As Cyber Vigilance turns 5 and we enter a brand new month, let's take a look at this week's Cyber Weekly Digest, highlighting our top cyber security news picks of the week. This week we look at a new campaign using bogus MSIX Windows app packages to spread a malware loader called GHOSTPULSE, a LastPass breach linked to a whopping $4.4m in cryptocurrency theft, and spyware being disguised as a dating app! Keep reading to stay up to date on the latest cyber security news.
1. Hackers Use MSIX App Packages to Infect Windows PCs with GHOSTPULSE Malware
On Monday, a new cyber attack campaign was observed distributing spurious MSIX Windows app packages posing as popular software such as Google Chrome, Microsoft Edge, Brave, Grammarly, and Cisco Webex to deliver a novel malware loader dubbed GHOSTPULSE. The loader uses a defence-evasion technique known as 'process doppelgänging' to start the final payload, which in this campaign has included SectopRAT, Rhadamanthys, Vidar, Lumma, and NetSupport RAT. Note that Windows normally requires an MSIX package to be signed before it will install, so a valid signature on its own says nothing about legitimacy: check that the publisher named in the package is the vendor you expect, and download installers only from the vendor's own site.
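As an added example (not code from the article, from Elastic's report, or from Microsoft), here is the kind of pre-install triage a defender can run on an MSIX file. An MSIX is a ZIP archive whose root AppxManifest.xml carries the package identity; Windows refuses to install a package whose manifest Publisher differs from the signing certificate subject, so for a package that installs at all the manifest Publisher is what the user is trusting. The expected-publisher values, the script-suffix heuristic and the sample package are assumptions constructed for this example.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Manifest namespace used by Windows 10/11 MSIX packages.
NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}

# Expected manifest Publisher per product. ASSUMED values for this example:
# an organisation would populate this from packages it has verified itself.
EXPECTED_PUBLISHERS = {
    "Google Chrome": "CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US",
    "Microsoft Edge": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US",
}

# Heuristic (assumed): a browser or productivity installer has no business
# carrying loose scripts that run at install or launch time.
SCRIPT_SUFFIXES = (".ps1", ".bat", ".cmd", ".vbs", ".js")


def triage_msix(msix_bytes: bytes) -> dict:
    """Return the package identity plus a list of findings (empty = nothing odd)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(msix_bytes)) as zf:
        names = zf.namelist()
        # Every installable MSIX carries its PKCS#7 signature in this file.
        if "AppxSignature.p7x" not in names:
            findings.append("unsigned: AppxSignature.p7x missing")
        root = ET.fromstring(zf.read("AppxManifest.xml"))
        identity = root.find("m:Identity", NS)
        if identity is None:
            raise ValueError("AppxManifest.xml has no Identity element")
        name = identity.get("Name")
        publisher = identity.get("Publisher")
        display = root.findtext("m:Properties/m:DisplayName", default="", namespaces=NS)
        expected = EXPECTED_PUBLISHERS.get(display)
        if expected is None:
            findings.append(f"no known-good publisher recorded for {display!r}")
        elif publisher != expected:
            findings.append(f"publisher mismatch: got {publisher!r}, expected {expected!r}")
        scripts = [n for n in names if n.lower().endswith(SCRIPT_SUFFIXES)]
        if scripts:
            findings.append(f"embedded scripts: {scripts}")
    return {"name": name, "publisher": publisher, "display_name": display, "findings": findings}


def build_sample_msix(display_name, publisher, extra_files=(), signed=True) -> bytes:
    """CONSTRUCTED test input: an MSIX-shaped ZIP with a minimal manifest.
    The signature file is a placeholder byte, not a real PKCS#7 blob."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        f'<Identity Name="Example.App" Publisher="{publisher}" Version="1.0.0.0" />'
        f'<Properties><DisplayName>{display_name}</DisplayName></Properties>'
        '</Package>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AppxManifest.xml", manifest)
        if signed:
            zf.writestr("AppxSignature.p7x", b"\x00")
        for path in extra_files:
            zf.writestr(path, "")
    return buf.getvalue()


if __name__ == "__main__":
    fake = build_sample_msix("Google Chrome", "CN=Some Random Publisher",
                             extra_files=("vfs/AppVPackageDrive/install.ps1",))
    for finding in triage_msix(fake)["findings"]:
        print("FLAG:", finding)
```

This only inspects the manifest and file list; it does not validate the signature chain itself, so pair it with a proper signature check (for example `Get-AuthenticodeSignature` on the .msix in PowerShell) before trusting a package.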
2. LastPass Breach Linked to $4.4 Million in Cryptocurrency Theft
Hackers stole $4.4 million in cryptocurrency on October 25th using private keys and seed phrases taken from LastPass vaults stolen in the company's 2022 breaches, according to crypto fraud researchers who have been tracking a series of similar thefts. The researchers believe the threat actors are cracking the stolen password vaults offline to recover the cryptocurrency wallet passphrases, credentials, and private keys stored inside them.
With a seed phrase or private key in hand, they can import the wallet onto their own devices and drain it of all funds. If you had a LastPass account at the time of the August and December 2022 breaches, it is strongly suggested that you reset all of your passwords! Bear in mind that changing your master password does nothing for a vault copy that has already been stolen: any secret that was stored in it, including wallet seed phrases and private keys, should be treated as compromised and moved to fresh credentials or a new wallet.
3. Arid Viper Spyware Disguised as a Dating App
The threat actor known as Arid Viper (aka APT-C-23, Desert Falcon, or TAG-63) has been attributed as being behind an Android spyware campaign targeting Arabic-speaking users with a counterfeit dating app designed to harvest data from infected handsets. Once installed, the malware hides itself on the victim's device by turning off system and security notifications from the operating system; it also silences notifications on Samsung devices and from any app whose package name contains the word "security", so that alerts from security apps never reach the user. It is also designed to request intrusive permissions to record audio and video, read contacts, access call logs, intercept SMS messages, alter Wi-Fi settings, terminate background apps, take pictures, and create system alerts! A dating app asking for that set of permissions at install time is a red flag in itself.
4. Suspected Exploitation of Critical Apache ActiveMQ Flaw
Cybersecurity researchers are warning of suspected in-the-wild exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker that can lead to remote code execution. Given the active exploitation, users are advised to update to a fixed ActiveMQ release as soon as possible, make sure the broker's ports are not exposed to the internet unnecessarily, and scan their networks for indicators of compromise.
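To find brokers that still need the update, a defender first has to know what version each one is running. The script below is an added example (not from the article or from Apache) that fingerprints an ActiveMQ broker over its OpenWire port and compares the reported version with the patched releases. It relies on the broker sending a WireFormatInfo command as soon as a client connects; the frame layout assumed here (4-byte length prefix, 0x01 command type, the 8-byte magic "ActiveMQ", a 4-byte wire version, then a property map whose string values are a 0x09 type byte followed by a 2-byte length) is the author's reading of the OpenWire encoding, and the sample frame is constructed for offline testing. The fixed versions (5.15.16, 5.16.7, 5.17.6, 5.18.3) are the ones Apache's advisory for the October 2023 remote code execution flaw lists; the article itself does not name them.

```python
import re
import socket
import struct

# Lowest patched release per affected branch, per Apache's advisory.
FIXED = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
OPENWIRE_PORT = 61616  # default plaintext OpenWire listener
STRING_TYPE = 0x09     # type tag preceding a string value in the property map


def parse_provider_version(frame: bytes):
    """Pull the ProviderVersion string out of a WireFormatInfo frame.

    Returns None if the key is absent or not followed by a string value.
    """
    key = b"ProviderVersion"
    idx = frame.find(key)
    if idx < 0:
        return None
    pos = idx + len(key)
    if pos + 3 > len(frame) or frame[pos] != STRING_TYPE:
        return None
    (length,) = struct.unpack(">H", frame[pos + 1:pos + 3])
    return frame[pos + 3:pos + 3 + length].decode("utf-8", "replace")


def is_vulnerable(version: str):
    """True if the version predates the fix for its branch, None if unparseable."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    if (major, minor) < (5, 15):
        return True  # older than any branch that received a fix
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return False  # branch newer than 5.18; released after the fix
    return (major, minor, patch) < fixed


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed before a full frame arrived")
        data += chunk
    return data


def probe(host, port=OPENWIRE_PORT, timeout=5.0):
    """Connect, read the broker's greeting frame, return (version, vulnerable)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        (length,) = struct.unpack(">I", _recv_exact(s, 4))
        body = _recv_exact(s, length)
    version = parse_provider_version(body)
    return version, (is_vulnerable(version) if version else None)


def build_wireformat_info(provider_version: str) -> bytes:
    """CONSTRUCTED sample frame for offline testing, following the layout above.

    The property map holds a single entry; a real broker sends several.
    """
    key = b"ProviderVersion"
    value = provider_version.encode()
    props = (struct.pack(">I", 1)                      # entry count
             + struct.pack(">H", len(key)) + key       # UTF key
             + bytes([STRING_TYPE]) + struct.pack(">H", len(value)) + value)
    body = (b"\x01" + b"ActiveMQ" + struct.pack(">I", 12)   # command type, magic, wire version
            + b"\x01" + struct.pack(">I", len(props)) + props)  # non-null marker, map length, map
    return struct.pack(">I", len(body)) + body


if __name__ == "__main__":
    sample = build_wireformat_info("5.18.2")
    v = parse_provider_version(sample)
    print(f"sample broker reports {v}: vulnerable={is_vulnerable(v)}")
```

Run `probe("broker.example.internal")` against a host you are authorised to test; a broker listening only on the TLS port (61617 by default) would need the socket wrapped in `ssl` first, and a broker that strips the version from its greeting will simply return None rather than a verdict.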
5. Mozi IoT Botnet Silenced by a Kill Switch
Mozi botnet activity dropped off sharply in August 2023, and on September 27, 2023 an unknown party distributed a payload that triggered a kill switch, deactivating the remaining bots.
Mozi is a well-known DDoS malware botnet that emerged in 2019, primarily targeting IoT devices such as routers, digital video recorders, and other internet-connected gadgets. Despite the good news of one of the most prolific botnets going offline, there are, unfortunately, many more DDoS malware botnets scanning the web daily for vulnerable IoT devices. Users should therefore keep their devices on the latest firmware, replace default and weak passwords with strong ones, and isolate IoT devices from critical networks.