
Cyware Daily Threat Intelligence, March 05, 2025

Daily Threat Briefing Mar 5, 2025

The internet’s weakest links are turning into a cyber army with an Iranian twist. The new Eleven11bot botnet, loosely tied to Iran, has hijacked tens of thousands of IoT devices to unleash massive DDoS attacks on telecoms and gaming servers across the world.

Booking a trip shouldn’t come with a side of malware, but here we are. A slick new campaign is sneaking LummaStealer onto devices worldwide through fake CAPTCHAs on booking websites, leveraging malvertising to snag victims in places like the Philippines and Germany with this info-stealing menace.

Snail mail just got a sinister upgrade in the scam department. Fraudsters posing as the BianLian ransomware gang are mailing tailored ransom notes, demanding Bitcoin payments to keep “stolen” data under wraps. However, it’s a bluff and not a breach.

Top Malware Reported in the Last 24 Hours

Malicious Go packages drop malware

Socket discovered an ongoing malicious campaign targeting the Go ecosystem with typosquatted modules. These modules are designed to deploy loader malware on Linux and Apple macOS systems. The threat actor has published at least seven packages impersonating widely used Go libraries, including one targeting financial-sector developers. These packages share repeated malicious filenames and consistent obfuscation techniques. The counterfeit packages contain code to achieve remote code execution by running an obfuscated shell command to retrieve and run a script hosted on a remote server. 
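As an added, defender-side example (not code from the page or from Socket), the following Go checker scans go.mod text and flags required modules whose paths are near-misses of allowlisted libraries, the pattern the typosquatting campaign above relies on. The allowlist, the sample go.mod and the "strechr" module path are constructed for the demo.

```go
package main

import "fmt"
import "strings"

// Allowlist of widely used module paths (real libraries); in practice, the approved-dependency list.
var knownModules = []string{"github.com/stretchr/testify", "github.com/spf13/cobra", "golang.org/x/crypto"}

// Finding records a required module whose path is a near-miss of an allowlisted one.
type Finding struct{ Suspect, LooksLike string; Distance int }

// levenshtein returns the byte-wise edit distance between a and b using two rows of the DP table.
func levenshtein(a, b string) int {
	prev := make([]int, len(b)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(a); i++ {
		cur := make([]int, len(b)+1)
		cur[0] = i
		for j := 1; j <= len(b); j++ {
			cur[j] = prev[j-1] // substitution, free when the bytes match
			if a[i-1] != b[j-1] {
				cur[j]++
			}
			for _, alt := range []int{prev[j] + 1, cur[j-1] + 1} { // deletion, insertion
				if alt < cur[j] {
					cur[j] = alt
				}
			}
		}
		prev = cur
	}
	return prev[len(b)]
}

// FindTyposquats reads "path version" lines (single-line or block require) and flags near-misses.
func FindTyposquats(gomod string, maxDist int) []Finding {
	var out []Finding
	for _, raw := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(raw), "require "))
		if len(f) < 2 || strings.HasPrefix(f[0], "//") || !strings.Contains(f[0], "/") {
			continue // directive keyword, parenthesis, comment or blank line
		}
		for _, k := range knownModules {
			if d := levenshtein(f[0], k); d > 0 && d <= maxDist {
				out = append(out, Finding{f[0], k, d})
			}
		}
	}
	return out
}

// Constructed go.mod; "strechr" is an invented near-miss, not a reported package.
const sampleGoMod = "module example.com/app\n\ngo 1.22\n\nrequire (\n\tgithub.com/strechr/testify v1.9.0\n\tgithub.com/spf13/cobra v1.8.0 // indirect\n)\n"
func main() { fmt.Println(FindTyposquats(sampleGoMod, 2)) }
```

Exact allowlist matches are never flagged; only paths one or two edits away are reported, which is where a human should compare the flagged path against the intended library.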

Eleven11bot: New botnet compromises 86,000 devices

A new botnet, Eleven11bot, has infected over 86,000 IoT devices, primarily security cameras and network video recorders, to conduct DDoS attacks. The botnet, which is loosely linked to Iran, has already targeted telecommunication service providers and online gaming servers. The Shadowserver Foundation reported that most infected devices are in the U.S., the U.K., Mexico, Canada, and Australia. The botnet's attacks have reached several hundred million packets per second in volume, often lasting for multiple days. The malware spreads by brute-forcing weak admin credentials, leveraging default credentials for specific IoT models, and scanning networks for exposed Telnet and SSH ports.

LummaStealer expands attack surface

A new malicious campaign has been discovered that uses a sophisticated attack on booking websites to deliver LummaStealer samples via fake CAPTCHAs. This info-stealer operates under a MaaS model and is now focusing on malvertising, using booking websites as a new approach for spreading malware. The campaign affects users worldwide, with observed victims in countries such as the Philippines and Germany. 

Operation Sea Elephant cyber-espionage campaign

An advanced cyber-espionage campaign, named Operation Sea Elephant, has been found primarily targeting research institutions, universities, and government organizations in South Asia. The campaign, allegedly orchestrated by the CNC group, utilizes custom plug-ins and malware for surveillance, data theft, and lateral movement within networks. The attack begins with targeted phishing emails containing malicious attachments, exploiting trusted relationships within academic and research communities. Once a target is compromised, the malware spreads laterally by hijacking WeChat and QQ accounts to distribute trojanized programs. The CNC group employs various custom plug-ins for specific attack objectives, including RCE backdoors, a GitHub API-based trojan (windowsfilters.exe), a keylogger, a USB worm (YoudaoGui.exe), and file theft modules.

Top Vulnerabilities Reported in the Last 24 Hours

Vulnerability in Webex for BroadWorks

Cisco warned customers about a low-severity vulnerability in Webex for BroadWorks, which could potentially allow unauthenticated attackers to remotely access data and credentials. This issue is due to sensitive information being exposed in the SIP headers and affects Cisco BroadWorks and Cisco Webex for BroadWorks instances running in Windows environments. Cisco has already pushed a configuration change to address the flaw and advises customers to restart their Cisco Webex app to receive the fix. As a temporary workaround, admins are advised to configure secure transport for SIP communication to encrypt data in transit. 

PoC released for HPE Insight RS bug

A critical vulnerability, CVE-2024-53676, has been discovered in HPE Insight RS. The vulnerability has a CVSS score of 9.8 and could allow unauthenticated remote attackers to execute arbitrary code on affected systems due to improper path validation in the processAtatchmentDataStream method. The flaw enables attackers to bypass directory restrictions and upload malicious files outside the intended directory, potentially leading to remote code execution. HPE has released Insight Remote Support v7.14.0.629 to address these security concerns.

Top Scams Reported in the Last 24 Hours

A postal scam and fake BianLian ransom notes

Scammers are sending fake ransom notes to U.S. companies via traditional mail, impersonating the BianLian ransomware gang. These notes are tailored to the recipient company's industry and claim that sensitive data has been stolen. The scammers demand a Bitcoin payment within 10 days to prevent the data from being leaked. However, these demands are believed to be illegitimate, as there are no signs of an actual breach. The ransom notes are an evolution of email extortion scams, now targeting corporate CEOs. 

PayPal scam exploits Docusign API

Scammers are using the Docusign API to send phishing emails that appear to be from PayPal, notifying users of unauthorized transactions and prompting them to contact a fake fraud prevention team. These emails bypass security filters because they come from genuine Docusign accounts. Red flags include the use of a Gmail address in the "From" field and a non-existent "To" address.
