Welcome to our weekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our weekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Russian APT29 conducts phishing attacks through Microsoft Teams

Source: Security Affairs

Microsoft Threat Intelligence reported that Russia-linked cyberespionage group APT29 (aka SVR group, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes) carried out Microsoft Teams phishing attacks aimed at dozens of organizations and government agencies worldwide. Read more.

Hackers Abuse AWS SSM Agent to Perform Various Malicious Activities

Source: GBHackers

With this technique, threat actors run the SSM agent as a RAT on Windows- and Linux-based systems, which lets them control the endpoints through a separate AWS account. Read more.

eSentire Threat Intelligence Malware Analysis: Raccoon Stealer v2, Part 2

Source: eSentire

This malware analysis delves deeper into the technical details of how the Raccoon Stealer malware operates and our security recommendations to protect your organization from being exploited. Read more.

New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3

Source: Trustwave

Trustwave SpiderLabs discovered a new version of the Rilide Stealer extension targeting Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, and Opera. This malware uses a creative way to work around Google's Chrome Extension Manifest V3, which is aimed at blocking the installation of malicious extensions in Chromium browsers. Read more.

BlueCharlie, Previously Tracked as TAG-53, Continues to Deploy New Infrastructure in 2023

Source: Recorded Future

BlueCharlie, a Russia-linked threat group active since 2017, focuses on information gathering for espionage and hack-and-leak operations. BlueCharlie has evolved its tactics, techniques, and procedures (TTPs) and built new infrastructure, indicating sophistication in adapting to public disclosures and improving operations security. Read more.

Malicious PyPI package ‘VMConnect’ imitates VMware vSphere connector module

Source: Sonatype

Assigned sonatype-2023-3387 and discovered by Sonatype’s automated detection systems last week, ‘VMConnect’ contains much the same code as its legitimate counterpart and has been downloaded 225 times, according to pepy.tech. Read more.

Targeted npm Malware Attempts to Steal Company Source Code and Secrets

Source: Phylum

This attack was particularly interesting for us, as the attacker’s practice of pushing changes to unique npm packages allowed us to observe the evolution of their strategy, gaining insights into their motives and methods. Read more.

Beware of overly permissive Azure AD cross-tenant synchronization policies

Source: CSO

One of these techniques was recently devised and documented by researchers from security firm Vectra AI and involves abusing an Azure Active Directory (AD) feature called cross-tenant synchronization (CTS) that allows organizations to synchronize users and groups across different Azure AD instances for those users to gain access to Microsoft and non-Microsoft applications linked to different tenants. Read more.

EternalBlue Explained: An In-Depth Analysis of the Notorious Windows Flaw

Source: Stealth Security

To grasp the core of the EternalBlue vulnerability, we must understand the SMB protocol. It relies on port 445 to enable network communications, and this is where the flaw resides. Read more.

Russia’s ‘Midnight Blizzard’ Hackers Launch Flurry of Microsoft Teams Attacks

Source: DARK Reading

The Nobelium APT is launching highly targeted Teams-based phishing attacks on government and industrial targets using compromised Microsoft 365 tenants, with the aim of data theft and cyber espionage. Read more.

“PhishForce” — Vulnerability Uncovered in Salesforce’s Email Services Exploited for Phishing Facebook Accounts In-The-Wild

Source: Guardio

One such technique involves hiding malicious email traffic within legitimate and trustworthy email gateway services. Those are regularly sent out in the overwhelming volume we are all so used to — from advertisement campaigns and product newsletters to your sprint dev ticket updates. Read more.

Sha zhu pan scam uses AI chat tool to target iPhone and Android users

Source: Sophos

This includes a category we labelled as “CryptoRom” when we initially investigated it in 2020, because of its two distinguishing characteristics—a focus on fake cryptocurrency trading and the luring of targets through feigned romantic interest in them. Read more.

Demystifying Mysterious Team Bangladesh

Source: GROUP-IB

In most cases, cybercriminals attempt to leave as few traces and details about their origin as possible. However, there is one exception: hacktivists. Unlike traditional cybercriminals or nation-state threat actors who try to remain unnoticed, hacktivists aim to draw as much attention to their cause as possible, be it political, religious, or both. Read more.

NodeStealer 2.0 – The Python Version: Stealing Facebook Business Accounts

Source: Unit 42

Facebook business accounts were targeted with a phishing lure offering tools such as spreadsheet templates for business. This is part of a growing trend of threat actors targeting Facebook business accounts – for advertising fraud and other purposes – which emerged around July 2022 with the discovery of the Ducktail infostealer. Read more.