Newsroom Sues NSO Group for Pegasus Spyware Compromise
Nearly two dozen journalists and other staffers working for El Faro, a digital newspaper based in El Salvador, are suing NSO Group for unleashing Pegasus spyware — malware they say was used to steal their most sensitive information, putting their safety in danger. Along with ASO Group Technologies, its Israeli parent company, Q Cyber Technologies…
Microsoft Links Prestige Ransomware Attacks to Russian State-Sponsored Hackers
Initially detailed in October, the Prestige ransomware has been used in attacks against transportation and related logistics organizations in Ukraine and Poland, with some of the victims previously infected with the destructive HermeticWiper malware (FoxBlade). At the time, Microsoft said that the attacks did not appear to be related to known ransomware campaigns, despite the…
Microsoft Patches MotW Zero-Day Exploited for Malware Delivery
Windows adds the MotW to files coming from untrusted locations, including browser downloads and email attachments. When trying to open files with the MotW, users are warned about the potential risks or, in the case of Office, macros are blocked to prevent malicious code execution. However, there are ways to bypass MotW defenses. Researcher Will…
Microsoft Scrambles to Thwart New Zero-Day Attacks
For the second consecutive month, the world’s largest software maker rushed out patches to cover vulnerabilities that were already exploited as zero-days in the wild, including a pair of belated fixes for Microsoft Exchange Server security defects targeted by a state-sponsored threat actor for several months. As part of its scheduled Patch Tuesday update process,…
Microsoft: China Flaw Disclosure Law Part of Zero-Day Exploit Surge
The world’s largest software maker is warning that China-based nation state threat actors are taking advantage of a one-year-old law to “stockpile” zero-days for use in sustained malware attacks. According to a new report released Friday by Microsoft, China’s government hacking groups have become “particularly proficient at discovering and developing zero-day exploits” after strict mandates…
CISA Tells Organizations to Patch Linux Kernel Vulnerability Exploited by Malware
The vulnerability is tracked as CVE-2021-3493 and it’s related to the OverlayFS file system implementation in the Linux kernel. It allows an unprivileged local user to gain root privileges, but it only appears to affect Ubuntu. CVE-2021-3493 has been exploited in the wild by a stealthy Linux malware named Shikitega, which researchers at AT&T Alien…
China’s Winnti Group Seen Targeting Governments in Sri Lanka, Hong Kong
Active since at least 2007 and also tracked as APT41, Barium, Blackfly, Double Dragon, Wicked Panda, and Wicked Spider, the Winnti Group is believed to be formed of multiple subgroups engaging in both cyberespionage and financially motivated operations. As part of a campaign ongoing since early August, the threat actor has been deploying various payloads…
New ‘Prestige’ Ransomware Targets Transportation Industry in Ukraine, Poland
Initially observed last week, the activity surrounding the new malware family, which labels itself Prestige, does not appear to be connected with any of the ransomware or threat groups that Microsoft currently tracks, and is currently referred to as DEV-0960. However, the tech giant warns of potential overlaps with previously observed Russian state-sponsored activity through…
Zoom for macOS Contains High-Risk Security Flaw
The vulnerability, which carries a CVSS severity score of 7.3/10, is documented as a debugging port misconfiguration that is opened by the Zoom client on macOS machines. Details from Zoom’s advisory: Zoom Client for Meetings for macOS (Standard and for IT Admin) starting with 5.10.6 and prior to 5.12.0 contains a debugging port misconfiguration. When…
Seven ‘Creepy’ Backdoors Used by Lebanese Cyberspy Group in Israel Attacks
Polonium was initially detailed by Microsoft in June 2022, but evidence suggests that the group has been active since at least September 2021, mainly focusing on cyberespionage. Operating out of Lebanon, the APT is believed to be working with threat actors affiliated with Iran in the targeting of more than 20 communications, engineering, insurance, information…
