Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Alleged Boss of ‘Scattered Spider’ Hacking Group Arrested

Source: Krebs on Security

A 22-year-old man from the United Kingdom arrested this week in Spain is allegedly the ringleader of Scattered Spider, a cybercrime group suspected of hacking into Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations over the past two years. Read more.

New ARM ‘TIKTAG’ attack impacts Google Chrome, Linux systems


A new speculative-execution attack named "TIKTAG" targets ARM's Memory Tagging Extension (MTE). It leaks the memory tags that MTE relies on with a success rate above 95%, letting an attacker defeat the protection and proceed with an otherwise-detected memory-corruption exploit. Read more.

Dipping into Danger: The WARMCOOKIE backdoor

Source: Elastic Security Labs

WARMCOOKIE appears to be an initial backdoor tool used to scout out victim networks and deploy additional payloads. Each sample is compiled with a hard-coded C2 IP address and RC4 key. Read more.
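The point of a per-sample hard-coded RC4 key is that once an analyst recovers it from the binary, every beacon that sample sends can be decrypted offline. The block below is an added example, not code from Elastic's report: it is a plain RC4 routine applied to a constructed beacon. The key, the C2 address and the beacon contents are all made up for the demo, and nothing here reflects WARMCOOKIE's actual message framing.

```python
# Added example: decrypting captured C2 traffic with a key recovered from a sample.
# RC4 here is the standard algorithm; the key, C2 address and beacon are constructed.

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (key-scheduling + keystream generation).

    RC4 is a stream cipher, so the same call encrypts and decrypts.
    """
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Hypothetical values "recovered" from a sample; both are constructed for this example.
SAMPLE_KEY = b"example-rc4-key-0001"
SAMPLE_C2 = "198.51.100.23"   # RFC 5737 documentation range, not a real C2


def encrypt_beacon(plaintext: bytes, key: bytes = SAMPLE_KEY) -> bytes:
    """What the implant side would do before sending to SAMPLE_C2."""
    return rc4(key, plaintext)


def decrypt_beacon(ciphertext: bytes, key: bytes = SAMPLE_KEY) -> bytes:
    """What the analyst does with a pcap once the key is known."""
    return rc4(key, ciphertext)


if __name__ == "__main__":
    # Constructed beacon body; real traffic would come from a capture.
    beacon = b"host=WS01;user=alice;cmd=idle"
    blob = encrypt_beacon(beacon)
    print("to", SAMPLE_C2, "->", blob.hex())
    print("decrypted:", decrypt_beacon(blob))
```

Because the key is baked into each build, a sample whose key you have already extracted can be decrypted without running it; a sample with a different key needs a fresh extraction even if the C2 address is the same.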

Operation Celestial Force employs mobile and desktop malware to target Indian entities


Cisco Talos is disclosing a new malware campaign called "Operation Celestial Force" that has been running since at least 2018 and is still active today. It employs GravityRAT, an Android-based malware, along with a Windows-based malware loader that Talos tracks as "HeavyLift." Read more.

Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day

Source: Symantec

The Cardinal cybercrime group (aka Storm-1811, UNC4393), which operates the Black Basta ransomware, may have been exploiting a recently patched Windows privilege escalation vulnerability as a zero-day. Read more.

QR code SQL injection and other vulnerabilities in a popular biometric terminal


Biometric terminals are quite an intriguing target for a pentester. Vulnerabilities in these devices, positioned at the nexus of the physical and network perimeters, pose risks that can be considered when analyzing the security of both these perimeters. Read more.
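A QR code is just a delivery channel: the scanner decodes it to a string and hands that string to the application, so anything the application would do unsafely with a typed value it will do just as unsafely with a scanned one. The block below is an added example, not the vendor's code or the researchers' exploit: it models a terminal looking up a badge number decoded from a QR code, first with the payload pasted into the SQL text and then with input validation plus a bound parameter. The schema, badge format and payload are constructed for the demo.

```python
# Added example: QR-code-delivered SQL injection against a terminal's local user DB.
# Uses SQLite in memory as a stand-in; table layout and badge format are constructed.
import re
import sqlite3

BADGE_FORMAT = re.compile(r"[A-Z]{3}-\d{4}")   # e.g. EMP-1001 (constructed convention)


def setup_db() -> sqlite3.Connection:
    """Constructed stand-in for the terminal's local user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (badge TEXT PRIMARY KEY, name TEXT, access_level INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("EMP-1001", "alice", 1), ("EMP-1002", "bob", 1), ("ADM-0001", "admin", 9)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, qr_payload: str) -> list:
    """The decoded QR string is spliced straight into the SQL text.

    A payload such as  ' OR access_level = 9 --  turns the lookup into
    "WHERE badge = '' OR access_level = 9 --'" and returns the admin row.
    """
    sql = f"SELECT name, access_level FROM users WHERE badge = '{qr_payload}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, qr_payload: str) -> list:
    """Reject anything that is not a well-formed badge, then bind it as a parameter.

    Either control alone would stop this payload; both together also cover
    badge formats that legitimately contain SQL metacharacters.
    """
    if not BADGE_FORMAT.fullmatch(qr_payload):
        return []
    return conn.execute(
        "SELECT name, access_level FROM users WHERE badge = ?", (qr_payload,)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    # Constructed QR contents: a normal badge and an injection string.
    for payload in ("EMP-1001", "' OR access_level = 9 --"):
        print(repr(payload))
        print("  vulnerable:", lookup_vulnerable(db, payload))
        print("  hardened:  ", lookup_hardened(db, payload))
```

The same pattern applies whether the terminal stores data in an embedded database or forwards the scanned value to a backend: validate the decoded string against the format you expect before it reaches any query, and never build the query by string formatting.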

SSLoad Malware Employs MSI Installer To Kick-Start Delivery Chain

Source: GBHackers

Malware distributors favor MSI installers because Windows treats them as an ordinary software-installation format: msiexec runs the package, and once a user approves the elevation prompt, the custom actions inside it execute with administrative rights. That makes MSI files a convenient means of spreading ransomware, spyware, and other malware that can be passed off as genuine software installations, and it is why unsigned or unexpectedly signed MSI packages deserve a look at their custom actions before they are allowed to run. Read more.

Vietnamese Entities Targeted by China-Linked Mustang Panda in Cyber Espionage

Source: CYBLE

Cyble Research and Intelligence Labs (CRIL) recently came across a campaign employing Windows shortcut (LNK) files associated with the Mustang Panda APT group. Read more.
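When LNK lures turn up, the first triage question is what the shortcut actually launches: the target path and, above all, the command-line arguments. The block below is an added example, not Cyble's tooling or Mustang Panda's sample: it parses the fixed Shell Link header and the string-data section described in MS-SHLLINK and also contains a small builder so the demo has a constructed LNK to run against. The shortcut contents, the hypothetical `build_lnk` helper and the triage heuristics are all assumptions for illustration.

```python
# Added example: pulling target, arguments and ShowCommand out of a .lnk file for triage.
# Layout follows MS-SHLLINK (ShellLinkHeader + optional IDList/LinkInfo + StringData).
# build_lnk() is a hypothetical helper that constructs a minimal sample; not real malware.
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-46}
HEADER_FMT = "<I16sIIQQQIIIHHII"                                  # 76 bytes
SW_SHOWMINNOACTIVE = 7


def _string_data(text: str) -> bytes:
    """CountCharacters (uint16) followed by UTF-16LE characters, no terminator."""
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path: str, arguments: str, working_dir: str = None,
              show_command: int = 1) -> bytes:
    """Construct a minimal .lnk with only the string-data fields set (demo helper)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    if working_dir is not None:
        flags |= HAS_WORKING_DIR
    header = struct.pack(HEADER_FMT, 0x4C, LINK_CLSID, flags, 0, 0, 0, 0,
                         0, 0, show_command, 0, 0, 0, 0)
    # StringData order is fixed: NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS, ICON_LOCATION
    body = _string_data(relative_path)
    if working_dir is not None:
        body += _string_data(working_dir)
    body += _string_data(arguments)
    return header + body


def parse_lnk(data: bytes) -> dict:
    """Return the fields a triager wants: ShowCommand plus the StringData strings."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LINK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (uint16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string() -> str:
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            raw, pos = data[pos:pos + 2 * count], pos + 2 * count
            return raw.decode("utf-16-le")
        raw, pos = data[pos:pos + count], pos + count
        return raw.decode("latin-1")             # system code page in practice

    info = {"show_command": show_command}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        info[key] = read_string() if flags & bit else None
    return info


def triage_indicators(info: dict) -> list:
    """Generic heuristics (assumptions, not a signature for this campaign)."""
    hits = []
    text = " ".join(v for v in (info["relative_path"], info["arguments"]) if v).lower()
    for tool in ("powershell", "cmd.exe", "mshta", "rundll32", "wscript", "cscript"):
        if tool in text:
            hits.append(f"launches {tool}")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("window minimised on launch")
    if info["arguments"] and len(info["arguments"]) > 200:
        hits.append("unusually long argument string")
    return hits


if __name__ == "__main__":
    # Constructed sample: a shortcut that quietly starts PowerShell.
    sample = build_lnk(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "-w hidden -ep bypass -c \"gc .\\readme.txt | iex\"",
                       show_command=SW_SHOWMINNOACTIVE)
    info = parse_lnk(sample)
    print(info)
    print(triage_indicators(info))
```

Real samples usually also carry a LinkTargetIDList and LinkInfo block, which the parser skips by size, and may use an ANSI code page rather than UTF-16 when IS_UNICODE is clear; the heuristics are a starting point for sorting a batch of LNK files, not a detection rule.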

New Agent Tesla Campaign Targeting Spanish-Speaking People


In-depth research on this campaign shows that it also leverages multiple techniques to deliver the Agent Tesla core module, such as using known MS Office vulnerabilities, JavaScript code, PowerShell code, fileless modules, and more, to protect itself from being analyzed by security researchers. Read more.

Hundreds of Websites Targeted by Fake Google Chrome Update Pop-Ups

Source: SUCURI Blog

The infection process for this new fake browser update campaign begins with the injection of malicious code into vulnerable websites. Once a site is compromised, visitors are shown a misleading pop-up a few seconds after the page loads, urging them to install a fake Chrome update. Read more.