Cyware Daily Threat Intelligence


Daily Threat Briefing September 11, 2023

A new malware threat, dubbed HijackLoader, has surfaced that can not only drop a variety of malware payloads but also establish persistence on compromised systems, posing a notable threat. During the encounter, researchers observed attackers dropping DanaBot, SystemBC, and RedLine Stealer. Meanwhile, emails from highly trusted domains could face a major lack of trust. Why? Researchers from the University of California San Diego have disclosed an email spoofing technique that capitalizes on vulnerabilities in email forwarding processes. The researchers say they reached out to Microsoft, Apple, and Google but, to their knowledge, the issue has not been fully fixed.

Back to malware threats, DarkGate loader has been sighted once again in the wild in phishing campaigns. It exploits a vulnerability in Microsoft Teams and uses compromised accounts to send HR-themed messages with malicious attachments.

Top Breaches Reported in the Last 24 Hours

Massive ransomware attack hits Sri Lankan government

All government offices using the gov[.]lk email domain of Sri Lanka, including the Cabinet Office, have lost data from May 17 to August 26, 2023, following a major ransomware attack, confirmed by the Information and Communication Technology Agency (ICTA). Approximately 5,000 email addresses were potentially affected, with no offline backup available for the two-and-a-half-month data loss period.

Ragnar Locker operators cripple Israeli Hospital

The Ragnar Locker ransomware gang has claimed responsibility for an attack on Israel's Mayanei Hayeshua hospital, stating that they did not encrypt data to prevent disruptions to medical equipment but discovered serious network vulnerabilities. The cybercrime group threatened to leak 1 TB of stolen data, including personal information, internal emails, finances, and medical records.

Bookstore chain suffers customer data breach

Australian bookstore chain Dymocks Booksellers informed customers of a data breach that may have exposed personal information, including names, addresses, birth dates, gender, email addresses, and Booklovers membership details. While the company has not determined the exact number of affected individuals, data breach notification service Have I Been Pwned estimates that around 1.2 million Dymocks records, including over 800,000 unique email addresses, were stolen in the breach. The incident occurred in June.

Top Malware Reported in the Last 24 Hours

HijackLoader delivers multiple payloads

A new malware loader known as HijackLoader is seemingly gaining popularity among cybercriminals for distributing various payloads, including DanaBot, SystemBC, and RedLine Stealer. Despite lacking advanced features, HijackLoader's modular architecture enables it to employ various code injection and execution modules, making it a versatile threat. The loader utilizes evasion techniques, such as using syscalls to bypass monitoring and delaying code execution to fly under the radar.

Fake Telegram apps harvest sensitive user data

Multiple fake Telegram apps were discovered on the Google Play Store designed to collect sensitive information from compromised Android devices. These malicious apps, which have been collectively downloaded millions of times, can capture usernames, IDs, contacts, phone numbers, and chat messages, sending the data to an actor-controlled server. Researchers named this activity "Evil Telegram" and highlighted that the malicious apps employ typosquatting techniques to appear legitimate.

Phishing campaign distributes DarkGate

A phishing campaign discovered in late August misused Microsoft Teams messages to distribute malicious attachments, delivering the DarkGate loader. The campaign, initiated through compromised external Office 365 accounts, deceived Teams users into downloading a cleverly disguised malicious ZIP file. Upon opening the attachment, malicious VBScript triggered an infection chain that led to the deployment of DarkGate loader, utilizing several techniques to evade detection.

Top Vulnerabilities Reported in the Last 24 Hours

Unpatched zero-day bug under abuse

Cisco has confirmed the existence of an unpatched zero-day vulnerability in its widely used Adaptive Security Appliance Software (ASA) and Firepower Threat Defense (FTD). The Akira ransomware gang is among those exploiting this flaw to gain unauthorized access to security appliances. The vulnerability, tracked as CVE-2023-20269, allows attackers to identify valid credentials for unauthorized remote access VPN sessions and establish clientless SSL VPN sessions, potentially compromising network security. It remains unclear when the patch will be made available.

Flaws in email forwarding process

Computer scientists at the University of California San Diego have discovered vulnerabilities in the email forwarding process that allow for email spoofing. The technique, known as forwarding-based spoofing, can be used by attackers to impersonate renowned organizations, bypassing email provider safeguards. The vulnerabilities result from the fact that many organizations outsource their email infrastructure to third-party providers, allowing attackers to exploit the email forwarding process. Microsoft, Apple, and Google have been alerted, but fixes remain elusive.
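The briefing does not describe the mechanics of the UCSD technique, but the reason forwarded mail is hard to authenticate comes down to the standard DMARC rule (RFC 7489): an SPF or DKIM pass only counts if the authenticated domain is aligned with the visible From: domain. The following added illustration (not code from the researchers or from any provider) evaluates that alignment rule over constructed scenarios; the domains, the simplified organisational-domain lookup, and the pre-computed SPF/DKIM results are all assumptions.

```python
"""Evaluate DMARC identifier alignment for an already-authenticated message.

Added illustration, not from the briefing or the UCSD paper. Assumptions:
SPF and DKIM have already been evaluated upstream; we only decide whether
those results are aligned with the RFC5322.From domain, as DMARC requires.
The organisational-domain lookup is simplified to the last two labels
(a real implementation consults the Public Suffix List).
"""
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    """Simplified organisational domain: last two DNS labels."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(identifier: str, from_domain: str, strict: bool) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    identifier, from_domain = identifier.lower(), from_domain.lower()
    if strict:
        return identifier == from_domain
    return org_domain(identifier) == org_domain(from_domain)


@dataclass
class AuthResults:
    from_domain: str            # domain of the visible From: header (RFC5322.From)
    mail_from_domain: str       # envelope sender domain (RFC5321.MailFrom / Return-Path)
    spf_result: str             # "pass", "fail" or "none", computed upstream
    dkim_domain: Optional[str]  # d= of a DKIM signature that verified, or None


def dmarc_pass(r: AuthResults, aspf_strict: bool = False, adkim_strict: bool = False) -> bool:
    """DMARC passes if either SPF or DKIM passed AND that identifier is aligned."""
    spf_ok = r.spf_result == "pass" and aligned(r.mail_from_domain, r.from_domain, aspf_strict)
    dkim_ok = r.dkim_domain is not None and aligned(r.dkim_domain, r.from_domain, adkim_strict)
    return spf_ok or dkim_ok


# Constructed scenarios (illustrative domains, not real infrastructure).
# 1. Sent directly by the org's own server: SPF passes and is aligned.
DIRECT = AuthResults("bank.example", "bank.example", "pass", None)
# 2. Forwarded with the original MAIL FROM kept: the forwarder's IP is not in
#    bank.example's SPF record, so SPF fails outright.
FORWARDED_MAILFROM_KEPT = AuthResults("bank.example", "bank.example", "fail", None)
# 3. Forwarded with sender rewriting (SRS): SPF passes for the relay's domain,
#    but that domain is not aligned with From:, so the SPF path still fails.
FORWARDED_SRS = AuthResults("bank.example", "fwd.relay.example", "pass", None)
# 4. Same forward, but the original DKIM signature survived intact: DKIM aligns.
FORWARDED_WITH_DKIM = AuthResults("bank.example", "fwd.relay.example", "pass", "bank.example")
# 5. Look-alike domain: the org domains differ, so nothing aligns.
LOOKALIKE = AuthResults("bank.example", "bank.example.attacker.example", "pass", None)


def evaluate_all() -> dict:
    """Return the DMARC verdict for every constructed scenario."""
    scenarios = {
        "direct": DIRECT,
        "forwarded_mailfrom_kept": FORWARDED_MAILFROM_KEPT,
        "forwarded_srs": FORWARDED_SRS,
        "forwarded_with_dkim": FORWARDED_WITH_DKIM,
        "lookalike": LOOKALIKE,
    }
    return {name: dmarc_pass(r) for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:28s} DMARC {'pass' if verdict else 'fail'}")
```

The point for defenders is visible in scenarios 2 through 4: once a message has been forwarded, SPF can never authenticate it on behalf of the original domain, so an intact DKIM signature is the only aligned path left. A receiver that treats the forwarder's own SPF pass as sufficient, or that relaxes alignment for a shared provider, is trusting the forwarding hop rather than the domain in From:, which is the general area the briefing describes without detailing the researchers' specific technique.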

Notepad++ released with security updates

Notepad++ version 8.5.7 has been released to address multiple buffer overflow vulnerabilities reported by GitHub security researcher Jaroslav Lobačevski. These vulnerabilities, including the high-severity flaw CVE-2023-40031, could potentially lead to arbitrary code execution. While the Notepad++ development team was initially slow to respond, fixes for these flaws have now been released, and users are advised to update to version 8.5.7 to mitigate these security risks.
