Cyware Monthly Threat Intelligence, November 2024

Monthly Threat Briefing Dec 4, 2024

The Good

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. 

  • The Transportation Security Administration (TSA) proposed rules to formalize existing cybersecurity directives for pipeline and railroad operators. The rules would mandate reporting cyber incidents, creating TSA-overseen cyber risk management plans, and are estimated to cost $2.1 billion over 10 years. In response to growing nation-state cyber threats to transportation infrastructure, TSA seeks to enhance resilience while allowing industry input until February 5, 2025, to balance flexibility with evolving security needs.
  • Meta took down over two million accounts connected to pig butchering scams in Southeast Asia and the UAE. These scams often start on messaging platforms or dating sites, targeting victims to invest in sham cryptocurrency platforms. Criminal groups in Southeast Asia and the UAE, relying on trafficked workers, are behind these scams. 
  • Microsoft disrupted the ONNX phishing service, identifying an Egyptian man, Abanoub Nady, as its alleged operator and seizing 240 related domains. With support from the Linux Foundation and a civil court order, Microsoft redirected the malicious infrastructure, permanently halting these phishing activities. Separately, the DOJ took down PopeyeTools, a marketplace for stolen credit card data, charging three administrators from Pakistan and Afghanistan. The site facilitated cybercrime activities, generating over $1.7 million in revenue, and cryptocurrency worth $283,000 was also seized. Both actions reflect ongoing efforts to combat financial fraud and phishing.
  • Law enforcement agencies in Africa conducted Operation Serengeti in collaboration with Interpol and Afripol, leading to the arrest of over a thousand individuals involved in cybercriminal activities. The operation targeted ransomware, business email compromise, digital extortion, and online scams, resulting in the takedown of over 134,000 malicious networks. The arrested suspects and infrastructures were linked to approximately 35,000 victims who suffered nearly $193 million in losses. The operation also recovered around $44 million.
  • Italy conducted the annual Blueprint Operational Level Exercise (Blue OLEx) to test EU institutions' readiness for cyber-attacks. The exercise involved senior cybersecurity officials from EU member states and the Commission, focusing on improving responses to incidents and crises. Blue OLEx emphasized executive-level cooperation through the Cyber Crisis Liaison Organization Network (EU-CyCLONe), established by the NIS2 Directive. The event was hosted by the Italian Cybersecurity Agency (ACN).
  • The World Economic Forum's Partnership against Cybercrime released a framework to enhance collaboration between the cybersecurity industry and the public sector. The framework emphasizes the need for incentives, good governance, and resources to support operational collaborations. It highlights the importance of clear missions, impact, peer-to-peer learning, and public recognition as incentives for organizations to collaborate. 

The Bad

TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network.

  • Insikt Group identified a cyber-espionage campaign conducted by the Russia-aligned threat group TAG-110, targeting organizations in Central Asia, East Asia, and Europe. The group uses custom malware tools HATVIBE and CHERRYSPY to primarily attack government entities, human rights groups, and educational institutions. TAG-110's tactics align with the historical activities of UAC-0063, attributed to Russian APT group BlueDelta (APT28). The campaign aims to gather intelligence on geopolitical developments and maintain influence in post-Soviet states.
  • The Ngioweb malware was utilized to create a significant botnet used for residential proxy services like NSOCKS, VN5Socks, and Shopsocks5. The botnet consists of over 35,000 working bots, with a large portion located in the U.S. It targets IoT devices and small office/home office routers, using automated scripts to infiltrate and deploy the malware. The infected devices are then sold as proxies on a marketplace. NSOCKS, which offers SOCKS5 proxies globally, is a particular concern as it enables malicious actors to conduct DDoS attacks and target specific entities.
  • Water Barghest's sophisticated operation has been found exploiting and monetizing IoT devices while maintaining a low profile. The group's botnet had compromised over 20,000 devices and now uses automated scripts to detect and infect vulnerable IoT devices from public internet scan databases such as Shodan. Once a device is compromised, the gang deploys Ngioweb malware, which runs in memory and connects to C2 servers. The gang targets IoT devices from Cisco, DrayTek, Netgear, Synology, Zyxel, etc., using n-day flaws and one zero-day exploit.
  • Telegram is becoming a popular platform for spreading malware, with Lumma Stealer being distributed through the messaging app. Two Telegram channels with thousands of subscribers are distributing Lumma Stealer disguised as benign apps like CCleaner. The first channel is VIP HitMaster Program with over 42,000 subscribers and the second is named MegaProgram + with 8660 subscribers. The malware connects to a Steam account for command and control, making it harder to detect.
  • Thousands of Palo Alto Networks firewalls have been compromised in attacks exploiting two security vulnerabilities (CVE-2024-0012 and CVE-2024-9474) in PAN-OS. These vulnerabilities allow attackers to bypass authentication and gain administrator privileges, enabling them to tamper with configurations and exploit other vulnerabilities. The CISA has added these vulnerabilities to its KEV Catalog. Approximately 2,000 firewalls have been compromised globally, with the majority in the U.S. and India.
  • CYFIRMA analyzed SpyNote, an Android malware that poses a significant threat by allowing extensive control over infected devices. The malware hides itself as a fake antivirus named Avast Mobile Security for Android to deceive users. The malware targets cryptocurrencies, steals data from other apps, and collects user credentials. It monitors network traffic to connect to a C2 server for data theft. There are over 10,000 identified samples of SpyNote, with recent infections linked to the threat actor EVLF distributing it through platforms like Telegram. 
  • The Iranian Dream Job campaign conducted by TA455 targeted the aerospace industry by offering fake jobs and distributing the SnailResin malware. The campaign has been active since at least September 2023 and uses fake recruiting websites and LinkedIn profiles to distribute malicious files. The attackers use a detailed PDF guide to encourage victims to download a ZIP file containing the malware. The campaign is suspected to be involved in espionage targeting aerospace, aviation, and defense industries in Middle Eastern countries.
  • Microsoft released fixes for 89 CVE-listed security flaws in its products, with two zero-day vulnerabilities actively under attack. One flaw, CVE-2024-49039, allows privilege escalation through Windows Task Scheduler, while the second flaw, CVE-2024-43451, impacts NTLM hashes. Azure CycleCloud users should be aware of CVE-2024-43602, which permits remote code execution. Additionally, a serious flaw, CVE-2024-43498, affects .NET and Visual Studio, and another critical vulnerability, CVE-2024-43639, involves a cryptographic protocol vulnerability in Windows Kerberos.
  • The WIRTE APT group, associated with the Hamas-affiliated group Gaza Cybergang, has continued its attacks in the Middle East. It has expanded its focus from espionage to disruptive attacks while targeting entities in the Palestinian Authority, Jordan, Iraq, Egypt, and Saudi Arabia. Researchers uncovered a connection between the malware used by WIRTE and SameCoin, a wiper malware that attacked Israeli targets in 2024. The APT group has also included hack-and-leak operations and is using cyber capabilities to shape narratives.
  • The CISA issued a warning about two new vulnerabilities in the Palo Alto Networks Expedition software, which are being actively exploited. They have been added to the KEV catalog. The vulnerabilities are OS Command Injection (CVE-2024-9463) and SQL Injection (CVE-2024-9465), which can allow unauthorized access to run commands as root or expose database contents, potentially revealing sensitive information like usernames, passwords, configurations, and keys. Palo Alto Networks addressed these in an update on October 9. 

New Threats

LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

  • A new cyberespionage group, LIMINAL PANDA, linked to China, has been targeting telecommunications entities in South Asia and Africa since 2020 to gather intelligence. The attackers have deep knowledge of telecommunications networks and protocols, using bespoke tools for access, command-and-control, and data exfiltration. Some custom malware in LIMINAL PANDA's arsenal include SIGTRANslator, CordScan, and PingPong, which allow for data transmission, network scanning, and backdoor access, respectively. 
  • A new version of NodeStealer has emerged to extract sensitive information from victims' Facebook Ads Manager accounts and steal credit card data from web browsers, potentially opening doors for malicious advertising. The updated NodeStealer uses various techniques, such as unlocking browser database files through Windows Restart Manager and generating Python scripts with batch files. Additionally, some NodeStealer samples unlock SQLite database files to access credit card data, with this information being sent through Telegram, a platform commonly used by cybercriminals.
  • A new stealthy malware loader called BabbleLoader is being used to deliver information stealer families such as WhiteSnake and Meduza. BabbleLoader is designed to bypass antivirus and sandbox environments by employing advanced evasion techniques. The loader targets English and Russian speakers, singling out users looking for generic cracked software and business professionals in finance and administration by passing it off as accounting software. 
  • The WorkflowKit Race Vulnerability (CVE-2024-27821) exposes users to potential data breaches or remote code execution by allowing malicious apps to intercept and modify shortcut files during import. This flaw arises from a race condition in WorkflowKit’s shortcut extraction process. Apple addressed the issue in macOS 14.5 by implementing enhanced sandbox restrictions to prevent unauthorized access to temporary directories.
  • Apple released emergency security updates to fix two zero-day vulnerabilities that were exploited in attacks on Intel-based Mac systems. The vulnerabilities, found in macOS Sequoia JavaScriptCore (CVE-2024-44308) and WebKit (CVE-2024-44309) components, allowed for remote code execution and cross-site scripting attacks. The updates also addressed the same components in other Apple operating systems.
  • Tech support scammers are employing a new email scheme that pretends to inform recipients about the death of someone they know. The emails begin with the subject line “Sad announcement” and include the name of a familiar individual, making it seem like it’s from that person. The emails have various formats but follow a pattern that quickly grabs the reader’s interest with phrases implying shared photos or memories. Each email contains links that lead to domains, mostly short-lived and registered with NameCheap, that are aimed at tricking users. 
  • The new Glove Stealer malware was found to bypass Google Chrome's Application-Bound encryption to steal browser cookies. The malware is simple and lacks protection mechanisms, suggesting it is in the early stages of development. The threat actors behind the malware use social engineering tactics to trick victims into installing it. The malware can extract cookies from Firefox and Chromium-based browsers, as well as steal cryptocurrency wallets, 2FA tokens, passwords, and emails. 
  • APT41, a threat group from China, is using a sophisticated Windows-based surveillance toolkit in a cyberespionage campaign targeting organizations in South Asia. The toolkit, called DeepData Framework, consists of 12 separate plugins optimized for malicious functions. These plugins steal communications from various messaging apps, system information, browsing history, cookies, passwords, audio files, and more.
  • Threat actors are using a new method on macOS to spread a malware called RustyAttr, which is linked to the Lazarus Group from North Korea. The malware is built using the Tauri framework and includes an extended attribute that runs a shell script. When executed, a decoy is displayed to distract the user. The shell script executes a Rust backend via a malicious JavaScript loaded on a fake webpage.
  • Unit 42 researchers discovered a group of North Korean IT workers, referred to as CL-STA-0237, involved in phishing attacks using malware-infected video conference apps, operating primarily from Laos. This group exploited a U.S.-based IT services company to apply for jobs and succeeded in getting hired by a major tech company in 2022. The team found newly registered domains linked to a known IP address associated with the MiroTalk fake job campaign, revealing that CL-STA-0237 exploited information and controlled multiple accounts belonging to the U.S.-based IT company.