Bringing cybersecurity globally to critical and complex key activities
A new phishing kit called Xiū gǒu has been used since September 2024 in attacks targeting users in Australia, Japan, Spain, the United Kingdom and the United States. With more than 2,000 fake websites identified, Xiū gǒu targets sectors such as utilities, messaging, banking and digital services. Operators deploy the phishing pages behind Cloudflare's anti-bot and hosting protections, which makes them harder to detect and take down. Developed by a Chinese-speaking actor, the kit is built with Golang and Vue.js and exfiltrates stolen credentials through Telegram. The lures are delivered as Rich Communication Services (RCS) messages warning of an unpaid parking fine or a package delivery problem and urging the victim to follow a shortened link to resolve the supposed issue.
A new Android banking malware known as ToxicPanda has infected more than 1,500 devices in order to initiate fraudulent money transfers without the user noticing. It lets the operators take over a compromised bank account through on-device fraud (ODF), in which the transfer is initiated from the victim's own, already authenticated device, so that the bank's identity verification and authentication checks are satisfied rather than triggered. Most infections have been reported in Italy, followed by Portugal, Hong Kong, Spain and Peru, an unusual footprint for a Chinese-speaking threat actor, which would not normally be expected to target users in Europe and Latin America. ToxicPanda, a stripped-down variant of the TgToxic malware, abuses Android accessibility services to obtain elevated permissions, intercept one-time passwords (OTPs) and bypass two-factor authentication. It masquerades as popular apps such as Google Chrome and Visa and is distributed through fake pages that imitate official app stores.
On 13 December 2022, an intrusion was detected in the computer systems of the municipalities of Mörbylånga and Borgholm in Sweden. A crisis management unit was reportedly activated, but the municipalities' connection to the internet was nonetheless taken down. Mörbylånga's website and email are down; Borgholm's website is hosted externally, so it remains online and its email is working. No details on the type of attack or the systems affected have been released, but the municipalities' post-attack response (cutting the internet connection) is consistent with a ransomware incident.
On 8 December 2022, the pro-Russian hacktivist group NoName057 claimed to have launched DDoS attacks on the websites of the Greek, Czech and Croatian Ministries of Defence. The attacks are part of the campaign waged by the KillNet sphere in its cyber war of attrition against European governments.
According to a report of 15 December 2022, the Vjw0rm malware is being used in a phishing campaign targeting Italy. The emails impersonate a beauty product vendor and carry the malware as a .js file inside a .rar attachment named "$38,570 detailed invoice payment". Vjw0rm is a hybrid modular worm/RAT with three main capabilities: information theft, denial of service (DoS) and self-propagation. For propagation it copies itself across the operating system and into the startup folder, and it can spread via removable media such as USB sticks.
On 6 December 2022, the Play ransomware group added several organisations and companies to its list of victims, three of them European: "Skoda Praha", an energy company in the Czech Republic; Husinec, a Czech municipality; and Wrota Mazowsza, a mapping service in Poland. The group announced that the data would be released between 14 and 16 December, without indicating what kind of data had been stolen. The Wrota Mazowsza website is unavailable, which suggests a more disruptive attack than data theft alone.
On 23 November 2022, the University of Applied Sciences in Ulm, Germany, disclosed a cyber attack and data theft that had hit it on 12 November. After the alert, the university and its network were disconnected from the internet. The attackers reportedly broke into the university's databases, and the names and email addresses of university members were found to have been accessed without authorisation.
On 15 December 2022, the ViceSociety ransomware group claimed responsibility for an attack on the Universidade Católica Portuguesa, a university headquartered in Lisbon with further campuses in Braga, Porto and Viseu. ViceSociety claims to have stolen a quantity of data but does not say whether the victim's network was otherwise affected. So far the university itself appears to have published no statement: its website is reachable but carries no news of the attack.
On 8 December 2022, the criminal group Kelvin Security claimed to have attacked the website of Alessia Mosca, a former Italian politician, and to have stolen private messages, user information, passwords and personal data from the site's databases. The attack reportedly left no trace of compromise. The private messages may contain sensitive information about the organisations she has worked with, such as the Italian government, the European Parliament and its MEPs, and the personal data taken from the site could be used to target other people in further phishing campaigns.
According to news reports of 28 November 2022, attackers compromised the computer systems of the Saint-Doulchard oncology centre in France on 15 November 2022 and then demanded a ransom. Medical and radiotherapy activities at the centre were suspended from 15 to 18 November for lack of computer resources. Chemotherapy treatments were eventually resumed, but not radiotherapy. According to the centre, no personal patient data was stolen.