In a new joint advisory, cybersecurity and intelligence agencies from the U.S. and other countries are urging users of Ubiquiti EdgeRouter to take protective measures, weeks after a botnet comprising infected routers was felled by law enforcement as part of an operation codenamed Dying Ember.
The botnet, named MooBot, is said to have been used by a Russia-linked threat actor known as

Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28's MooBot Threat

Two months ago, the FBI “disrupted” the BlackCat ransomware group. They're already back—and their latest attack is causing delays at pharmacies across the US.

Six days before Christmas, the US Department of Justice loudly announced a win in the ongoing fight against the scourge of ransomware: An FBI-led, international operation had targeted the notorious hacking group known as BlackCat or AlphV, releasing decryption keys to foil its ransom attempts against hundreds of victims and seizing the dark web sites it had used to threaten and extort them. “In disrupting the BlackCat ransomware group, the Justice Department has once again hacked the hackers,” deputy attorney general Lisa Monaco declared in a statement.

Two months and one week later, however, those hackers don't appear particularly “disrupted.” For the last seven days and counting, BlackCat has held hostage the medical firm Change Healthcare, crippling its software in hospitals and pharmacies across the United States, leading to delays in drug prescriptions for an untold number of patients.

The ongoing outage at Change Healthcare, first reported to be a BlackCat attack by Reuters, represents a particularly grim incident in the ransomware epidemic not just due to its severity, its length, and the potential toll on victims' health. Ransomware-tracking analysts say it also illustrates how even law enforcement's wins against ransomware groups appear to be increasingly short-lived, as the hackers that law enforcement target in carefully coordinated busts simply rebuild and restart their attacks with impunity.

“Because we can't arrest the core operators that are in Russia or in areas that are uncooperative with law enforcement, we can't stop them,” says Allan Liska, a ransomware-focused researcher for cybersecurity firm Recorded Future. Instead, Liska says, law enforcement often has had to settle for spending months or years arranging takedowns that target infrastructure or aid victims, but without laying hands on the attacks' perpetrators. “The threat actors just need to regroup, get drunk for a weekend, and then start right back up,” Liska says.

In another, more recent bust, the UK's National Crime Agency last week led a broad takedown effort against the notorious Lockbit ransomware group, hijacking its infrastructure, seizing many of its cryptocurrency wallets, taking down its dark web sites, and even obtaining information about its operators and partners. Yet less than a week later, Lockbit has already launched a fresh dark web site where it continues to extort its victims, showing countdown timers for each one that indicate the remaining days or hours before it dumps their stolen data online.

None of that means law enforcement's BlackCat or Lockbit operations haven't had some effect. BlackCat listed 28 victims on its dark web site for February so far, a significant drop from the 60-plus Recorded Future counted on its site in December prior to the FBI's takedown. (Change Healthcare isn't currently listed among BlackCat's current victims on its site, though the hackers reportedly took credit for the attack, according to ransomware-tracking site Breaches.net. Change Healthcare also didn't respond to WIRED's request for comment on the cyberattack.)

Lockbit, for its part, may be hiding the extent of its disruption behind the bluster of its new leak site, argues Brett Callow, a ransomware analyst at security firm Emsisoft. He says that the group is likely downplaying last week's bust in part to avoid losing the trust of its affiliate partners, the hackers who penetrate victim networks on Lockbit's behalf and might be spooked by the possibility that Lockbit has been compromised by law enforcement.

Nonetheless, Callow says, ransomware actors “do seem to be bouncing back faster.” That's only to be expected, he argues, when the hackers aren't in custody and the money to be made provides the resources and the incentive to simply get back to work, even after seizures or disruptions. In 2023, he notes, cryptocurrency tracing firm Chainalysis pegged total ransoms paid by victims at a record-breaking $1.1 billion. “It's inevitable that groups are going to try harder to maintain their share of that massively profitable industry,” Callow says.

When the FBI targeted BlackCat in December, for instance, the group immediately posted on a newly launched dark web site a message to its partners, promising a higher rate of payment and removing all restrictions on potential victims, other than those in the former Soviet Union, a typical rule for Russia-based cybercriminals. The message suggested its affiliate hackers could now target “hospitals, nuclear power plants, anything and anywhere.” (In fact, the rule change was at least in part a scare tactic, says Recorded Future's Liska—BlackCat had targeted hospitals before.)

Ransomware groups' quick recoveries from recent law enforcement operations contrast with earlier cases when actual arrests were made—almost always arrests of ransomware group members or partners outside of Russia. Those cases, like the arrest of a suspect in Florida who was allegedly associated with the Scattered Spider group that targeted MGM Casinos last year, had far more permanent effects.

Even some past takedowns that _didn't_ include arrests, however, have put longer-lasting dents in the ransomware economy. The FBI's hijacking of infrastructure belonging to the Hive ransomware group early last year led to a nearly year-long disappearance of the group before it resurfaced under the name Hunters International, says Jackie Burns Koven, Chainalysis's head of cyber threat intelligence. Chainalysis estimates the Hive operation averted more than $210 million in total ransoms paid.

Ransomware groups may be rebuilding faster over time in part due to the increasing sophistication of the ransomware economy, Burns Koven says. Hackers who have been targeted in disruption operations can now quickly purchase access to malware or other tools, crime-friendly hosting providers, or even buy their way into breached organizations from other hackers who act as “access brokers.” But Burns Koven also notes that law enforcement operations help to degrade that economy by creating divisions between hackers. In the wake of the Lockbit takedown, for instance, the cybercriminal marketplace Breached Forum banned the sale of ransomware tools and services in an apparent attempt to avoid law enforcement's scrutiny. “What these operations do is degrade trust among members and cause operational friction,” she says.

All of that suggests that law enforcement disruption campaigns serve a purpose. But they won't solve the ransomware problem on their own, argues Emsisoft's Callow. The larger solution, he says, will have to include improved security for potential victim organizations, sanctions on ransomware actors and those associated with them, tighter regulations on cryptocurrency, and perhaps even laws banning ransomware payments—a controversial proposal.

“Disruption efforts alone aren’t likely to represent a solution to the ransomware problem. Rather, they need to be part of a multi-pronged strategy,” says Callow. “Tightening the screws on every single bit of the ransomware ecosystem.”

Change Healthcare Ransomware Attack: BlackCat Hackers Quickly Returned After FBI Bust

By Waqas
macOS users watch out for the new variant aiming at your crypto funds!
This is a post from HackRead.com Read the original post: New Variant of AMOS Stealer Targets Safari Cookies and Crypto Wallets

The new Atomic variant uses Python and Apple Script code to target browser and system files, obtain user account passwords, and identify sandbox or emulator execution.

Bitdefender researchers have discovered a new variant of the AMOS Stealer (or Atomic Stealer), one of the most prevalent threats for macOS users in the last year. According to Bitdefender, the new variant was discovered while revisiting old or new malware samples to improve detection capabilities for macOS cyber-security products.

When researchers isolated several suspicious macOS disk image files, which were surprisingly small for their size (1.3 MB), they became suspicious of the emergence of a new variant of the AMOS Stealer.

Screenshot from VirusTotal (Bitdefender)

The new variant combines functionalities of numerous malware families, including information stealers, keyloggers, and cryptocurrency mining tools, allowing it to steal sensitive data while its advanced stealth makes it harder for users to identify/remove the infection.

Further probing revealed that this variant shares similarities with the second variant of RustDoor. “Both seem to focus on collecting sensitive files from the victim’s computer, with the current one being a more developed version of the script used by RustDoor,” researchers noted.

However, the new variant has additional features. It collects the Cookies.binarycookies file, which stores Safari browser cookies, obtains files with targeted extensions from specific locations and uses the system\_profiler utility to gather information about the compromised computer. 

The attackers aim to obtain hardware-related details, operating system versions and connected displays and graphic cards. They add sensitive information to the archive, including passwords, encryption keys, and certificates, indicating their growing interest in cryptocurrency platforms.

This version has an unusual technique of combining Python with Apple Scripting where the filegrabber() function executes a large block of Apple script using the osascript -e command. DMG files contain FAT binary and Mach-O files for Intel and ARM architectures, used by threat actors to steal data.

When opened, as noted by researchers in a blog post, the Crack Installer application prompts the user to open the file. The Python script collects sensitive data from multiple sources, including crypto-wallet extensions, browser data, and user account passwords.

The Chromium () function collects files from targeted Chromium-based browsers, including web data, login data, and cookies. It also targets cryptocurrency browser extensions and Mach-O binaries. The parseFF() function targets Firefox and collects files associated with all profiles.

Moreover, the script targets installed crypto wallets like Electrum, Coinomi, Exodus or Atomic. The collected data is stored in a ZIP archive, which is sent to a C2 server using a POST request. The archive structure is confirmed by the C2 server.

The variant is largely undetected at the moment. Bitdefender has released Indicators of Compromise to help organizations and practitioners detect and mitigate this threat.

1.  **BlueNoroff APT Targeting macOS with ObjCShellz Malware**
2.  **Lazarus Group uses KandyKorn macOS malware for crypto theft**
3.  **Cracked macOS Software Laced with New Trojan Proxy Malware**
4.  **New macOS Backdoor Steals Data, Linked to Ransomware Gangs**
5.  **New Malware Turns Windows and macOS Devices into Proxy Nodes**

New Variant of AMOS Stealer Targets Safari Cookies and Crypto Wallets

Subrion CMS 4.2.1 is vulnerable to Cross Site Scripting (XSS) via adminer.php.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-25399

**Subrion CMS vulnerable to Cross Site Scripting**

Moderate severity GitHub Reviewed Published Feb 27, 2024 to the GitHub Advisory Database • Updated Feb 27, 2024

**Package**

composer intelliants/subrion (Composer)

**Affected versions**

<= 4.2.1

**Description**

Published to the GitHub Advisory Database

Feb 27, 2024

Last updated

Feb 27, 2024

GHSA-q4qh-8pxw-r48q: Subrion CMS vulnerable to Cross Site Scripting 

Talos has observed a phishing spam campaign targeting potential victims in Mexico, luring users to download a new obfuscated information stealer we’re calling TimbreStealer, which has been active since at least November 2023.

TimbreStealer campaign targets Mexican users with financial lures

Meet the guy who taught US intelligence agencies how to make the most of the ad tech ecosystem, "the largest information-gathering enterprise ever conceived by man."

How the Pentagon Learned to Use Targeted Ads to Find Its Targets—and Vladimir Putin

Processing alerts quickly and efficiently is the cornerstone of a Security Operations Center (SOC) professional's role. Threat intelligence platforms can significantly enhance their ability to do so. Let's find out what these platforms are and how they can empower analysts.
The Challenge: Alert Overload
The modern SOC faces a relentless barrage of security alerts generated by SIEMs and EDRs.

From Alert to Action: How to Speed Up Your SOC Investigations

The German BSI has published its 2023 state of IT security report which names identity theft as the main threat for consumers.

The German Federal Office for Information Security (BSI) has published a report on The State of IT Security in Germany in 2023, and the number one threat for consumers is… identity theft.

The thing is, you can protect your devices and your online privacy as much as possible, but what happens when some organization which you have trusted with your personal information gets breached?

The report states:

> “For consumers, the issue of data leaks was prominent in the reporting period (2023). In many cases, these were related to ransomware attacks, in which cybercriminals exfiltrated large amounts of data from organizations in order to later threaten to publish it unless a ransom or hush money was paid.“

In addition to data breaches, there is the danger of information stealers that allow cybercriminals to obtain various types of personal data, such as login details for various online services, and financial information. The stolen data may also include website cookies and biometric data that can be used by criminals to defraud the victim.

Cybercriminals are also getting better at using these data. For example, the report mentions that on one of the largest underground marketplaces for identity data, cybercriminals offered interested parties a browser plug-in that made it possible to import stolen credentials directly into the web browser, allowing criminals to assume the victim’s digital identity with just a few clicks.

We’ve previously talked about the dangers of data brokers that, by trading and buying, are accumulating massive troves of personal data. Now, with the mass availability of Artificial Intelligence tools, it becomes so much easier to correlate all these data sets and piece together a complete profile of everyone affected.

As you can see, it’s usually not the victim’s fault that their data become available to cybercriminals. In many cases, there isn’t even that much that they could have done about it. Some services simply are not available in the offline world anymore, and we have no choice than to trust an organization with our information.

So, all we can do is make sure we come prepared to act when a data breach affects us, and keep an eye on how much we share and how much others will be able to find out about us.

**What to do in the event of a data breach**

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA).** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Set up identity monitoring.** Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

If you want to find out how much of your own data is currently exposed online, you can try our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

 Identity theft is number one threat for consumers, says report 

Cybersecurity and intelligence agencies from the Five Eyes nations have released a joint advisory detailing the evolving tactics of the Russian state-sponsored threat actor known as APT29.
The hacking outfit, also known as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes, is assessed to be affiliated with the Foreign Intelligence Service (SVR) of the

Five Eyes Agencies Expose APT29's Evolving Cloud Attack Tactics

This week on the Lock and Code podcast, we speak with Joseph Cox about how an OnlyFake-generated fake ID fooled a cryptocurrency exchange.

_This week on the Lock and Code podcast…_

For decades, fake IDs had roughly three purposes: Buying booze before legally allowed, getting into age-restricted clubs, and, we can only assume, completing nation-state spycraft for embedded informants and double agents.

In 2024, that’s changed, as the uses for fake IDs have become enmeshed with the internet.

Want to sign up for a cryptocurrency exchange where you’ll use traditional funds to purchase and exchange digital currency? You’ll likely need to submit a _photo_ of your real ID so that the cryptocurrency platform can ensure you’re a real user. What about if you want to watch porn online in the US state of Louisiana? It’s a niche example, but because of a law passed in 2022, you will likely need to submit, again, a _photo_ of your state driver’s license to a separate ID verification mobile app that then connects with porn sites to authorize your request.

The discrepancies in these end-uses are stark; cryptocurrency and porn don’t have too much in common with Red Bull vodkas and, to pick just one example, a Guatemalan coup. But there’s something else happening here that reveals the subtle differences between yesteryear’s fake IDs and today’s, which is that modern ID verification doesn’t need a physical ID card or passport to work—it can sometimes function only with an _image_.

Last month, the technology reporting outfit 404 Media investigated an online service called OnlyFake that claimed to use artificial intelligence to pump out _images_ of fake IDs. By filling out some bogus personal information, like a made-up birthdate, height, and weight, OnlyFake would provide convincing images of real forms of ID, be they driver’s licenses in California or passports from the US, the UK, Mexico, Canada, Japan, and more. Those images, in turn, could then be used to fraudulently pass identification checks on certain websites.

When 404 Media co-founder and reporter Joseph Cox learned about OnlyFake, he tested whether an image of a fake passport he generated could be used to authenticate his identity with an online cryptocurrency exchange.

In short, it did.

By creating a fraudulent British passport through OnlyFake, Joseph Cox—or as his fake ID said, “David Creeks”—managed to verify his false identity when creating an account with the cryptocurrency market OKX.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Cox about the believability of his fake IDs, the AI claims and limitations of OnlyFake, what’s in store for the future of the site— which went dark after Cox’s report—and what other types of fraud are now dangerously within reach for countless threat actors.

> Making fake IDs, even photos of fake IDs, is a very particular skill set—it’s like a trade in the criminal underground. You don’t need that anymore.
> 
> Joseph Cox, 404 Media co-founder

Tune in today to listen to the full conversation.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.**

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Tag

#intel