Cyware Daily Threat Intelligence


Daily Threat Briefing October 24, 2023

The thriving malware ecosystem continues to pose formidable challenges for cybersecurity professionals. Most recently, an open-source remote access trojan was observed employing the DLL sideloading technique to covertly extract data from compromised Windows systems, capitalizing on the trust associated with Windows files such as ctfmon.exe and calc.exe. In another headline, SolarWinds has issued patches for multiple high-severity vulnerabilities found in its Access Rights Manager (ARM). Among them are three RCE bugs that could be exploited by unauthenticated attackers to execute arbitrary code with System privileges.

Also, it has been noted that financial fraud in India has spiked at the hands of Chinese scammers. They are reportedly abusing India's digital payment ecosystem, mostly through fake loan apps and real money games, to defraud victims.

Top Breaches Reported in the Last 24 Hours

Vehicle seizure data leaked

A security researcher discovered a data breach that exposed over 500,000 records related to vehicle seizures carried out by the Irish National Police, An Garda Síochána. The exposed database, operated by an unnamed contractor, contained sensitive data such as scanned identity documents, insurance inquiries, and incident reports dating back to 2017. It is estimated that up to 150,000 vehicle owners' information may have been affected.

Hospitals' online services shut down

A cyberattack disrupted online services for at least five hospitals in southwestern Ontario, Canada. TransForm, the IT provider for these hospitals, confirmed the cyberattack. The incident's cause and potential data breach are under investigation, with affected hospitals unable to provide further details. The hospitals urge patience from patients and anticipate delays in services.

FB and Insta Police Portal access for sale

A threat actor is selling access to Facebook and Instagram's Police Portal for $700, according to cybersecurity researcher Alon Gal. The portal is used by law enforcement agencies to request user data and post removals. It remains unclear how the threat actor obtained access, but it poses significant risks, including unauthorized data requests, harassment, doxxing, fake law enforcement actions, and identity theft.

Top Malware Reported in the Last 24 Hours

Rival countries deploy custom payloads

Security experts connected Indian-origin threat actor DoNot Team to a new .NET-based backdoor called Firebird, used in cyberattacks on victims in Pakistan and Afghanistan. Firebird attack chains also include the delivery of a downloader called CSVtyrei, resembling Vtyrei, as well as non-functional code, suggesting ongoing development efforts. Separately, Zscaler ThreatLabz unveiled insights on the Pakistan-based Transparent Tribe APT targeting Indian government entities with a new malware arsenal, featuring a .NET binary trojan called ElizaRAT. Additionally, a nation-state actor known as Mysterious Elephant has been linked to spear-phishing campaigns involving the use of ORPCBackdoor.

Another RAT adopts DLL sideloading technique

The Quasar RAT has been observed using DLL sideloading to stealthily steal data from compromised Windows systems. This technique involves planting a malicious DLL file with a name that a legitimate executable is expected to look for. In this case, a legitimate binary named "ctfmon.exe" was renamed to "eBill-997358806.exe," and a malicious MsCtfMonitor.dll was used to deliver the Quasar RAT payload. While the initial access vector is unclear, it's likely to involve phishing emails.
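The sideloading pattern described above leaves two telemetry signals a defender can look for: a process whose on-disk name no longer matches the OriginalFilename in its PE version resource (ctfmon.exe renamed to eBill-997358806.exe), and a DLL carrying a Windows system DLL name (MsCtfMonitor.dll) that is loaded from outside the system directories. The following is an added example, not code from the briefing or from any vendor: it runs that heuristic over a handful of constructed image-load records. The field names (process_path, original_filename, dll_path) and the small baseline of system DLL names are assumptions, not a real EDR or Sysmon schema.

```python
"""Heuristic detection of DLL sideloading from image-load telemetry (added example)."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which a system DLL is expected to be loaded.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Hypothetical baseline of DLL names that legitimately live only in SYSTEM_DIRS.
# In practice this would be built from a clean reference image.
KNOWN_SYSTEM_DLLS = {"msctfmonitor.dll", "version.dll", "dbghelp.dll"}


@dataclass(frozen=True)
class ImageLoad:
    process_path: str        # full path of the process that loaded the DLL
    original_filename: str   # OriginalFilename from the process's PE version info
    dll_path: str            # full path of the DLL that was loaded


def _in_system_dir(path: str) -> bool:
    """True when the file's parent directory is one of the Windows system dirs."""
    parent = str(PureWindowsPath(path).parent).lower()
    return parent in SYSTEM_DIRS


def analyse(event: ImageLoad) -> list[str]:
    """Return a list of findings for one image-load event (empty if benign)."""
    findings = []
    proc = PureWindowsPath(event.process_path)
    dll = PureWindowsPath(event.dll_path)

    # Signal 1: the executable was renamed (on-disk name != compiled-in name).
    if event.original_filename and proc.name.lower() != event.original_filename.lower():
        findings.append(
            f"renamed binary: {proc.name} carries OriginalFilename {event.original_filename}"
        )

    # Signal 2: a system DLL name resolved to a file outside the system directories.
    if dll.name.lower() in KNOWN_SYSTEM_DLLS and not _in_system_dir(event.dll_path):
        findings.append(f"system DLL name loaded from non-system path: {event.dll_path}")

    # Corroboration: the DLL sits next to the executable, the classic search-order
    # hijack layout. Alone this is common for legitimate software, so it is only
    # reported when one of the stronger signals already fired.
    if findings and str(dll.parent).lower() == str(proc.parent).lower():
        findings.append("DLL resides in the process directory (search-order sideload layout)")

    return findings


# Constructed sample records: one sideload, one normal ctfmon.exe start,
# one vendor application loading its own helper DLL.
SAMPLE_EVENTS = [
    ImageLoad(
        r"C:\Users\victim\Downloads\eBill-997358806.exe",
        "CTFMON.EXE",
        r"C:\Users\victim\Downloads\MsCtfMonitor.dll",
    ),
    ImageLoad(
        r"C:\Windows\System32\ctfmon.exe",
        "CTFMON.EXE",
        r"C:\Windows\System32\MsCtfMonitor.dll",
    ),
    ImageLoad(
        r"C:\Program Files\Vendor\app.exe",
        "app.exe",
        r"C:\Program Files\Vendor\helper.dll",
    ),
]


def scan(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each suspicious process path to its findings; benign events are omitted."""
    results = {}
    for event in events:
        findings = analyse(event)
        if findings:
            results[event.process_path] = findings
    return results


if __name__ == "__main__":
    for process, findings in scan().items():
        print(process)
        for finding in findings:
            print("  -", finding)
```

Only the first record is flagged, with all three findings; the genuine ctfmon.exe in System32 and the vendor application loading its own helper DLL produce nothing. The OriginalFilename comparison is the more robust of the two signals because it does not depend on the attacker choosing a DLL name already in the baseline.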

Top Vulnerabilities Reported in the Last 24 Hours

SolarWinds patches sensitive bugs

SolarWinds has addressed eight high-severity vulnerabilities discovered in its Access Rights Manager (ARM). These include three RCE flaws that can be exploited without authentication. The vulnerabilities stem from insufficient validation of user-supplied data in various methods within ARM, allowing unauthenticated attackers to execute arbitrary code or achieve privilege escalation. Users of ARM are advised to apply the patches to mitigate potential risks.

Top Scams Reported in the Last 24 Hours

China-based scammers conduct financial fraud

Cybercriminals based in China are utilizing counterfeit loan apps and India's real-time mobile payment system, Unified Payments Interface (UPI), to defraud victims. These scammers pose as loan providers, enticing individuals with the promise of easy loans in exchange for a fee, typically 5-10% of the loan amount. Victims are tricked into disclosing personal information, including bank details, phone numbers, and identity documents. After the fee is paid, no loan is provided, and the funds are funneled out of India to China using Chinese payment gateways.
