding that clinical data of a small number of patients was leaked by the ransomware group.
Gilmer County hit by ransomware
The government of Gilmer County in Georgia issued a notice that it suffered a ransomware attack that disrupted its ability to provide services to its more than 30,000 residents. As per the notification, the investigation is underway and the county government is working on restoring the impacted systems and services.
Malicious Python packages uploaded
The Checkmarx team reported a new multi-stage attack campaign against Python developers, which aims at stealing their crypto wallets, sensitive data from browsers, and various credentials. The attackers are leveraging typosquatting and automation to upload malicious Python packages to the PyPI repository. As a precautionary measure, PyPI has temporarily suspended new project creation and new user registration to mitigate the ongoing campaign.
New PhantomRAT discovered
A threat actor group linked to Ukraine was reported using a new malware, named PhantomRAT, to target organizations in Russia. To deliver PhantomRAT to victims' systems, the hackers used phishing emails containing a PDF file disguised as a contract, along with an attached password-protected RAR archive whose password was sent within the email. The malware is capable of downloading files from a command and control (C2) server and uploading files from a compromised host to an attacker-controlled server.
Flaws in Chrome browser addressed
Google fixed seven security vulnerabilities in the Chrome web browser, including two zero-day flaws exploited during the Pwn2Own Vancouver 2024 hacking competition. The first zero-day flaw is a type confusion vulnerability (CVE-2024-2887) in the WebAssembly open standard. The second flaw is a use-after-free flaw (CVE-2024-2886) in the WebCodecs API. The flaws have been fixed in version 123.0.6312.86/.87 for Windows and Mac and 123.0.6312.86 for Linux users.
CISA adds another flaw to KEV
The CISA added a Microsoft SharePoint Server Code Injection vulnerability (CVE-2023-24955) to its KEV catalog, highlighting its exploitation in the wild. The agency emphasizes that an attacker who has obtained Site Owner privileges can exploit this vulnerability to execute malicious code remotely on the targeted SharePoint server. The CISA has ordered federal agencies to address the vulnerability by April 16.
NVIDIA pushes emergency patches
Computing giant NVIDIA pushed out emergency security patches for flaws affecting its ChatRTX for Windows. Flagged as CVE-2024-0082 and CVE-2024-0083, the vulnerabilities carry high-risk ratings and can be exploited to launch harmful code via cross-site scripting attacks. The flaws affect ChatRTX for Windows 0.2 and prior versions.
Grafana platform impacted by BOLA
Unit 42 researchers have discovered a new Broken Object Level Authorization (BOLA) vulnerability that impacts the Grafana platform. This vulnerability, tracked as CVE-2024-1313, has a CVSS score of 6.5 and can allow low-privileged Grafana users to delete dashboard snapshots belonging to other organizations using the snapshots' keys. Users are advised to upgrade to version 10.4.x, 10.3.5, 10.2.6, 10.1.9 or 9.5.18 to mitigate the BOLA risk.
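As an added illustration of the object-level check this bug class lacks (example code written for this briefing, not Grafana's own), the block below contrasts a delete handler that trusts the snapshot key alone with one that also requires the snapshot to belong to the caller's organization. The Snapshot, Caller and Store types and the in-memory table are constructed for the example.

```go
package main

import "errors"

// Snapshot is a dashboard snapshot owned by exactly one organization (illustrative type).
type Snapshot struct {
	Key   string // the key that identifies the snapshot in delete requests
	OrgID int64
}

// Caller is the authenticated user making the request (hypothetical type).
type Caller struct {
	UserID int64
	OrgID  int64
}

var ErrNotFound = errors.New("snapshot not found")
// Store is an in-memory snapshot table keyed by snapshot key, constructed for this example.
type Store struct{ byKey map[string]Snapshot }

func NewStore(snaps ...Snapshot) *Store {
	s := &Store{byKey: make(map[string]Snapshot)}
	for _, sn := range snaps {
		s.byKey[sn.Key] = sn
	}
	return s
}

// Exists reports whether a snapshot with the given key is still stored.
func (s *Store) Exists(key string) bool { _, ok := s.byKey[key]; return ok }

// DeleteByKeyOnly shows the BOLA pattern: the caller is authenticated, but the
// object is selected by key alone, so a user from any org can delete it.
func (s *Store) DeleteByKeyOnly(c Caller, key string) error {
	if !s.Exists(key) {
		return ErrNotFound
	}
	delete(s.byKey, key)
	return nil
}

// DeleteScopedToOrg is the hardened form: resolve the object, then require that
// the caller's org owns it. Cross-org keys are reported as not found, not forbidden.
func (s *Store) DeleteScopedToOrg(c Caller, key string) error {
	snap, ok := s.byKey[key]
	if !ok || snap.OrgID != c.OrgID {
		return ErrNotFound
	}
	delete(s.byKey, key)
	return nil
}
```

The hardened variant returns the same not-found error for a key in another org as for a missing key, so the response does not confirm that the key exists.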
Users warned about tax scams
Multiple instances of tax-related phishing scams targeting taxpayers were reported by researchers. One of these scams impersonated the IRS and instructed users to scan a QR code to check pending documents. However, scanning the QR code leads victims to several different malicious sites that steal their personal information. Apart from the scams, threat actors were found selling legitimate W-2 and 1040 forms on dark web forums.
New Darcula phishing kit spotted
A new PhaaS named Darcula was found using nearly 20,000 domains to spoof brands and steal credentials from Android and iPhone users in more than 100 countries. Touted to offer over 200 templates, the kit has been used against various organizations, including financial services, government, telecommunications, and airline companies. These templates impersonate landing pages of multiple brands and use the correct local language, logos, and content to trick users. As part of the attack tactic, it uses the RCS protocol for Google Messages and iMessage to send phishing messages.