
Invaders Drop News: Ukrainian Arrests, Midnight Blizzard Breach UK, Nexera Crypto-heist, McLaren Health Care Attack, CoD BO6 Leak

Read time: under 5 minutes

Welcome back, Invaders

A ransomware attack killed a cow, a denial-of-service attack took down 911 services, and Ireland launched its National Cyber Emergency Plan. LoanDepot has disclosed hefty ransomware losses. Meanwhile, a new macOS infostealer is in the wild and a bill to treat ransomware as terrorism is in the works. Coincidence? We consider it a sign of the times!

Today’s Insights

  • Ransomware attack kills cow

  • LoanDepot ransomware losses

  • Cyberattack takes down 911 service

  • Ireland's National Cyber Emergency Plan

  • Ransomware as Terrorism Bill

  • New macOS Infostealer

Get the latest cyber news with the Invaders Drop news podcast, brought to you by Invaders Cybersecurity! Listen to our easy-to-understand audio updates: just search for "Invaders Drop news" on your podcast app, subscribe now and stay in the loop!

Cyber Criminal Chronicles

Abuse of ScreenConnect: Proofpoint has observed more malware campaigns that gain initial access through ScreenConnect, a legitimate remote access tool. Because the software itself is not malware, it often goes unflagged, which is exactly why attackers use it to get onto systems without authorization. The abuse is similar to activity previously attributed to threat actors such as TA450. Infosec.exchange Thread

Ukrainian Police Arrest Instagram Hackers: In March 2024, Ukraine's cyber police arrested three people for brute-forcing their way into Instagram accounts. The suspects sold the stolen account credentials on the dark web. In raids across several towns and regions, police seized more than 70 computers, 14 phones, bank cards, and more than $3,000 in cash. Report from the Cyber Police

Chinese scam gang caught: Four Chinese nationals were arrested in the U.S. for their roles in a tech-support scam scheme that targeted elderly Americans. The group used spam emails, pop-up ads, and phone calls to get victims to call fake call centers based in India, then used remote desktop software to get onto the victims' computers and run a variety of scams. They took more than $27 million from at least 2,000 victims and used some of the proceeds to pay others involved; the money was moved to India using cryptocurrency. A fifth suspect remains at large. Justice.gov

Security Breach Trends


Midnight Blizzard Breach UK Government: The Russian espionage group Midnight Blizzard, known for its breach of Microsoft last year, has reportedly infiltrated UK government email systems, with a particular focus on the Home Office. The attackers used the access they gained at Microsoft to get into these systems and exfiltrate internal emails and other data. The breach is part of a broader campaign in which Midnight Blizzard is said to have taken data on security vulnerabilities reported to Microsoft over several decades. Security researcher Kevin Beaumont reported that Microsoft did not detect the intrusion until January 2024, and that the Microsoft compromise was more extensive than originally disclosed, with indications that vulnerability data was taken. Curiously, Beaumont's LinkedIn profile was banned shortly after he published these details. The Record Report

Nexera crypto-heist: An attacker stole $1.8 million in tokens from the Nexera cryptocurrency network by exploiting a flaw in its smart contract. The attacker, who has been linked to earlier high-profile crypto thefts, including the $11 million OKX theft, now holds 32.5 million NXRA tokens. After the breach, Nexera paused the smart contract and suspended trading on decentralized exchanges, and the token's value fell by 40%. The project is cooperating with law enforcement and has asked centralized exchanges to halt trading. CoinDesk Report

Attack on McLaren Health Care: At least 13 hospitals and clinics run by McLaren Health Care across Michigan have been hit by a cyberattack. It follows a ransomware attack in September 2023 that exposed the data of 2.1 million people. The American Hospital Association's warning about a rise in attacks that disrupt patient care drew attention to the new incident, which coincided with a threat from the attackers demanding a $1.4 million payment by August 14. The attack shows that healthcare still has a long way to go on security. The Record Report

Ransomware attack kills cow: A cow on a Swiss farm died after ransomware hit the farmer's computer. With the system locked, the farmer could not access the health alerts from the milking robot, and the animal died. The attackers demanded $10,000 to decrypt the data. The incident shows how physical the consequences of a cyberattack on a farm can be. Agrarheute Report

LoanDepot ransomware losses: LoanDepot has disclosed nearly $27 million in losses linked to a ransomware attack in January 2024. The breach affected approximately 17 million customers, with compromised data including Social Security numbers, financial account details, names, dates of birth, email and postal addresses, and phone numbers. The figure covers recovery efforts and customer compensation. LoanDepot's attack is part of a troubling trend, with similar incidents hitting other major US mortgage and title insurance providers such as Mr. Cooper, Fidelity National Financial, and First American Financial. The company detailed the losses and the breach in a filing with the SEC, which lays out the scale of the attack and its impact on operations and customer data. SEC Filing

Cyberattack takes down 911 service: On Sunday, a cyberattack caused a significant disruption in 911 emergency services across central Texas, impacting multiple cities including Austin, Burnet, and Marble Falls. The attack involved an intentional denial of service that overloaded the 911 phone lines, forcing calls to be rerouted through other call centers. The affected systems, managed by the Capital Area Council of Governments (CAPCOG), experienced technical difficulties but emergency calls were still managed via alternative numbers. The incident highlights vulnerabilities in critical infrastructure and has led to increased scrutiny of cybersecurity measures for emergency services. FOX7News Report

Tech Trends & Privacy Protocols

Update on CISA CVE: The Cybersecurity and Infrastructure Security Agency (CISA) has updated its CVE Executive Summary, adding a new recommended action and revising an existing one, to give clearer guidance on dealing with vulnerabilities. Details

CoD BO6 leaks: An alpha build of Activision's upcoming Call of Duty title, Black Ops 6 Gulf War, has leaked online, ahead of the game's public beta expected at the end of August. X Thread

Chrome Blocks 0.0.0.0: Google Chrome will soon stop public websites from connecting to the IP address 0.0.0.0, which on Linux and macOS is routed to services listening on the local machine. Chrome's Private Network Access protections already restrict requests from public sites to localhost and 127.0.0.1, but 0.0.0.0 was not covered, leaving a loophole that malware and IoT botnets have abused to reach local services. The change is planned for Chrome 133, expected around January. Chrome

Policy & Governance Perspectives


Ireland's National Cyber Emergency Plan: Ireland's cybersecurity body has released the country's first National Cyber Emergency Plan. It draws on the 2021 ransomware attack on the national health service and the cyber incidents that followed, and combines lessons learned from the public and private sectors to improve the country's ability to handle cyber emergencies. Full Plan PDF

Ransomware as Terrorism Bill: Senator Mark Warner (D-VA) is sponsoring a bill that would treat ransomware attacks as a form of terrorism. The measure is meant to give intelligence agencies more authority to go after ransomware gangs and make it easier to sanction countries that harbor them. CyberScoop

Threat Intelligence Reports


New macOS Infostealer: Kandji has detailed a new macOS infostealer whose Swift dropper uses SwiftUI and the OpenDirectory API to harvest passwords. Rather than prompting for credentials through osascript dialogs, the technique most macOS stealers use and that many detections key on, it presents its own SwiftUI prompt and checks the entered password against the OpenDirectory API. The second stage consists of malicious bash scripts fetched from a command-and-control server. Kandji Report

CMoon Worm: A new Windows worm, CMoon, has emerged in Russia, spreading through malicious documents on local websites. Discovered in late July, CMoon can steal data, install further malware, and launch DDoS attacks. It propagates by replacing legitimate document links on compromised websites with links to executable files. Written in .NET, the worm has sophisticated features, including USB drive infection and remote command execution. It targets specific Russian sites and has been linked to a broader range of cyberattacks. Kaspersky Report

Bad Add-ons for Browsers: ReasonLabs has found a cluster of websites offering free software that installs malicious browser extensions. People searching for Windows utilities, video players, or game tools are the likely victims. The extensions can alter search results, show unwanted ads, and steal personal information. Over 300,000 users were affected by the malicious extensions, which were available in both the Google Chrome and Microsoft Edge stores; some have been taken down since being reported. Reason Labs Full Report

Vulnerability Disclosure Digest


Samsung Bug Bounty Pay: Since launching its bug bounty program in 2017, Samsung has paid out almost $5 million to security researchers. In 2023 alone it awarded more than $827,000, with $57,000 as the largest single payment. This year Samsung wants to raise the rewards, especially for high-quality reports, and has already raised the top prize to $1 million for reports demonstrating remote code execution in the Knox Vault security feature. (Blog from Samsung Security)

Bug Bounty Program at Microsoft: Through its official bug bounty program, Microsoft has awarded $16.6 million to 343 security researchers from 55 countries. In the past year, the largest award to a single researcher was $200,000. Microsoft blog post.

Mailcow email server vulnerability: Security researcher Mayor Patrik has published a proof-of-concept (PoC) for a serious flaw in Mailcow (CVE-2024-41958) that lets an attacker bypass two-factor authentication (2FA) on accounts that have it enabled, gaining access that 2FA was supposed to prevent.

The Dark Skippy Attack: Security researchers have published a new method, dubbed Dark Skippy, for extracting the seed from a hardware bitcoin wallet. Malicious firmware on the device encodes seed material in the nonces of the signatures it produces; an attacker who sees the signed transactions recovers those low-entropy nonces with a Pollard's kangaroo search and reconstructs the seed. Notably, Dark Skippy needs only two signatures to leak the seed. The signatures are valid and look normal, which makes the attack hard to spot, but it does require the wallet to already be running malicious firmware. It shows that a hardware wallet's security rests on its firmware supply chain as much as on its secure element. (Dark Skippy Official Site)

Advanced Cyber Threats


New APT Actor240524 Found: NSFOCUS researchers have identified a new APT group, dubbed Actor240524, believed to be conducting espionage against Azerbaijan and Israel. The group was detected on July 1, 2024, through NSFOCUS's Global Threat Hunting System, which revealed an attack campaign aimed at Azerbaijani and Israeli diplomats. Actor240524 uses spear-phishing emails to deploy two new Trojans, named ABCloader and ABCsync. Because the techniques, vectors, and tools observed do not match any known APT group, the researchers attribute the activity to a new threat actor. (NSFOCUS Global Research)

MuddyWater IDF Campaign: The Iranian APT group MuddyWater has launched a phishing campaign against Israelis in which it impersonates the Israel Defense Forces (IDF). On August 4, 2024, emails went out warning of an imminent Iranian military attack and urging recipients to click a malicious link for "citizen safety" tips. The campaign plays on public fear after the July 31 killing of Hamas leader Ismail Haniyeh in Tehran, and its tactics and infrastructure match MuddyWater, which is linked to Iran's Ministry of Intelligence and Security (MOIS). (FDD Analysis)

Kimsuky University Attack Campaign: The North Korea-linked threat actor Kimsuky, also tracked as APT43, ARCHIPELAGO, Black Banshee, Emerald Sleet, Springtail, and Velvet Chollima, has been identified as the group behind a recent campaign targeting university staff, researchers, and professors. The campaign, which came to light in late July 2024, is believed to be aimed at intelligence gathering; it became public after the security firm Resilience spotted an operational security mistake by the attackers. Kimsuky is part of North Korea's broader cyber operations for collecting sensitive information. (Cyber Resilience Report)

Thanks for reading.

Until next time!

Lucas Invaders-labs

p.s. If you liked this newsletter, consider sharing it with your friends and colleagues here.