Invaders Drop News: Hacker Claims to Have Stolen Classified Data from HSBC & Barclays

More News:

  • HSBC and Barclays suffered a data breach in April 2024, exposing sensitive data including database files, cert files, source code, and more.

  • Russian hackers breached a UK news site, publishing a fake story to spread disinformation.

    Cybercrime and Threat Intel

  • Pro-Russia hackers targeted Kosovo government websites with DDoS attacks in retaliation for support to Ukraine.

  • Cyber-criminals are using SIM swap attacks to steal one-time passcodes and raid bank accounts.

    Malware Technical Reports

  • Kinsing Botnet targets open-source apps, deploying cryptominer.

  • New Crypto-Mining Botnet targets Windows systems.

    Advanced Cyber Threats

  • Lazarus APT-Q-1 targets blockchain experts on LinkedIn, Upwork, and Braintrust with malicious ZIP files.

  • North Korean APT group Kimsuky targets users in Japan and South Korea using Facebook Messenger messages.

Get the latest cyber news with the Invaders Drop news podcast, brought to you by Invaders Cybersecurity! Listen to our easy-to-understand audio updates: just search for "Invaders Drop news" in your podcast app. Subscribe now and stay in the loop!

In April 2024, a direct contractor of HSBC and Barclays was breached, exposing sensitive data from both banks. The attackers, known as @IntelBroker and @Sanggiero, gained access to a treasure trove of compromised data, including:

  • Database files

  • Cert files

  • Source code

  • SQL files

  • JSON config files

  • Compiled Jar files

The breach also involved the theft of several large CSV files, including:

  • notary_request_2024.csv (512K lines)

  • ledger_summary_2024.csv (241K lines)

  • transaction_2024.csv (1 million lines)

  • notification_2024.csv (501K lines)

This is a significant breach, and we'll be keeping a close eye on the situation. We'll provide updates as more information becomes available.

Stay vigilant and stay informed! If you have any questions or concerns about this incident or any other cybersecurity-related topics, feel free to reach out to us.

Russian Hackers Breach UK News Site: According to reports, the hackers breached the news site's systems and published a fake story that was designed to spread disinformation. The good news is that the site quickly removed the story and alerted its readers to the breach. Want to learn more about this incident? Check out the full story from the Manchester Evening News:

Malicious Go Binary Delivered via Steganography in PyPI: Phylum was alerted to a suspicious publication on PyPI. The package in question, called "requests-darwin-lite," appeared to be a harmless fork of the popular "requests" library. However, Phylum's analysis revealed that it contained a malicious Go binary, cleverly hidden within a large version of the actual "requests" sidebar PNG logo.
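The page does not say how the binary was embedded, so the following is an added example (not Phylum's or the package's code) of a defender's PNG triage check for one common embedding method: payload bytes stapled on after the IEND chunk. It also verifies every chunk CRC and reports the largest chunk, so an oversized logo can be accounted for byte by byte; the sample PNG and the fake payload are constructed inside the block.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Magic bytes of native executables a dropper might stash in an image (ELF, PE, Mach-O).
EXEC_MAGICS = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xca\xfe\xba\xbe")


def png_chunks(data: bytes):
    """Walk the chunk list up to IEND. Returns ([(type, length, crc_ok)], end_offset)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos, chunks = len(PNG_SIG), []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        crc_ok = struct.unpack(">I", crc)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype.decode("latin-1"), length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("no IEND chunk found")


def triage_png(data: bytes) -> dict:
    """Summarise what a defender wants to know about a suspiciously large PNG."""
    chunks, end = png_chunks(data)
    trailing = data[end:]
    return {
        "image_bytes": end,                      # bytes a decoder actually consumes
        "trailing_bytes": len(trailing),         # anything past IEND is not image data
        "trailing_is_executable": trailing.startswith(EXEC_MAGICS),
        "bad_crc_chunks": [t for t, _, ok in chunks if not ok],
        "largest_chunk": max(chunks, key=lambda c: c[1])[:2],
    }

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)

def make_sample_png() -> bytes:
    """Constructed 1x1 grayscale PNG used only as test input (not a real logo)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

# Constructed samples: a clean PNG, and the same PNG with a fake Mach-O header stapled on.
CLEAN_PNG = make_sample_png()
STUFFED_PNG = CLEAN_PNG + b"\xcf\xfa\xed\xfe" + b"\x00" * 4096
```

A real dropper may instead read the payload from an offset inside a legitimate chunk, so a clean trailing-bytes count alone does not clear a file; the per-chunk sizes are there to make that case visible too.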

Cybercrime and Threat Intel

Pro-Russia Hackers Target Kosovo Government Websites: Pro-Russia hackers targeted government websites in Kosovo with DDoS attacks, retaliating for support to Ukraine! Defense Minister Ejup Maqedonci claimed that Russian hackers launched a cyberattack against Kosovo in retaliation for his statement supporting Ukraine at the Defence 24 conference in Poland.

Cyber-criminals are using SIM swap attacks to steal one-time passcodes and raid bank accounts: According to a recent TechCrunch report, cyber-criminals are targeting victims with a phone call that claims to be from a security team. The victims are then asked to enter a six-digit security code that has been sent to their mobile device. But what the victims don't know is that the scammers already have their phone number and can easily intercept the code. Once the code is entered, the scammers have full access to the victim's online accounts, including bank accounts.

GoTo Meeting Loads Remcos RAT via Rust Shellcode Loader: According to G Data, recent malware loaders abuse GoTo Meeting to deploy Remcos RAT. Lures include porn downloads, software setup files, and tax forms, with file names in Russian and English.

Malware Technical Reports

Kinsing Botnet Targets Open-Source Apps, Deploys Cryptominer: A botnet named Kinsing is exploiting vulnerabilities in over 75 different applications to breach systems and deploy a cryptominer. Alert: 90% of the targets are open-source applications! According to Aqua Security, the botnet has been active since 2019, receiving updates almost on a weekly basis.

New Crypto-Mining Botnet Targets Windows Systems: Antiy researchers have discovered a new crypto-mining botnet named HiddenShovel. The malware was first seen in November 2023, targeting Windows systems.

Wormhole Ransomware Fears: Chinese End-Users Targeted with Bitcoin Demands: It seems that Chinese end-users are being targeted with the Wormhole ransomware, and the attackers are demanding a hefty ransom in bitcoin. According to the report, users are typically asked to pay 0.04 bitcoin, which translates to around $2,500, to unlock their files. This is a significant amount, and we urge all our readers to be cautious when using Swiss wing software, as it's vulnerable to SQL injection attacks.

Rhysida Ransomware: Creepy Crawling Criminal Hiding in the Dark: Barracuda's security team has posted a report on the Rhysida ransomware gang and its operations. Stay vigilant and report any suspicious activity to your IT team. 👀

Advanced Cyber Threats

Lazarus APT-Q-1 Targets Blockchain Experts on LinkedIn, Upwork, and Braintrust: The campaign involves malicious ZIP files being sent to victims, which can compromise their systems and steal sensitive information. According to a report by Chinese security firm QiAnXin, the attackers are using social engineering tactics to trick their targets into opening the malicious files.

North Korean APT Group Targets Japan and South Korea: Genians says North Korean APT group Kimsuky is targeting users in Japan and South Korea using Facebook Messenger messages. Victims are sent malicious files, with the final payload being the ReconShark malware. To stay safe, be cautious when receiving files from unknown sources on Facebook Messenger.

MuddyWater's Sneaky Tactics: Iranian APT Group Exploits Residential Proxies: Obsidian reveals that Iranian APT group MuddyWater is increasingly adopting residential proxy IPs to hide its operations. The group relies on residential proxies when accessing previously phished accounts, using a residential IP from a victim's local area to bypass enterprise geofenced access policies and access the account without triggering security alerts.

Vulnerability Disclosure Digest

Critical Vulnerabilities in Cinterion Cellular Modems: Kaspersky researchers have found critical vulnerabilities in Cinterion cellular modems, allowing threat actors to take over modems using a malicious SMS message. Telit Cinterion cellular modems are typically embedded in industrial and IoT equipment to allow remote management. To stay safe, ensure your modems are updated with the latest firmware patches.

PDF.js Vulnerability Fixed: Mozilla Patches Threat Actor Exploit: Mozilla has fixed a bug (CVE-2024-4367) in the PDF.js web-based PDF viewer that could have allowed threat actors to execute malicious code via the app's font loader. Update your PDF.js version to stay safe from this vulnerability.

NextJS SSRF Bug: JavaScript Framework Vulnerable to Server-Side Request Forgery: Assetnote security firm has found an SSRF vulnerability in the NextJS JavaScript framework. Be cautious when using NextJS and make sure to keep it up to date with the latest security patches.