A government-aligned attacker tried using a Microsoft vulnerability to attack U.S. and E.U. Researchers have added state-sponsored hackers to the list of adversaries attempting to exploit Microsoft’s now-patched Follina vulnerability. According to researchers at Proofpoint, statesponsored hackers have attempted to abuse the Follina vulnerability in Microsoft Office, aiming an email-based exploit at U.S. and E.U. Proofpoint researchers spotted the attacks and believe the adversaries have ties to a government, which it did not identify. The malicious attachment targets the remote code execution bug CVE-2022-30190 , dubbed Follina. Read more about it: here

While tracking the mobile banking trojan FluBot, F5 Labs recently discovered a new strain of Android malware which we have dubbed “MaliBot”. While its main targets are online banking customers in Spain and Italy, its ability to steal credentials, cookies, and bypass multi-factor authentication (MFA) codes, means that Android users all over the world must be vigilant. Some of MaliBot’s key characteristics include: ... Read more about it: here

Germany's Green political party was the victim to a large-scale cyberattack last week. The attackers gained access to the party's IT infrastructure and the party's internal platform called "Green network". The members of the political party use this platform to exchange about the ongoing negotiations within the coalition. Members’ email accounts were impacted as well as some of the party’s leaders. During the attack, several emails were allegedly forwarded to an external server. No malicious actor has yet claimed responsibility for the attack. However, without having technical details of the attack, it could be that a state-sponsored malicious actor was behind the attack. An investigation was conducted by the Federal Office for It Security (BSI) and a private company specializing in cybersecurity to obtain more information about the attack. Read more about it: here

The Ukraine’s computer emergency response team (CERTUA), in collaboration with researchers from ESET and Microsoft, last week foiled a cyberattack on an energy company that would have disconnected several high-voltage substations from a section of the country’s electric grid on April 8. The attack, by Russia’s infamous Sandworm group, involved the use of a new, more customized version of Industroyer, a malware tool that the threat actor first used in Dec. 2016 to cause a temporary power outage in Ukraine’s capital Kyiv. In addition to the ICS-capable malware, the latest attack also featured destructive disk-wiping tools for the energy company’s Windows, Linux, and Solaris operating system environments that were designed to complicate recovery efforts.   Read more about it: here

Iberdrola, a Spanish energy provider, has suffered a data breach affecting over one million customers, local reports suggest. The company is headquartered in Bilbao and is the parent company of Scottish Power. They have reported that the attack took place on March 15 this year. The breach reportedly resulted in the theft of customer ID numbers, phone numbers and home and email addresses. Fortunately, it does not seem as if financial information was stolen. Read more about it here.

Activists from the hacker group Anonymous attacked the energy company Rosneft Germany and claimed they stole 20 terabytes of data. According to SPIEGEL information, the Berlin public prosecutor's office has initiated proceedings because of the hacker attack and has commissioned the Federal Criminal Police Office (BKA) to carry out further investigations. Read more about it here.

Security researchers are urging pro-Ukrainian actors to be wary of downloading DDoS tools to attack Russia, as they may be booby-trapped with info-stealing malware. In late February, Ukrainian vice prime minister, Mykhailo Fedorov, called for a volunteer “IT army” of hackers to DDoS Russian targets. However, Cisco Talos claimed that opportunistic cyber-criminals are looking to exploit the subsequent widespread outpouring of support for the Eastern European nation. Specifically, it detected posts on Telegram offering DDoS tools which were actually loaded with malware. One such tool, dubbed “Liberator,” is offered by a group calling itself “disBalancer.” Although legitimate, it has been spoofed by others, said Cisco. Read more about it here. 

The Governmental Computer Emergency Response Team of Ukraine CERT-UA received a notification from the coordinating entities about the mass distribution of e-mails on behalf of the state bodies of Ukraine with instructions on how to increase the level of information security. The body of the letter contains a link to the website hxxps: // forkscenter [.] Fr /, from which it is proposed to download "critical updates" in the form of a file "BitdefenderWindowsUpdatePackage.exe" of about 60 MB. Read more about it here. 

The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory (CSA) to warn organizations that Russian state-sponsored cyber actors have gained network access through exploitation of default MFA protocols and a known vulnerability. Read more about it here.

An international law enforcement operation has seized the servers of VPNLab.net, a virtual private network provider that advertised its services on the criminal underground and catered to various cybercrime groups, including ransomware gangs. CYBER THREAT INTELLIGENCE –NEWSLETTER – 2021/01/19 Europol said it seized 15 servers operated by the VPNLab team in Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the US, and the UK. No arrests were announced, but the company’s services were rendered inoperable, and its main website now shows a Europol seizure banner.   Read more about it here.