close
close
Your Network of Tomorrow
Your Network of Tomorrow
Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.
          Experience Netskope
          Get Hands-on With the Netskope Platform
          Here's your chance to experience the Netskope One single-cloud platform first-hand. Sign up for self-paced, hands-on labs, join us for monthly live product demos, take a free test drive of Netskope Private Access, or join us for a live, instructor-led workshops.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            A Leader in SSE. Now a Leader in Single-Vendor SASE.
            Netskope debuts as a Leader in the Gartner® Magic Quadrant™ for Single-Vendor SASE
              Securing Generative AI for Dummies
              Securing Generative AI for Dummies
              Learn how your organization can balance the innovative potential of generative AI with robust data security practices.
                Modern data loss prevention (DLP) for Dummies eBook
                Modern Data Loss Prevention (DLP) for Dummies
                Get tips and tricks for transitioning to a cloud-delivered DLP.
                  Modern SD-WAN for SASE Dummies Book
                  Modern SD-WAN for SASE Dummies
                  Stop playing catch up with your networking architecture
                    Understanding where the risk lies
                    Advanced Analytics transforms the way security operations teams apply data-driven insights to implement better policies. With Advanced Analytics, you can identify trends, zero in on areas of concern and use the data to take action.
                        The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                        The 6 Most Compelling Use Cases for Complete Legacy VPN Replacement
                        Netskope One Private Access is the only solution that allows you to retire your VPN for good.
                          Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                          Colgate-Palmolive Safeguards its "Intellectual Property” with Smart and Adaptable Data Protection
                            Netskope GovCloud
                            Netskope achieves FedRAMP High Authorization
                            Choose Netskope GovCloud to accelerate your agency’s transformation.
                              Let's Do Great Things Together
                              Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.
                                Netskope solutions
                                Netskope Cloud Exchange
                                Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.
                                  Netskope Technical Support
                                  Netskope Technical Support
                                  Our qualified support engineers are located worldwide and have diverse backgrounds in cloud security, networking, virtualization, content delivery, and software development, ensuring timely and quality technical assistance
                                    Netskope video
                                    Netskope Training
                                    Netskope training will help you become a cloud security expert. We are here to help you secure your digital transformation journey and make the most of your cloud, web, and private applications.

                                      Threat Labs News Roundup: March 2023

                                      Apr 10 2023

                                      Summary

                                      The purpose of the Netskope Threat Labs News Roundup series is to provide enterprise security teams an actionable brief on the top cybersecurity news from around the world. The brief includes summaries and links to the top news items spanning cloud-enabled threats, malware, and ransomware.

                                      Top Stories

                                      BlackLotus bootkit targeting Windows 11

                                      Researchers found that an UEFI bootkit known as BlackLotus is able to successfully bypass the UEFI Secure Boot on fully updated Windows 11 systems, being sold on forums for $5,000. Details

                                      CVE-2023-21716 PoC released by security researcher

                                      After the Microsoft Word RCE vulnerability (CVE-2023-21716) was fixed by Microsoft, the security researcher that discovered the vulnerability released a proof-of-concept (PoC) on Twitter. Details

                                      Emotet returns after brief hiatus

                                      After a brief hiatus, a new Emotet campaign was spotted, where attackers behind Emotet have added a technique known as binary padding to bypass detection. Details

                                      Microsoft Outlook Zero-day Exploited by APT28

                                      Microsoft warns about the Microsoft Outlook vulnerability (CVE-2023-23397) being exploited by APT28 (a.k.a. Fancy Bear, Pawn Storm), an APT group linked to Russia’s military intelligence service GRU. Details

                                      Microsoft releases update for Acropalypse

                                      Microsoft released an emergency security update to address a vulnerability known as Acropalypse (CVE-2023-28303), fixing an issue in the Snipping tool of Windows 10 and 11. Details

                                      OpenAI confirms data breach on ChatGPT

                                      OpenAI has confirmed a bug in ChatGPT that resulted in a data breach, where users could see data belonging to other users. Details

                                      Cybersecurity Events in Ukraine

                                      Russia bans foreign messaging apps

                                      The Russian agency Roskomnadzor has warned that the use of foreign messaging applications, such as Discord, WhatsApp, and Teams, is being banned in Russian government and state agencies. Details

                                      Russian disinformation campaign uncovered

                                      Researchers have found a social engineering campaign that involves duping high-profile individuals who support Ukraine into making comments and performing embarrassing acts on videos, and then using those videos in misinformation campaigns. Details

                                      Russian attackers shifting to cyber espionage

                                      The State Service of Special Communication and Information Protection (SSSCIP) of Ukraine says that Russian attackers that failed to achieve their goals in 2022 are shifting from disruptive attacks to cyber espionage. Details

                                      Russia-linked APT group targeting governments

                                      Researchers found that a Russia-linked APT group named Winter Vivern is targeting government entities in Ukraine, Poland, Italy, and India in recent campaigns. Details

                                      Russian spy ring dismantled by Polish counter-intelligence

                                      A Russian spy ring that gathered intelligence on military equipment deliveries to Ukraine and was preparing acts of sabotage on behalf of Russia has been dismantled by Polish counter-intelligence. Details

                                      Ukraine’s critical sectors attacked by new APT

                                      Researchers found that a new APT group named Bad Magic has been targeting Ukraine’s government, agriculture, and transportation organizations located in Crimea, Lugansk, and Donetsk. Details

                                      Russia worldwide cyberwar plans exposed

                                      A Russian contractor leaked thousands of confidential documents that expose Russia military and intelligence agencies’ plans for using their tools in cyber attacks to conduct critical infrastructure disruptions, disinformation campaigns, and more. Details

                                      Cloud-enabled Threats

                                      RedLine Stealer abusing dropbox to target hospitality industry

                                      Researchers found a RedLine Stealer campaign targeting the hospitality industry, where attackers use spear phishing emails to lure victims into downloading the malware from Dropbox. Details

                                      PyPI malware abusing Discord and Transfer.sh

                                      A malicious package hosted in Python Package Index (PyPI) was found delivering an information stealer and remote access trojan, abusing Discord to fetch the payload and transfer.sh for data exfiltration. Details

                                      Attackers abusing AWS to steal confidential data

                                      A new campaign dubbed as SCARLETEEL was discovered, where attackers are exploiting vulnerable public web applications hosted on AWS to steal proprietary software and credentials. Details

                                      Abusing Google Cloud Platform for data exfiltration

                                      Researchers have found that an attacker could exploit Google Cloud Platform (GCP) to exfiltrate sensitive data due to lack of visibility in Google storage logs. Details

                                      Rhadamanthys and RedLine stealers delivered through Google Ads

                                      New campaigns that are abusing Google Ads to deliver Rhadamanthys and RedLine infostealers were found, using a technique to mimic websites associated with Notepad++ and Blender 3D software. Details

                                      BATLOADER abusing Google Ads to deliver multiple malware

                                      BATLOADER has been observed abusing Google Ads to deliver Vidar Stealer and Ursnif payloads, spoofing multiple legitimate apps such as Adobe, ChatGPT, Spotify, Tableau, and Zoom. Details

                                      YouTube abused to spread multiple malware

                                      Researchers found that attackers are using AI-generated YouTube videos containing fake tutorials to spread multiple stealers, such as Raccoon, RedLine, and Vidar. Details

                                      Adobe Acrobat Sign abused to deliver RedLine

                                      A new campaign was found where attackers are abusing Adobe’s online document signing service to spread RedLine stealer. Details

                                      Ransomware

                                      FBI and CISA warns about Royal ransomware

                                      The FBI and CISA have released a joint advisory about the increase of Royal ransomware attacks targeting critical U.S. infrastructure sectors, including healthcare, education and communication. Details

                                      Play ransomware claims attack on City of Oakland

                                      The Play ransomware group has claimed responsibility for the attack on the City of Oakland that disrupted IT systems in February 2023. Details

                                      LockBit demanding $2 million as ransom

                                      The LockBit ransomware group is demanding $2 million as ransom in return for the Pierce Transit stolen data, which was breached in February 2023. Details

                                      Members of DoppelPaymer ransomware arrested

                                      Germany and Ukraine authorities have arrested suspected core members of the DoppelPaymer ransomware group. Details

                                      IceFire ransomware now targeting Linux

                                      A new version of the recently discovered IceFire ransomware was discovered by researchers, able to encrypt files in Linux-based systems. Details 

                                      Clop ransomware extorting GoAnywhere zero-day victims

                                      The Clop ransomware group is extorting victims of the zero-day vulnerability in GoAnywhere file sharing software, where they claim to have stolen data from 130 companies. Details

                                      Microsoft fixes zero-day used in Magniber ransomware attacks

                                      The vulnerability tracked as CVE-2023-24880 that was being used by attackers to deploy Magniber ransomware payloads is now fixed by Microsoft. Details

                                      BrianLian ransomware moving away from encryption

                                      The BrianLian ransomware group is updating its operation by moving away from encryption and focusing on pure data-theft and extortion tactics. Details

                                      Clop ransomware claims responsibility for attack on City of Toronto

                                      The Clop RaaS group is claiming responsibility for a ransomware attack on the City of Toronto, where they used the GoAnywhere zero-day vulnerability. Details

                                      author image
                                      Gustavo Palazolo
                                      Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection.
                                      Gustavo Palazolo is an expert in malware analysis, reverse engineering and security research, working many years in projects related to electronic fraud protection.

                                      Stay informed!

                                      Subscribe for the latest from the Netskope Blog