Cyware Daily Threat Intelligence

Daily Threat Briefing May 1, 2023

Cybercriminals are constantly devising new ways to evade detection by security software. In one such observation, researchers detected a change in the distribution method of ROKRAT spyware used to infect South Korean users. The attackers are using archives containing LNK files that initiate multi-stage infection chains. In other news, malware dubbed Octopus was used to spy on 18 public service infrastructures by hacking a telecoms provider in Tajikistan.

There is also an update on the recent attack that occurred at Western Digital. It is believed that the BlackCat ransomware group had access to the company’s systems even as the company responded to the breach. The development comes after the attackers published a fresh list of screenshots containing internal emails and video conference recordings stolen from the firm.

Top Breaches Reported in the Last 24 Hours

United HealthCare discloses a data breach

United Healthcare, Maryland, notified its customers about a data breach that enabled threat actors to access the personal information of those enrolled in the company’s healthcare plans. The company believes that the exposed information includes first and last names, dates of birth, addresses, dates of service, health insurance identification numbers, and claim information of members.

Data of Missouri residents found exposed

Information for thousands of people based in Missouri was accessible to anyone using the Casenet website, the state’s judicial record system. The issue arose due to a vulnerability that is now fixed. However, thousands more documents containing sensitive information remain available on the website as they are considered open records.

Bitmarck hit by cyberattack

Bitmarck, an IT service provider based in Germany, suffered a cyberattack that temporarily disrupted its website. While the company has yet to determine whether any data was stolen, it has taken systems offline to contain the attack.

Nearly $1.45 million in crypto stolen

Decentralized finance protocol 0VIX lost nearly $1.45 million in crypto assets in a hack. The attackers executed the hack by exploiting the flash loan feature. The stolen tokens were transferred to the Ethereum mainnet via Stargate Finance, where the hackers exchanged them for ETH.

Western Digital’s data leaked

In a new update, the BlackCat ransomware group published 29 screenshots of internal emails and video conferences related to Western Digital. It is believed that these files were stolen after the company had detected the attack and while response actions were being taken to block unauthorized access to its systems.

Top Malware Reported in the Last 24 Hours

BouldSpy malware

The Iranian government used an Android malware, called BouldSpy, to surveil minority groups and traffickers in the country. Upon execution, the malware collected account usernames, a list of installed apps and services, browser data, call logs, clipboard content, contact lists, device information, and SMS messages. The malware also enabled operators to log keystrokes, record audio, take screenshots, and capture device locations.

ROKRAT backdoor’s delivery changed

Over the years, the deployment methods of ROKRAT backdoor malware have evolved. Presently, archives containing LNK files are being used to deliver the malware that is attributed to the APT37 threat group. The lures used as part of the infection are largely focused on South Korean foreign and domestic affairs.

Octopus malware spotted

Russian cyberespionage group Nomadic Octopus has been associated with a new campaign, dubbed Operation PaperBug, that used the Octopus malware to spy on government officials, telecommunication services, and public service infrastructures in Tajikistan. The campaign used a broad range of devices, including individuals’ computers and OT devices, as part of the operation and was executed by hacking a telecoms provider that was linked to the 18 targeted entities. The malware is capable of capturing screenshots and pilfering sensitive information from target systems.

Top Scams Reported in the Last 24 Hours

Phishing attack against Romanian customers

Heimdal Security discovered an active phishing campaign that specifically targeted Romanian telecom customers. The campaign impersonated Romania’s National Post website to lure users. The phishing site was distributed via SMS in the form of a short link. The message read, “The delivery address for your package RO342521924SE is not valid, please update your delivery address in 24 hours or the package will be returned.”