
Articles of interest from the week of September 2, 2024

'Voldemort' Malware Curses Orgs Using Global Tax Authorities

The global malware campaign (that must not be named?) is targeting organizations by impersonating tax authorities, and using custom tools like Google Sheets for command and control. (Dark Reading)


“He who should not be named has made a new but oh-so-familiar Horcrux. Sophisticated phishing campaigns continue to increase the risk of BEC along with a slew of other identity security issues…as if we didn’t already loathe taxes.

Although Professor Dumbledore is no longer around, steadfast allies in the form of security best practices are still the best defense against the dark arts. Namely, of attack vectors like this 'Voldemort' malware campaign. Clear protocols for handling and verifying sensitive information and training all employees on email best practices help eliminate human error as the needle moves in the threat landscape. Companies that utilize robust email filtering systems, enforce mandatory MFA, and employ SPF, DMARC, DKIM, and BIMI authentications have the best shot of not falling victim to the curse.”

Candace Respress, Senior SOC Analyst at Ingalls Information Security

Owners of 1-Time Passcode Theft Service Plead Guilty

In a significant development in the fight against cybercrime, the operators behind a notorious one-time passcode theft service have pleaded guilty. This service, which compromised countless online accounts by bypassing two-factor authentication, was a major player in the underground market. Discover the intricate details of the operation, how it was taken down, and what this means for the future of online security. (KrebsOnSecurity)

 

Peach Sandstorm Deploys New Custom Tickler Malware in Long-Running Intelligence Gathering Operations

Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler. Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates. This activity is consistent with the threat actor’s persistent intelligence-gathering objectives and represents the latest evolution of their long-standing cyber operations. (Microsoft)

 

VMware Patches High-Severity Code Execution Flaw in Fusion

On Tuesday, virtualization software technology vendor VMware pushed out a security update for its Fusion hypervisor to address a high-severity vulnerability that exposes users to code execution exploits. (SecurityWeek)

 

Researchers Find SQL Injection To Bypass Airport TSA Security Checks

Security researchers have found a vulnerability in a key air transport security system that allowed unauthorized individuals to potentially bypass airport security screenings and gain access to aircraft cockpits. (BleepingComputer)

 

Nashville Man Arrested for Running “Laptop Farm” To Get Jobs for North Koreans

Federal authorities have arrested a Nashville man on charges he hosted laptops at his residences in a scheme to deceive US companies into hiring foreign remote IT workers who funneled hundreds of thousands of dollars in income to fund North Korea’s weapons program. (Ars Technica)

 

New 0-Day Attacks Linked to China’s ‘Volt Typhoon’

Malicious hackers are exploiting a zero-day vulnerability in Versa Director, a software product used by many Internet and IT service providers. Researchers believe the activity is linked to Volt Typhoon, a Chinese cyber espionage group focused on infiltrating critical U.S. networks and laying the groundwork for the ability to disrupt communications between the United States and Asia during any future armed conflict with China. (KrebsOnSecurity)

A New macOS Data Stealer Is Going After Apple Users

A new threat is targeting Apple users and is designed to slip past defenses, putting your privacy at serious risk. Learn how this malware operates, who’s at risk, and what you can do to protect your data. (TechRadar)

 
