CyberWatch - August 2, 2023

At a Glance

Ransomware, Malware & Phishing

1. The Alarming Rise of Infostealers: How to Detect this Silent Threat
2. 8 million people hit by data breach at US govt contractor Maximus
3. Decoy Dog: New Breed of Malware Posing Serious Threats to Enterprise Networks
4. Hackers Abusing Windows Search Feature to Install Remote Access Trojans
5. IcedID Malware Adapts and Expands Threat with Updated BackConnect Module  
6. Fruity Trojan Uses Deceptive Software Installers to Spread Remcos RAT
7. AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service
8. BreachForums data base and private chats for sale in hacker data breach
9. Linux version of Abyss Locker ransomware targets VMware ESXi servers

Vulnerabilities

1. CISA issues new warning on actively exploited Ivanti MobileIron bugs
2. Multiple Flaws Found in Ninja Forms Plugin Leave 800,000 Sites Vulnerable
3. Zimbra Patches Exploited Zero-Day Vulnerability

Ransomware, Malware & Phishing

The Alarming Rise of Infostealers: How to Detect this Silent Threat

Analysis: Uptycs, in a recent study, has highlighted a concerning surge in information-stealing (infostealer) malware incidents during Q1 2023. These infostealers, including RedLine and Vidar, are designed to pilfer sensitive data such as login credentials and passwords. What's particularly alarming is that these malicious actors are now leveraging Telegram for command, control, and data exfiltration, making them harder to detect and counter. Even prominent companies like Uber have fallen victim to these attacks, with threat actors utilizing the Racoon stealer to compromise their systems.

The study emphasizes the urgent need for organizations to adopt a unified and comprehensive approach to bolster their cybersecurity defenses against these evolving threats. To stay ahead, businesses are urged to prioritize understanding threat actor patterns and tactics, remaining up-to-date with trending threat intelligence, and actively hunting for any indicators of compromise that might have slipped past existing defenses.

Access Point recommends the following:

1. Employ Uptycs' Innovative Platform: Businesses should adopt Uptycs' innovative platform, including the Uptycs Detection Cloud, to bolster their cybersecurity defenses with prioritized threat responses, powerful search capabilities, and comprehensive threat insights, resulting in a more cohesive and robust enterprise-wide security posture against evolving threats and information-stealing malware.

8 million people hit by data breach at US govt contractor Maximus

Analysis: U.S. government services contractor Maximus has disclosed a data breach, resulting in the theft of personal data from 8 to 11 million individuals during recent MOVEit Transfer data-theft attacks. The company, responsible for managing and administering U.S. government-sponsored programs, attributed the breach to a zero-day flaw (CVE-2023-34362) in the MOVEit file transfer application. The Cl0p ransomware gang widely exploited this vulnerability to breach numerous high-profile companies worldwide, including Maximus.

While the attackers were confined to the MOVEit environment and did not progress further into the corporate network, they gained access to a substantial amount of sensitive information, including social security numbers, protected health information, and other personal details of the affected individuals. In response, Maximus is sending data breach notifications to those impacted. The Cl0p gang has added Maximus to its dark web data leak site, claiming to have stolen 169GB of data from the breach. As more victims fall prey to the MOVEit zero-day flaw, the Cl0p gang is resorting to more aggressive extortion tactics, launching clearweb sites to leak stolen data from specific companies and putting additional pressure on the victims.

Access Point recommends the following:

1. Keep Software Updated: Regularly update software and applications with the latest security patches to minimize the risk of exploiting known vulnerabilities.
2. Conduct Security Assessments: Perform regular security assessments and audits to identify and address potential vulnerabilities before they are exploited.
3. Implement Access Controls and Segmentation: Implement strong access controls and network segmentation to limit lateral movement in the event of a breach and prevent unauthorized access to sensitive data.
4. Encrypt Sensitive Data: Encrypt sensitive data to protect it from unauthorized access, even in the event of a breach.
5. Employee Training: Train employees to recognize and report potential security threats, especially phishing attempts, to mitigate the risk of unauthorized access or data breaches.

Decoy Dog: New Breed of Malware Posing Serious Threats to Enterprise Networks

Analysis: The newly discovered malware, Decoy Dog, is a formidable advancement over its predecessor, the Pupy RAT, which is an open-source remote access trojan. Decoy Dog introduces potent new features, including the capability to transfer victims to another controller, ensuring prolonged communication with compromised systems while remaining undetected. It can execute arbitrary Java code and connect to emergency controllers through a mechanism similar to a traditional DNS domain generation algorithm. Infoblox detected this sophisticated toolkit in April 2023 and identified targeted attacks specifically directed at enterprise networks. The origins of Decoy Dog remain uncertain, but it is believed to be the work of nation-state hackers who rapidly adapt their attack infrastructure in response to disclosures. To counter the threat posed by Decoy Dog and similar malware, organizations must prioritize DNS security, as monitoring and analyzing DNS activities can help detect anomalous behavior and prevent command-and-control (C2) communications. Implementing robust DNS security measures is crucial to enhance overall organizational security.

Access Point recommends the following:

1. Strengthen DNS Security: Organizations should prioritize strengthening DNS security to protect against threats like Decoy Dog. Employing DNS monitoring and analysis tools can assist in identifying and thwarting suspicious activities related to C2 communications.
2. Regular Security Audits: Conduct regular security audits to identify potential vulnerabilities in the network infrastructure and ensure timely detection and mitigation of any security gaps.
3. Stay Updated on Threat Intelligence: Keeping abreast of the latest threat intelligence and industry developments will help organizations better understand emerging malware like Decoy Dog and be better prepared to respond effectively.

Hackers Abusing Windows Search Feature to Install Remote Access Trojans

Analysis: Unknown malicious actors have recently been exploiting a legitimate Windows search feature by misusing the "search-ms:" URI protocol handler and the "search:" application protocol. This attack technique involves directing users to websites that exploit the "search-ms" functionality through JavaScript hosted on the page or HTML attachments. Deceptive emails containing hyperlinks or HTML attachments with URLs redirect users to compromised sites, where JavaScript executes searches on an attacker-controlled server. The search results appear disguised as trusted icons, concealing the fact that remote files are being provided. Clicking on these files may trigger the execution of malicious code, leading to the installation of harmful malware like AsyncRAT and Remcos RAT. The adversaries behind this method aim to evade traditional security defenses and distribute malware effectively. To protect against such threats, users must exercise caution, refrain from clicking on suspicious URLs, and avoid downloading files from unknown sources.

Access Point recommends the following:

1. Be Vigilant with URLs and Downloads: Users should be cautious and refrain from clicking on URLs or downloading files from unknown or suspicious sources, as these may lead to compromising their systems.
2. Implement Security Measures: Employ security measures such as email filtering, web filtering, and endpoint protection to detect and block malicious URLs and attachments effectively.
3. Regular Security Awareness Training: Conduct regular security awareness training for employees to educate them about the risks of social engineering attacks and how to identify and avoid falling victim to such deceptive techniques.

IcedID Malware Adapts and Expands Threat with Updated BackConnect Module  

Analysis: The IcedID malware, previously known as BokBot, has undergone significant updates, shifting its focus from being a banking trojan to a ransomware delivery facilitator. The threat actors have recently updated the BackConnect (BC) module, which enables post-compromise activities on infected systems. This module relies on a proprietary command-and-control (C2) protocol and a VNC component for remote access, making it challenging to detect. The number of BC C2 servers has increased, and average server uptime has reduced, indicating concurrent access by the same IcedID operator or affiliate to multiple victims.

Additionally, victims may unknowingly act as proxies in spamming operations, spreading further IcedID campaigns through BC's SOCKS capabilities. Although some IcedID forks without banking fraud and BackConnect modules have emerged, they have not been recently detected, potentially indicating short-lived experiments.

Access Point recommends the following:

1. Comprehensive Security Solutions: Employ advanced threat detection and network monitoring solutions to detect and respond to IcedID and BackConnect activity promptly.
2. Regular System Updates: Regularly update and patch systems to mitigate vulnerabilities that threat actors may exploit for intrusion.
3. User Education: Educate users about the risks of phishing emails and emphasize the importance of not opening attachments or clicking on links from unknown or suspicious sources.
4. Access Controls and Multi-Factor Authentication (MFA): Implement strong access controls, multi-factor authentication, and privileged access management to prevent unauthorized access and lateral movement within the network.
5. Robust Spam Filtering: Employ a robust spam filtering solution to prevent malicious emails, including those used for IcedID distribution, from reaching users' inboxes.

MITRE ATT&CK Technique Numbers associated with this campaign include:

• Initial Access: Phishing Spearphishing Attachment - T1566.002
• Execution: Command and Scripting Interpreter - PowerShell - T1059.001
• Defense Evasion: Indicator Removal on Host - File Deletion - T1070.004
• Collection: Data from Local System - Automated Collection - T1119.002
• Command and Control – T1094

Fruity Trojan Uses Deceptive Software Installers to Spread Remcos RAT

Analysis: Threat actors are employing fake websites to distribute a downloader malware named Fruity, using trojanized software installers as bait. By disguising the malware within seemingly legitimate CPU fine-tuning tools and PC hardware monitoring apps, users are tricked into downloading the ZIP installer package containing Fruity. Once executed, the installer surreptitiously drops the Python-based Fruity trojan, which employs steganography to conceal two executable (.dll) libraries and shellcode within an image file. Designed to bypass antivirus detection, Fruity then installs the Remcos RAT payload using process doppelgänging, a technique to evade security measures. While the initial access vector for this campaign is unspecified, phishing, drive-by downloads, or malicious ads could be involved. Users are urged to download software solely from trusted sources to mitigate the risk of infection effectively.

In another related disclosure, Bitdefender revealed details of a malspam campaign distributing the Agent Tesla malware, which is adept at harvesting sensitive data from compromised endpoints. Concurrently, a rise in malvertising operations, such as the Nitrogen campaign, has been observed, deploying fraudulent ISO archives via bogus ads impersonating legitimate download pages for popular applications like AnyDesk, WinSCP, Cisco AnyConnect, Slack, and TreeSize. The goal of these campaigns is to propagate infections, obtain credentials, establish persistence, exfiltrate data, and ultimately extort victims.

Access Point recommends the following:

1. Download Software from Trusted Sources: Users should only download software from reputable and verified sources to minimize the risk of unwittingly installing malware.
2. Regularly Update Operating Systems and Applications: Keeping both the operating system and applications up to date is crucial to patch known vulnerabilities and prevent exploitation.
3. Employ Antivirus and Security Software: Having up-to-date antivirus and security software can significantly aid in detecting and preventing malware infections.
4. Exercise Caution with Links and Downloads: Be cautious when clicking on links or downloading files from unknown or suspicious websites to avoid falling victim to malicious campaigns.
5. Regular Data Backups: Regularly back up important data to an external and secure location to mitigate the impact of potential ransomware attacks.

MITRE ATT&CK Technique Numbers associated with this campaign include:

• Initial Access: Drive-by Compromise - Malicious Website - T1189.004
• Initial Access: Phishing - Spearphishing Link - T1566.002
• Defense Evasion: Masquerading - Match Legitimate Name or Location - T1036.005
• Defense Evasion: Hiding Artifacts - Steganography - T1564.003
• Defense Evasion: Obfuscated Files or Information - Indicator Removal on Host - T1027
• Execution: User Execution - Malicious File - T1204
• Defense Evasion: Virtualization/Sandbox Evasion - Process Doppelgänging - T1497.003
• Collection: Data Staged - Data from Local System – T1074

AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service

Analysis: The AVRecon botnet, discovered by Lumen Black Lotus Labs, has been conducting a widespread campaign using compromised small office/home office (SOHO) routers since at least May 2021. This malware possesses dangerous capabilities, allowing it to execute additional commands and steal victims' bandwidth, creating residential proxy services. These proxies conceal malicious activities such as password spraying, web-traffic proxying, and ad fraud. The botnet's scale has surpassed that of QakBot, with over 41,000 infected nodes across 20 countries worldwide.

Further investigations by KrebsOnSecurity and Spur[.]us have revealed that AVRecon is the driving force behind a 12-year-old service named SocksEscort. This service offers cybercriminals access to hacked residential and small business devices, enabling them to mask their true online location. The connection between SocksEscort and AVRecon is supported by direct correlations between their command-and-control (C2) servers. Additionally, SocksEscort exhibits similarities with a Moldovan company named Server Management LLC, which offers the HideIPVPN mobile VPN solution on the Apple Store.

In response to recent disclosures, the AVRecon attackers null-routed their infrastructure, demonstrating their intent to retain control over the botnet for further monetization by enrolling users in the SocksEscort "proxy as a service." Due to infrequent patching against security issues and the lack of support for endpoint detection and response (EDR) solutions, routers and edge appliances have become attractive attack vectors. AVRecon's ability to spawn a shell on compromised machines escalates the threat, allowing threat actors to obscure malicious traffic or deploy additional modules for post-exploitation purposes.

Access Point recommends the following:

1. Regular Firmware Updates: Organizations should prioritize regularly updating router firmware to address security vulnerabilities and minimize the risk of compromise.
2. Strong Passwords: Implement strong and unique passwords for router access to prevent unauthorized entry by threat actors.
3. Router Firewalls and Intrusion Detection: Enable and configure router firewalls and intrusion detection features to proactively defend against potential threats.
4. Network Traffic Monitoring: Regularly monitor network traffic for unusual patterns and activities, enabling early detection of suspicious behavior.
5. Power Cycling Routers: Mitigate potential infections by periodically power-cycling routers to refresh system state and clear any potential malware.

MITRE ATT&CK Technique Numbers associated with this campaign include:

• Initial Access: Exploit Public-Facing Application - T1190
• Execution: Command and Scripting Interpreter - T1059
• Defense Evasion: Indicator Removal on Host - T1070
• Defense Evasion: File Deletion - T1107
• Defense Evasion: Rootkit - T1014
• Defense Evasion: Obfuscated Files or Information - T1027
• Persistence: Hooking - T1179
• Credential Access: Credential Dumping - T1003
• Discovery: Query Registry - T1012
• Collection: Data from Local System - T1074
• Command and Control: Standard Cryptographic Protocol - T1032

BreachForums data base and private chats for sale in hacker data breach

Analysis: The Breached cybercrime forum, known for its involvement in hosting, leaking, and selling stolen data, experienced a data breach in November 2022, exposing over 212,000 records. The compromised data includes usernames, IP and email addresses, private messages, and passwords stored as argon2 hashes. Following the arrest of the site's administrator in March 2023, the forum was shut down. However, a new clone called BFv2 emerged, and the Breached database is now being sold by a data breach seller named Shiny Hunters. The database, valued for its private messages and payment transactions, is offered to potential buyers at a price ranging from $100,000 to $150,000. BleepingComputer has verified the authenticity of the database, and the seller has threatened a potential public release as part of an ongoing effort to harm the community.

The data breach of the Breached forum has attracted the attention of cybersecurity researchers and threat actors alike, as it contains valuable information that could be used for malicious purposes. This incident serves as a reminder for consumers to remain vigilant about the security of their personal information.

Access Point recommends the following:

1. Adopt robust security measures: Use strong and unique passwords for all online accounts to reduce the risk of unauthorized access. Regularly update passwords and avoid reusing them across multiple platforms. Employing a password manager can help manage and generate secure passwords effectively.
2. Enable multi-factor authentication (MFA): Implement MFA wherever possible to add an extra layer of protection to your accounts. This method requires users to provide two or more forms of identification before granting access, making it significantly harder for cybercriminals to breach your accounts.
3. Be cautious with sensitive data sharing: Avoid sharing sensitive information, such as financial details or personal data, on vulnerable online platforms or suspicious websites. Always verify the legitimacy of websites before providing any sensitive information.
4. Utilize secure communication channels: When handling sensitive information, use secure communication channels such as encrypted messaging apps or email services to protect data from interception by unauthorized parties.

MITRE ATT&CK Technique Numbers associated with this campaign include:

• Initial Access: Phishing - T1566
• Execution: Command and Scripting Interpreter - T1059
• Execution: Exploitation for Client Execution - T1203
• Execution: Brute Force - T1110
• Execution: Process Injection -T1055
• Execution: Hijack Execution Flow - T1574
• Credential Access: Credential Dumping - T1003
• Discovery: Network Share Discovery - T1135
• Collection: Data from Local System - T1005
• Collection: Data Staged - T1074
• Command and Control: Encrypted Channel - T1573
• Command and Control: Standard Application Layer Protocol - T1071
• Impact: Data Encrypted for Impact – T1486

Linux version of Abyss Locker ransomware targets VMware ESXi servers

Analysis: The Abyss Locker ransomware operation has recently developed a Linux encryptor specifically targeting VMware ESXi virtual machines in attacks on enterprises. As virtual machines gain popularity for resource management and disaster recovery, ransomware gangs are increasingly focusing on attacking this platform. Abyss Locker, a relatively new ransomware operation, gains unauthorized access to corporate networks, steals data for double-extortion purposes, and encrypts devices on the network. They operate a Tor data leak site to threaten the public release of stolen files if the ransom demands are not met.

Security researchers have discovered that the encryptor utilizes the 'esxcli' command-line VMware ESXi management tool to list and terminate all available virtual machines, allowing for proper encryption of virtual disks, snapshots, and metadata. The ransomware also encrypts other files on the device, appending the .crypt extension to their filenames, making recovery challenging for victims.

Access Point recommends the following:

1. Regular Software Updates and Patching: Regularly update and patch all software and systems, including the ESXi platform, to protect against known vulnerabilities and exploits.
2. Proper Access Controls: Ensure proper access controls are in place to limit privileged access to critical systems and sensitive data.
3. Secure Backups: Back up critical data regularly and store backups offline to prevent ransomware from affecting them in case of an attack.
4. Network Segmentation: Implement network segmentation to limit the lateral movement of threats within the network, reducing the impact of a potential breach.
5. Advanced Endpoint Protection: Employ advanced endpoint protection solutions and intrusion detection systems to detect and prevent ransomware activity.

MITRE ATT&CK Technique Numbers associated with this campaign include:

• Initial Access: External Remote Services - T1133
• Execution: Command and Scripting Interpreter - T1059
• Defense Evasion: Indicator Removal on Host - T1070
• Impact: Data Encrypted for Impact - T1486
• Collection: Data from Local System - T1005
• Collection: Data Staged - T1074
• Command and Control: Encrypted Channel - T1573

Vulnerabilities

CISA issues new warning on actively exploited Ivanti MobileIron bugs

Analysis: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding state hackers exploiting vulnerabilities in Ivanti's Endpoint Manager Mobile (EPMM), previously known as MobileIron Core. These Mobile Device Management (MDM) systems are attractive targets for threat actors due to the extensive access they provide to multiple mobile devices. CISA is particularly concerned about the potential widespread exploitation of these vulnerabilities in both government and private sector networks.

The two flaws being exploited are CVE-2023-35078 and CVE-2023-35081. The first flaw is a critical authentication bypass vulnerability that was exploited as a zero-day in attacks targeting Norwegian government entities. It can be coupled with the second flaw, a directory traversal vulnerability, which allows threat actors with admin privileges to deploy web shells. By exploiting CVE-2023-35078, attackers can create administrative accounts and access specific API paths, potentially leading to the theft of personally identifiable information (PII), such as names, phone numbers, and other mobile device details.

CISA, in collaboration with Norway's National Cyber Security Centre (NCSC-NO), has issued a joint advisory, and U.S. federal agencies have been instructed to patch these vulnerabilities by specific deadlines. Security teams and administrators are urged to immediately upgrade Ivanti EPMM (MobileIron) to the latest version to protect their systems from ongoing attacks. Furthermore, they should consider MDM systems as high-value assets (HVAs) and implement additional restrictions and monitoring to mitigate the risks associated with potential breaches. By taking these measures, organizations can enhance their cybersecurity posture and safeguard their networks and sensitive data.

Access Point recommends the following:

1. Prompt Upgrade: Security teams and administrators should immediately upgrade Ivanti EPMM (MobileIron) to the latest version to secure their systems from potential exploitation.
2. Treat MDM Systems as High-Value Assets: Consider MDM systems as high-value assets (HVAs) and implement additional restrictions and monitoring to mitigate the risks associated with potential breaches, given the elevated access these systems provide to numerous managed devices.

Multiple Flaws Found in Ninja Forms Plugin Leave 800,000 Sites Vulnerable

Analysis: Security company Patchstack recently disclosed multiple vulnerabilities in the popular Ninja Forms plugin for WordPress, affecting over 800,000 websites. The vulnerabilities, known as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, impact versions 3.6.25 and below, and they pose significant risks to website security. Malicious actors could exploit these flaws to escalate privileges and compromise sensitive data.

CVE-2023-37979 is a POST-based reflected cross-site scripting (XSS) vulnerability with a CVSS score of 7.1. It allows unauthenticated users to execute privilege escalation attacks by tricking privileged users into visiting a specially crafted website. On the other hand, CVE-2023-38386 and CVE-2023-38393 are broken access control flaws affecting the form submissions export feature, allowing unauthorized individuals with Subscriber and Contributor roles to export all submissions from Ninja Forms and access sensitive data.

To safeguard their websites against potential threats, Access Point recommends users of the Ninja Forms plugin to update to version 3.6.26, which includes patches to address these security issues.

In addition to the Ninja Forms vulnerabilities, Patchstack also revealed other WordPress component flaws. They identified a reflected XSS vulnerability in the Freemius WordPress software development kit (SDK) before version 2.5.10 (CVE-2023-33999), enabling attackers to gain elevated privileges. Furthermore, Patchstack discovered a critical bug in the HT Mega plugin (CVE-2023-37999) present in versions 2.2.0 and earlier, allowing any unauthenticated user to escalate their privilege to that of any role on the affected WordPress site.

Given these findings, website administrators are strongly advised to stay vigilant about the security of their WordPress installations. Promptly applying updates and patches is essential to mitigate potential risks and ensure the safety of sensitive data.

Zimbra Patches Exploited Zero-Day Vulnerability

Analysis: Zimbra, a widely-used email and collaboration solution, recently addressed a critical cross-site scripting (XSS) vulnerability, identified as CVE-2023-37580, in its Collaboration Suite. The flaw, which affected version 8.8.15, was actively exploited in malicious attacks, prompting immediate action from Zimbra. Clement Lecigne from Google's Threat Analysis Group confirmed the exploitation in live environments.

To mitigate the security risks posed by the vulnerability, Zimbra released software updates for versions 8.8.15, 9.0.0, and 10.0.x of their Collaboration Suite. The patch for CVE-2023-37580 was included in version 8.8.15 patch 41. The update also addressed two other vulnerabilities: CVE-2023-38750, which could expose internal JSP and XML files, and CVE-2023-0464, a bug related to X.509 certificate chain verification in OpenSSL.

The US Cybersecurity and Infrastructure Security Agency (CISA) took prompt action and added CVE-2023-37580 to its Known Exploited Vulnerabilities Catalog. CISA emphasizes the critical nature of such vulnerabilities and requires federal agencies to follow Binding Operational Directive (BOD) 22-01, which mandates addressing vulnerabilities on CISA's 'Must Patch' list within three weeks. For this specific case, patches should be applied by August 17, 2023.

Access Point recommends the following:

1. Apply Software Updates: Users should ensure that they promptly apply the available software updates for versions 8.8.15, 9.0.0, and 10.0.x of Zimbra Collaboration Suite. These updates contain essential security patches to address the identified vulnerabilities.
2. Address XSS Vulnerability (CVE-2023-37580): The XSS vulnerability impacting version 8.8.15 (CVE-2023-37580) is actively being exploited in malicious attacks. It demands immediate attention to prevent potential breaches and data compromises.
3. Mitigate Other Vulnerabilities: Vulnerabilities CVE-2023-38750 and CVE-2023-0464 affect multiple versions of Zimbra Collaboration Suite. Users should take steps to address these flaws as well to mitigate potential risks to their systems and data.
4. Comply with CISA Directive: Organizations, particularly federal agencies, are strongly advised to adhere to the US Cybersecurity and Infrastructure Security Agency's (CISA) directive. As per BOD 22-01, vulnerabilities on CISA's 'Must Patch' list, including CVE-2023-37580, should be patched within three weeks. The deadline for applying the necessary patches is August 17, 2023.

Sources

https://thehackernews.com/2023/07/the-alarming-rise-of-infostealers-how.html

https://thehackernews.com/2023/07/decoy-dog-new-breed-of-malware-posing.html

https://thehackernews.com/2023/07/hackers-abusing-windows-search-feature.html

https://thehackernews.com/2023/07/icedid-malware-adapts-and-expands.html

https://thehackernews.com/2023/07/fruity-trojan-uses-deceptive-software.html

https://thehackernews.com/2023/07/avrecon-botnet-leveraging-compromised.html

https://www.bleepingcomputer.com/news/security/8-million-people-hit-by-data-breach-at-us-govt-contractor-maximus/

https://www.bleepingcomputer.com/news/security/breachforums-database-and-private-chats-for-sale-in-hacker-data-breach/

https://www.bleepingcomputer.com/news/security/linux-version-of-abyss-locker-ransomware-targets-vmware-esxi-servers/

https://www.bleepingcomputer.com/news/security/cisa-issues-new-warning-on-actively-exploited-ivanti-mobileiron-bugs/

https://thehackernews.com/2023/07/multiple-flaws-found-in-ninja-forms.html

https://www.securityweek.com/zimbra-patches-exploited-zero-day-vulnerability/