Bringing cybersecurity globally to critical and complex key activities
A new phishing kit called Xiū gǒu is being used in attacks targeting users in Australia, Japan, Spain, the United Kingdom and the United States since September 2024. With more than 2,000 identified fake websites, Xiū gǒu targets sectors such as utilities, messaging, banking and digital services. Cybercriminals employ the kit to deploy phishing sites that use Cloudflare’s anti-bot and hosting protection, making them difficult to detect. The kit, developed by a Chinese-speaking actor, uses technologies such as Golang and Vue.js and is designed to exfiltrate credentials via Telegram. The attacks are distributed via Rich Communications Services (RCS) messages, which alert about parking tickets or package delivery issues, encouraging victims to click on shortened links to resolve the supposed problem.
A new banking malware, known as ToxicPanda, has infected more than 1,500 Android devices to make fraudulent money transfers without users noticing. This malware allows cybercriminals to take control of compromised bank accounts through a technique called on-device fraud (ODF), bypassing banks’ identity verification and authentication measures. Most of the infections have been reported in Italy, followed by Portugal, Hong Kong, Spain and Peru, which is considered an unusual case as a Chinese-speaking threat actor is targeting users in Europe and Latin America. ToxicPanda, a simplified version of the TgToxic malware, uses Android accessibility services to obtain advanced permissions, intercept one-time passwords (OTP) and bypass two-factor authentication. In addition, it masquerades as popular apps such as Google Chrome and Visa, distributing itself through fake pages that mimic official app stores.
On 8 December 2022, the criminal group Kelvin Security claimed to have carried out a cyber attack on the website of Alessia Mosca, a former Italian politician. They claim to have stolen private messages, user information, passwords and personal data from the site's databases. The attack reportedly left no trace of compromise. The private messages may contain sensitive confidential information about the organisations where she has worked, such as the Italian government, the European Parliament and the MEPs. Finally, the personal data collected on the site could be used to target other people in further phishing campaigns. Read more about it : here
According to news reports of 28 November 2022, on 15 November 2002, cyber-attackers attacked the computer systems of the Saint-Doulchard oncology centre in France and then demanded a ransom. Medical and radiotherapy activities at the centre were suspended from 15 to 18 November due to lack of computer resources. Eventually, chemotherapy treatments were resumed, but not radiotherapy. According to the medical centre, no personal patient data was stolen. Read more about it : here
On December 22, 2022, the German industrial company Technolite based in Grossenlüder felt victim of a cyber attack. Most of the employees were sent home because they are currently unable to work on the internal networks and the entire IT department of the company was affected by the attack. It is possible that this was a ransomware attack, which is common in this type of industry. However, no claims have been published for the moment. The impact of this attack seems to be serious. Indeed, on a technical level, the internal computer systems of the company are a priori completely blocked, which suggests a ransomware type attack. The operational activities of the company are probably stopped, its employees having been sent home, possibly causing financial losses, as some orders cannot be honoured. In addition, during the attack it is possible that data was stolen by the attacker. The next step is for a cyber group to claim responsibility for the attack.
On December 6, 2022, the French ambulance agency "les trois cantons" located in the commune of Peyrehorade, France, was attacked. The employees reported that a ransom note had been sent to them and that all their databases had disappeared. To compensate for this loss, the agency printed out its diary up to and including Saturday 10 December so as not to lose its appointments. Nevertheless, they would have lost their entire database, including their client contacts. Read more about it : here
According to a report dated 6 December 2022, the attack on the French hospital André Mignot located in Versailles was carried out using ransomware containing the same computer traces as the well-known LockBit Black ransomware. In addition, the Tor addresses of the storefront and negotiation sites listed in the ransom notes are indeed those of the LockBit 3.0 franchise, but none of the decryption credentials are recognised. It is likely that this attack was carried out by another group than LockBit, but that it used the same tools, leaving the same trace. Indeed, in September, it was noted that following an internal conflict within the group, the LockBit builder had been leaked on the net and thus made freely available to anyone wishing to build their own ransomware with this technical base. It is therefore likely that one of these projects was successful and that a new actor attempted a large-scale attack with this LockBit-based ransomware. Read more about it : here
On 9 December 2022, the websites of the French cities of Caen and Rouen, in France, were hit by a cyber attack. Indeed, according to a press release from the regional council, since the night of 8 December, the local authority has noticed that a certain number of servers have been abnormally saturated. In addition, all access to the computer network has been blocked in order to prevent the threat from spreading. For the time being, the council has announced that this attack will not affect the services offered by the town halls of the affected cities. Read more about it : here
On 6 December 2022, the cybercriminal ransomware group Hive added the French retail chain Intersport to its list of victims. The group claims to have carried out the attack on 23 November. No details are given on the nature of the stolen data or whether it was actually revealed. Intersport has not made any statement on this new claim by the group. Intersport had said in November: "Dear customers, we are currently facing a cyber attack on Intersport's servers that prevents us from accessing our cash registers, loyalty card service and gift card service. Read more about it : here
According to a report on December 13, 2022, a new Formbook campaign is underway using Libyan oil companies to spread. The campaign is said to use phishing emails and has already hit Italy. The malicious emails contain 4 images and a pdf. When opening the pdf, the recipient is asked to open a link that downloads an executable which turns out to be malware. The email used is a forged email from a Libyan oil company and the link attached to it points to a URL from which the exe file "Req for Quote" is downloaded. Then Formbook, thanks to the keylogger function, is able to acquire everything the user types. Read more about it : here