Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Justice Department Seizes Four Web Domains Used to Create Over 40,000 Spoofed Websites and Store the Personal Information of More Than a Million Victims

Source: Office of Public Affairs

According to court records, the United States obtained authorization to seize the domains as part of an investigation of the spoofing service operated through the Lab-host.ru domain (LabHost), which resolves to a Russian internet infrastructure company. Read more.

Akira takes in $42 million in ransom payments, now targets Linux servers

Source: SC Media

CISA said the advisory’s main goal was to help organizations mitigate these attacks by disseminating known Akira ransomware tactics, techniques and procedures, as well as indicators of compromise identified through FBI investigations as recent as February 2024. Read more.

Large-scale brute-force activity targeting VPNs, SSH services with commonly used login credentials


Depending on the target environment, successful attacks of this type may lead to unauthorized network access, account lockouts, or denial-of-service conditions. The traffic related to these attacks has increased with time and is likely to continue to rise. Read more.
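The activity described above leaves a very recognisable trail in SSH authentication logs: many failed logins from one source in a short window, often across a list of common usernames, sometimes followed by an accepted login. The following is an added example (not code from the cited report) of a small detector run over constructed sshd syslog lines; the log format is standard OpenSSH wording, but the hostnames, addresses and timestamps are made up, and the year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd (syslog-style) lines for this example; not real traffic.
# 203.0.113.5 sprays common usernames and then lands a login; the other two
# sources are ordinary users who mistyped a password.
SAMPLE_LOG = """\
Apr 17 10:01:05 vpn-gw sshd[2310]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Apr 17 10:01:07 vpn-gw sshd[2311]: Failed password for root from 203.0.113.5 port 40130 ssh2
Apr 17 10:01:09 vpn-gw sshd[2312]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Apr 17 10:01:12 vpn-gw sshd[2313]: Failed password for invalid user guest from 203.0.113.5 port 40150 ssh2
Apr 17 10:01:14 vpn-gw sshd[2314]: Failed password for invalid user oracle from 203.0.113.5 port 40162 ssh2
Apr 17 10:01:16 vpn-gw sshd[2315]: Failed password for invalid user admin from 203.0.113.5 port 40170 ssh2
Apr 17 10:01:20 vpn-gw sshd[2316]: Accepted password for backup from 203.0.113.5 port 40181 ssh2
Apr 17 10:02:00 vpn-gw sshd[2320]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Apr 17 10:02:04 vpn-gw sshd[2321]: Accepted password for alice from 198.51.100.7 port 51001 ssh2
Apr 17 10:05:00 vpn-gw sshd[2330]: Failed password for bob from 192.0.2.9 port 60000 ssh2
Apr 17 10:09:00 vpn-gw sshd[2331]: Failed password for bob from 192.0.2.9 port 60001 ssh2
Apr 17 10:14:00 vpn-gw sshd[2332]: Failed password for bob from 192.0.2.9 port 60002 ssh2
Apr 17 10:14:30 vpn-gw sshd[2332]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
"""

# Matches the "Failed/Accepted password" lines; other sshd messages are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_syslog_ts(ts: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; the caller supplies one (assumed 2024 here)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> dict:
    """Flag sources with >= threshold failed logins inside a sliding time window.

    Returns {ip: {"failures": peak in-window failure count,
                  "distinct_users": usernames tried by that source,
                  "success_after_failures": an Accepted login followed the spray}}
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((parse_syslog_ts(m["ts"]), m["result"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])  # syslog is usually ordered, but don't rely on it

    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> every username that source has tried
    flagged = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            recent[ip].append(ts)
            users[ip].add(user)
            while ts - recent[ip][0] > window:   # expire failures older than the window
                recent[ip].popleft()
            if len(recent[ip]) >= threshold:
                entry = flagged.setdefault(ip, {"failures": 0, "success_after_failures": False})
                entry["failures"] = max(entry["failures"], len(recent[ip]))
        elif ip in flagged:
            # A successful login from a source already spraying credentials is the
            # case that matters most: likely a compromised account, not lockout noise.
            flagged[ip]["success_after_failures"] = True

    return {ip: {**entry, "distinct_users": len(users[ip])} for ip, entry in flagged.items()}


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The thresholds are deliberately parameters: a VPN concentrator with thousands of users needs a higher failure count than a bastion host, and lowering the window makes the detector blind to slow, distributed attempts, which is exactly the trade-off the "account lockouts or denial-of-service" outcomes on this page describe. Sources that hit the threshold without a subsequent success are still worth blocking, since they are the ones generating lockouts.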

United Nations agency investigates ransomware attack, data theft


While the UN agency has yet to link the attack to a specific threat group, the 8Base ransomware gang added a new UNDP entry to its dark web data leak website on March 27. The attackers say that the documents their operators managed to exfiltrate during the breach contain large amounts of sensitive information. Read more.

Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack

Source: The Hacker News

The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as “intricate” and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software. Read more.

Malvertising campaign targeting IT teams with MadMxShell

Source: Zscaler

The newly discovered backdoor uses several techniques such as multiple stages of DLL sideloading, abusing the DNS protocol for communicating with the command-and-control (C2) server, and evading memory forensics security solutions. We named this backdoor “MadMxShell” for its use of DNS MX queries for C2 communication and its very short interval between C2 requests. Read more.
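Two of the traits Zscaler names, MX queries as the C2 channel and a very short interval between requests, are visible in resolver logs even when the payload inside the queries is opaque. The following is an added example (not Zscaler's code, and not the real MadMxShell indicators) of a cadence heuristic run over a constructed DNS query log: the record layout, the client addresses and the placeholder domain c2-example.invalid are all assumptions for the example, and a production version would read the actual resolver's log format and use a public-suffix list for the registrable domain.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed DNS query log for this example (one "timestamp client qtype qname"
# record per line; real resolver logs differ in layout). c2-example.invalid is a
# placeholder, not a real indicator. 10.0.0.12 issues an MX query every three
# seconds to a fresh label; 10.0.0.20 is a mail server doing normal MX lookups.
BEACON_LINES = [
    f"2024-04-17T10:00:{3 * i:02d} 10.0.0.12 MX {label}.c2-example.invalid"
    for i, label in enumerate(
        ["a1f3", "9c0e", "72bd", "e410", "5b6a", "c93f", "0d2e", "88a1", "f7c4", "31e9", "b05d", "6ae2"]
    )
]
SAMPLE_LOG = "\n".join(BEACON_LINES + [
    "2024-04-17T10:00:05 10.0.0.12 A www.example.com",
    "2024-04-17T10:00:10 10.0.0.20 MX example.com",
    "2024-04-17T10:12:40 10.0.0.20 MX example.net",
    "2024-04-17T10:31:02 10.0.0.20 MX example.org",
])


def base_domain(qname: str) -> str:
    """Registrable domain approximated as the last two labels (sufficient here;
    use a public-suffix list in production so co.uk-style suffixes are handled)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def detect_mx_beacons(log_text: str, min_queries: int = 10, max_median_interval: float = 5.0) -> dict:
    """Flag (client, domain) pairs that send many MX queries at a short, regular cadence.

    Returns {(client, domain): {"queries": n, "median_interval": seconds,
                                "unique_labels": distinct names queried}}.
    """
    series = defaultdict(list)   # (client, base domain) -> [(timestamp, qname), ...]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue   # malformed record; skip rather than crash the detector
        ts, client, qtype, qname = parts
        if qtype.upper() != "MX":
            continue   # only the MX channel is of interest here
        series[(client, base_domain(qname))].append((datetime.fromisoformat(ts), qname))

    flagged = {}
    for key, events in series.items():
        if len(events) < min_queries:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= max_median_interval:
            flagged[key] = {
                "queries": len(events),
                "median_interval": median_gap,
                # Data riding in the subdomain label makes nearly every query name unique,
                # unlike a mail server asking for the same zone's MX record repeatedly.
                "unique_labels": len({q for _, q in events}),
            }
    return flagged


if __name__ == "__main__":
    for (client, domain), info in detect_mx_beacons(SAMPLE_LOG).items():
        print(client, domain, info)
```

The median rather than the mean is used for the interval so that one long pause (a laptop going to sleep) does not hide an otherwise regular beacon. A legitimate mail server issues MX queries too, but to many different zones and at irregular times, which is why grouping by (client, registrable domain) keeps it below the threshold in the sample.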

OfflRouter virus causes Ukrainian users to upload confidential documents to VirusTotal


Eventually, we discovered over 100 uploaded documents with potentially confidential information about government and police activities in Ukraine. The analysis of the code showed unexpected results – instead of lures used by advanced actors, the uploaded documents were infected with a multi-component VBA macro virus OfflRouter, created in 2015. Read more.

SoumniBot: the new Android banker’s unique techniques


That said, we recently discovered a new banker, SoumniBot, which targets Korean users and is notable for an unconventional approach to evading analysis and detection, namely obfuscation of the Android manifest. Read more.

Widely-Used PuTTY SSH Client Found Vulnerable to Key Recovery Attack

Source: The Hacker News

The maintainers of the PuTTY Secure Shell (SSH) and Telnet client are alerting users of a critical vulnerability impacting versions from 0.68 through 0.80 that could be exploited to achieve full recovery of NIST P-521 (ecdsa-sha2-nistp521) private keys. Read more.
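Because the flaw is tied to one key type, the first practical step is an inventory: which ecdsa-sha2-nistp521 public keys are trusted on your servers. The following is an added example (not the PuTTY project's code) that scans authorized_keys-style text for that key type and also reads the algorithm name embedded in the base64 blob, so a mislabelled or hand-edited line is not missed. The sample key material is constructed with placeholder bytes purely so the parser has input; none of it is a real key.

```python
import base64
import re
import struct

VULNERABLE_TYPE = "ecdsa-sha2-nistp521"   # the key type named in the PuTTY advisory

# Key-type token, base64 blob and optional comment. The token may be preceded by
# authorized_keys options such as from="..." or command="...", hence re.search.
KEY_RE = re.compile(
    r"(?P<type>ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(?:256|384|521)|sk-[\w@.-]+)"
    r"\s+(?P<blob>[A-Za-z0-9+/=]+)(?:\s+(?P<comment>.*))?$"
)


def blob_key_type(blob_b64: str):
    """Return the algorithm name stored as the first length-prefixed string of the
    SSH public-key wire format (RFC 4253 'string'), or None if the blob is malformed."""
    try:
        data = base64.b64decode(blob_b64, validate=True)
        (n,) = struct.unpack(">I", data[:4])
        return data[4:4 + n].decode("ascii")
    except (ValueError, struct.error, UnicodeDecodeError):
        return None


def find_p521_keys(authorized_keys_text: str) -> list:
    """Return one record per key line, marking entries whose declared type or
    embedded blob type is ecdsa-sha2-nistp521."""
    findings = []
    for line_no, line in enumerate(authorized_keys_text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue
        declared, embedded = m["type"], blob_key_type(m["blob"])
        findings.append({
            "line": line_no,
            "declared_type": declared,
            "blob_type": embedded,
            "comment": (m["comment"] or "").strip(),
            # The blob is what sshd actually uses; checking it too catches a line
            # whose leading type token does not match its contents.
            "affected": VULNERABLE_TYPE in (declared, embedded),
        })
    return findings


def _fake_key_blob(key_type: str, *fields: bytes) -> str:
    """Build a syntactically valid public-key blob from constructed, non-functional
    field values, only so the example has something to parse."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(s(key_type.encode()) + b"".join(s(f) for f in fields)).decode()


# Constructed authorized_keys contents; none of these are real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# build host",
    "ssh-ed25519 " + _fake_key_blob("ssh-ed25519", b"\x00" * 32) + " ci@build",
    "ecdsa-sha2-nistp256 "
    + _fake_key_blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x00" * 64) + " alice@laptop",
    'from="10.0.0.0/8",no-pty ecdsa-sha2-nistp521 '
    + _fake_key_blob("ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x00" * 132) + " bob@putty-win",
])


if __name__ == "__main__":
    for f in find_p521_keys(SAMPLE_AUTHORIZED_KEYS):
        if f["affected"]:
            print(f"line {f['line']}: {f['declared_type']} ({f['comment']}) -> rotate")
```

Run the same scan over every authorized_keys file, plus any CA-signed certificate lists or Git hosting deploy keys that accept ECDSA. Since the page states the attack yields full private-key recovery, any flagged key whose private half was ever used with an affected PuTTY version (or a tool built on it) should be treated as compromised and replaced, not merely re-imported into a fixed client. One caveat: the regex expects the whole key on one line and option values without a literal key-type string inside them; files that break either assumption need a stricter parser.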

Cisco Duo warns third-party data breach exposed SMS MFA logs


Cisco Duo’s security team warns that hackers stole some customers’ VoIP and SMS logs for multi-factor authentication (MFA) messages in a cyberattack on their telephony provider. Read more.