Weekly Summary Cyberattacks 05-11 Dec

Sophisticated phishing campaign detected to steal data on Android devices

A cybersecurity team has identified an advanced phishing campaign targeting Android mobile devices with the aim of distributing malware. This attack delivers a new variant of the Antidot Trojan, known as AppLite Banker, which allows cybercriminals to steal banking credentials, cryptocurrency data and other critical access. Using a wide variety of tactics, the malware is designed to target users in countries such as Spain and the United States. The attackers employ social engineering methods, using emails spoofing job offers to get victims to access fake pages and download compromised applications. In addition, the campaign includes advanced techniques such as manipulating ZIP files to bypass detection systems and using fake interfaces to steal banking and cryptocurrency application information.

Hacktivists step up cyber-attacks on Russia using PhantomCore backdoor   

The hacktivist group known as Head Mare has stepped up its attacks against Russia with a new campaign using the PhantomCore malware. According to the analysis, the attackers use malicious ZIP files with Russian-language lures to distribute the backdoor. The malware collects information from the affected system, such as IP address and Windows version, and connects to a command and control (C&C) server to execute additional instructions. The method includes an executable file disguised as a compressed archive and an LNK link that triggers malicious commands. In this campaign, the group has opted for a version of the malware compiled in C++, instead of GoLang, and integrates the Boost.Beast library to facilitate communication with the C&C server.

Security vulnerabilities in DeepSeek and Claude AI chatbots detected through command injection attacks   

Cybersecurity researchers have discovered flaws in the DeepSeek and Claude AI artificial intelligence chatbots that allowed attackers to take control of user accounts through command injections. In the case of DeepSeek, the vulnerability exploited local storage to capture session tokens. A specially crafted prompt decoded a Base64 string, executing XSS code to gain access to victims' accounts. On the other hand, Claude AI, developed by Anthropic, presented similar risks in its ‘Computer Use’ functionality, designed to perform actions on a computer. This function was manipulated to execute malicious commands autonomously and establish connections to servers controlled by attackers.

New ‘Termite’ ransomware threatens enterprise cybersecurity  

Researchers have identified a new ransomware variant called ‘Termite,’ responsible for a recent attack on the Blue Yonder supply chain management platform. According to experts, Termite is a reconfiguration of the notorious Babuk ransomware and has already affected at least seven victims across different regions. The ransomware employs advanced techniques to maximize its impact, such as ensuring execution during system shutdown, terminating key services, and deleting backups to prevent file recovery. Additionally, it encrypts critical data and appends the extension ‘.termite,’ leaving ransom notes with instructions for payment. It can also propagate through network shares, further increasing its reach. To mitigate risks, experts recommend performing regular backups, avoiding suspicious links, and using reliable security software.  

International agencies strengthen telecommunications network security against cyberespionage   

A group of cybersecurity agencies, including CISA, NSA, FBI, and their counterparts in Australia, Canada and New Zealand, have issued a joint guide to protect communications infrastructures from cyberespionage, especially threats associated with Chinese actors. The initiative stresses the importance of improving network visibility and strengthening critical network devices, such as routers and firewalls, through centralized management practices, regular audits and system segmentation. It also stresses the use of separate management networks and strict access controls to minimize risks. Key recommendations include implementing multi-factor authentication, strengthening VPN configurations and actively monitoring for unusual activity on accounts and devices.