Cyware Daily Threat Intelligence

Daily Threat Briefing • Oct 19, 2023
In a major breakthrough, the Ukrainian Cyber Alliance (UCA) has procured hundreds of gigabytes of likely stolen documents from the servers of Trigona ransomware and shut down its infrastructure. Be extra careful about clicking ads on Google's search engine, as even Google missed this one. A deceptive ad has been found with a nearly identical URL that managed to dupe even security-savvy users. The ad ran for several days, sponsored by an advertiser verified by Google's Ad Transparency Center. Through this campaign, attackers attempt to infect a victim's system with FakeBat malware.
Google-owned Mandiant brings attention to a critical security flaw affecting Citrix NetScaler ADC and NetScaler Gateway appliances. Security researchers highlighted that cybercriminals can bypass authentication checks. These attacks have so far targeted professional services, technology, and government organizations.
Over 820,000 customers' data exposed
DNA Micro, a California-based IT company, inadvertently exposed the data of more than 820,000 customers due to a system misconfiguration. The breach affected customers who opted for a screen warranty through DNA Micro's subsidiary, InstaProtek, as well as companies like Liquipel and Otterbox that offered warranty services with their products. The leaked data included sensitive information such as full names, addresses, phone numbers, and IMEI numbers. The breach lasted for at least six months.
Knight ransomware steals big from USCS
The Knight ransomware group is suspected of carrying out a cyberattack on US Claims Solutions (USCS), an insurance industry provider. The group claims to have exfiltrated over 600GB of data from the attack. Threat actors have issued a ransom threat to USCS, providing a deadline for ransom payment. The management of USCS was given 48 hours to respond to the threat, and Knight has threatened to sell or publicly release the exfiltrated data if they do not receive a response.
Hacker leaks millions of 23andMe profiles
A hacker known as 'Golem' has leaked an additional 4.1 million genetic data profiles pertaining to 23andMe. Most of these individuals reside in Great Britain and Germany. This follows a previous leak of 1 million Ashkenazi Jewish profiles earlier this month. 23andMe stated that the data was obtained through credential stuffing attacks on accounts with weak passwords or from other data breaches, with no evidence of a security breach on their systems.
Eastern European critical sectors targeted
A group of hackers targeted more than a dozen oil, gas, and defense companies in Eastern Europe using an updated version of the MATA backdoor framework. The MATA backdoor was previously attributed to the North Korean hacker group Lazarus, though direct attribution was not confirmed. The campaign, which ran from August 2022 to May 2023, utilized phishing emails to trick victims into downloading malware exploiting a vulnerability in Internet Explorer. The attackers masqueraded as employees of the target organizations.
Casio breach impacts customers in 149 countries
Japanese electronics manufacturer Casio has reported a data breach that impacted its customers in 149 countries; the breach occurred on its ClassPad education platform. Casio detected the incident after a ClassPad database failure within its development environment and found evidence of unauthorized access to customer information. The exposed data includes customer names, email addresses, countries of residence, service usage details, and purchase information, but not credit card information.
UCA neutralizes Trigona ransomware group
In a bold operation, the Ukrainian Cyber Alliance (UCA) successfully infiltrated and wiped out the servers of the notorious Trigona ransomware group. Utilizing a critical vulnerability in Atlassian Confluence Data Center and Server, UCA gained access and meticulously collected data, including source code and potential decryption keys. The cyber activists remained undetected for six days, sharing revealing screenshots along the way. After harvesting all available information, UCA defaced Trigona's sites and released an administration panel key.
Malicious ads impersonate KeePass
Google is facing scrutiny for hosting a convincing malicious ad that posed as an advertisement for the open-source password manager KeePass. The ad, despite Google's vetting process, appeared genuine, leading users to believe it was trustworthy. Upon clicking the ad, users were directed to ķeepass[.]info, which mimicked the legitimate KeePass site. A closer examination revealed that ķeepass[.]info was an encoded punycode domain, represented as xn--eepass-vbb[.]info, hosting a malware family known as FakeBat.
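A defender-side check for the lookalike described above, written as an added example (not code from the original briefing): it decodes a punycode label back to Unicode, strips the diacritic with NFKD normalization to get a "skeleton", and flags the domain when the skeleton collides with a watch-listed brand. The watch list is a constructed assumption.

```python
import unicodedata

# Constructed watch list of brand domains to protect (assumption for this example).
BRANDS = {"keepass.info"}


def idn_to_unicode(domain):
    """Decode any xn-- labels of a domain to Unicode; return None if malformed."""
    labels = []
    for label in domain.lower().split("."):
        if label.startswith("xn--"):
            try:
                # Python's punycode codec does the RFC 3492 decoding of the label body.
                label = label[4:].encode("ascii").decode("punycode")
            except (UnicodeError, ValueError):
                return None
        labels.append(label)
    return ".".join(labels)


def skeleton(domain):
    """Fold accented letters onto their base letters: NFKD splits U+0137 (ķ)
    into 'k' + U+0327 (combining cedilla); the combining mark is then dropped."""
    decomposed = unicodedata.normalize("NFKD", domain)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def classify(domain):
    """Classify a domain seen in an ad or URL log against the brand watch list."""
    unicode_domain = idn_to_unicode(domain)
    if unicode_domain is None:
        return "malformed"
    if unicode_domain in BRANDS:
        return "exact"                 # the genuine brand domain
    if skeleton(unicode_domain) in BRANDS:
        return "lookalike"             # homograph of a watch-listed brand
    return "unrelated"


if __name__ == "__main__":
    for observed in ("keepass.info", "xn--eepass-vbb.info", "example.org"):
        print(f"{observed:24} -> {idn_to_unicode(observed)!s:16} {classify(observed)}")
```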
Microsoft warns of Lazarus exploiting JetBrains bug
Microsoft cautioned against the Lazarus Group actively exploiting a critical vulnerability (CVE-2023-42793) in JetBrains TeamCity to infiltrate vulnerable servers. These attacks have been attributed to two subgroups, Diamond Sleet and Onyx Sleet. Diamond Sleet deploys a known implant called ForestTiger after compromising TeamCity servers, while another variant uses malicious DLLs and remote access trojans. Onyx Sleet creates a new user account for system impersonation.
Adversaries exploit WinRAR bug
Google's TAG reported that multiple government-backed hacking groups have been exploiting the known vulnerability CVE-2023-38831 in the WinRAR tool for Windows. The vulnerability allows attackers to execute arbitrary code when a user attempts to view a benign file within a ZIP archive. The attackers use phishing emails and malicious documents to target victims. The attacks have been linked to Russian and Chinese APT actors.
Critical Citrix flaw faces threats
Citrix issued a warning regarding the exploitation of a recently disclosed critical security flaw, CVE-2023-4966, in NetScaler ADC and NetScaler Gateway appliances. The vulnerability affects specific versions of NetScaler ADC and NetScaler Gateway and, if exploited, could lead to exposure of sensitive information. The flaw allows attackers to hijack existing authenticated sessions, potentially bypassing MFA or other strong authentication processes. Mandiant detected zero-day exploitation of the vulnerability starting in late August 2023.