SAN MATEO, CA, December 18, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Four US residents behind $80 million pig butchering campaign charged by Department of Justice
- New KV-Botnet discovered to be targeting firewalls and routers to launch attacks
- BazarCall attackers legitimizing phishing emails using Google Forms
- Victims have lost $1 billion in cryptocurrency to approval phishing scammers
- New cybercrime market OLVX utilizes SEO and exclusive toolkits to grow in popularity
- WordPress RCE vulnerability found in plug-in downloaded more than 90,000 times
- Lazarus Group continues to exploit Log4J bug with new RAT malware
- Millions of patients’ data stolen in ransomware attack against Norton Healthcare
- Interpol reports that human trafficking for cyber fraud is expanding globally
- Nearly 40% of Log4J apps are still vulnerable to security issues
Four US residents behind $80 million pig butchering campaign charged by Department of Justice
Four suspects alleged to be involved in a major pig butchering scheme have been charged by the US Department of Justice, with two of them detained. The four suspects, all of them residents of California, are said to have created shell companies and bank accounts to launder money stolen through crypto investment scams and other acts of fraud. The Justice Department said that the “overall fraud scheme in the related pig-butchering syndicate involved at least 284 transactions and resulted in more than $80 million in victim losses. More than $20 million in victim funds were directly deposited into bank accounts associated with the defendants.” According to the FBI, “investment scam losses were the most (common or dollar amount) scheme reported” in 2022.
New KV-Botnet discovered to be targeting firewalls and routers to launch attacks
Researchers at Black Lotus Labs have discovered a new botnet made up of routers and firewalls from Cisco, Fortinet, DrayTek, and Netgear that is being used “as a covert data transfer network for advanced persistent threat actors, including the China-linked threat actor called Volt Typhoon.” The botnet, known as KV-Botnet, is being used by the APT to blend its malicious actions “into normal network activity by routing traffic through compromised small office and home office (SOHO) network equipment, including routers, firewalls, and VPN hardware.” The malware runs entirely in memory, which makes detection very challenging but does allow a victim to terminate the infection with a power cycle, although re-infection is likely if the device remains exposed.
BazarCall attackers legitimizing phishing emails using Google Forms
BazarCall is a phishing attack “utilizing an email resembling a payment notification or subscription confirmation to security software, computer support, streaming platforms, and other well-known brands.” These messages often tell a victim that a subscription they didn’t purchase is being renewed unless they call the number provided to cancel. Once on the line, a criminal on the other end will trick them into installing malware. A report from Abnormal indicates that attackers are now using Google Forms to make the emails appear more legitimate, filling out the form with fake transaction details and sending a copy of the phony form to the recipient. Because the form is sent from Google’s servers and originates from a Google address, it is unlikely to be flagged by security tools. Abnormal has not yet described the later stages of this new technique.
Victims have lost $1 billion in cryptocurrency to approval phishing scammers
A report from Chainalysis indicates that, since 2021, threat actors have stolen around $1 billion in cryptocurrency from victims using “approval phishing” scams. These scams see attackers fool people into “signing a malicious blockchain transaction that gives their address approval to spend specific tokens inside the victim’s wallet.” Once that approval has been granted, the scammer can drain the victim’s funds. Victims are typically lured through fraudulent investment schemes, impersonations, and romance scams. Chainalysis believes the true losses may be much higher than the data shows, because most romance scams go unreported.
New cybercrime market OLVX utilizes SEO and exclusive toolkits to grow in popularity
Hackers have a new marketplace to browse as they search for the tools they use to launch cyberattacks and commit fraud. OLVX is a new market that is growing in popularity and is hosted on the clear net as opposed to the dark web, allowing users to access it more easily and making it possible to promote the site with SEO. Researchers believe that OLVX’s growth in recent months is largely due to that SEO, helped along by some additional advertising and word of mouth in the hacker community. To further incentivize customers, the OLVX marketplace admins “maintain relationships with various cybercriminals who create custom toolkits” for the platform, according to a report from ZeroFox.
WordPress RCE vulnerability found in plug-in downloaded more than 90,000 times
A WordPress backup plugin called Backup Migration has been found to harbor a critical RCE flaw with a CVSS severity rating of 9.8. Tracked as CVE-2023-6553, the bug “allows unauthenticated threat actors to inject arbitrary PHP code, resulting in a full site compromise,” according to Defiant researcher Alex Thomas. Backup Migration has been downloaded over 90,000 times, meaning many sites are vulnerable to the exploit. All versions of Backup Migration, except the latest one that patches the flaw, are vulnerable. Users are urged to update immediately.
Lazarus Group continues to exploit Log4J bug with new RAT malware
While the Log4J exploit is now two years old, North Korea’s Lazarus Group continues to find ways to exploit those who have yet to update their systems. Its latest effort sees the hacking collective release three new pieces of malware: two remote access trojans (RATs), NineRAT and DLRAT, and a malware downloader called BottomLoader. The malware is written in D (DLang), a language not commonly used among criminals. Cisco Talos has dubbed this new Lazarus campaign “Operation Blacksmith.” Targeting agricultural, manufacturing, and security companies worldwide, the campaign began in March of 2023. Operation Blacksmith shows Lazarus employing new tools and tactics, proving that the threat actors continually evolve their strategies to remain effective.
Millions of patients’ data stolen in ransomware attack against Norton Healthcare
Operating over 40 hospitals and clinics in Kentucky, healthcare giant Norton suffered a ransomware attack in May that resulted in the theft of data belonging to around 2.5 million patients, employees, and dependents. According to a letter sent to affected individuals, a hacker accessed the company’s “network storage” and made off with a “wide range of sensitive information,” such as names, dates of birth, Social Security numbers, health and insurance information, and medical identification numbers. Norton claimed not to have paid a ransom and did not name the group responsible for the attack, but ALPHV/BlackCat took credit for the attack around the time it happened.
Interpol reports that human trafficking for cyber fraud is expanding globally
An Interpol operation looking into human-trafficking-fueled cybercrime has indicated that, while previously mostly confined to Southeast Asia, the criminal activity has spread globally, reaching as far as Latin America. The scheme has seen hundreds of thousands of vulnerable people trafficked by organized criminals and placed into scam centers where they are made to commit fraud while enduring physical abuse. One example uncovered by the operation involved Malaysians lured to Peru and Ugandans lured to Dubai, Thailand, and Myanmar. Promised highly paid employment, the victims are instead confined by armed criminals and forced to commit financial fraud.
Nearly 40% of Log4J apps are still vulnerable to security issues
According to a report from Veracode, two years after the Log4Shell vulnerability was disclosed, around 38% of applications using Log4j are still running a version susceptible to security issues. Log4Shell, “an unauthenticated remote code execution (RCE) flaw that allows taking complete control over systems with Log4j 2.0-beta9 and up to 2.15.0,” has had wide-ranging impact since it was found, with many organizations still not updating their systems despite the publicity surrounding the bug. Veracode’s report indicates that Log4Shell remains a source of risk in roughly 1 out of 3 cases.