Back 
Summary
The purpose of the Netskope Threat Labs News Roundup series is to provide enterprise security teams an actionable brief on the top cybersecurity news from around the world. The brief includes summaries and links to the top news items spanning cloud-enabled threats, malware, and ransomware.
Top Stories
BlackLotus bootkit targeting Windows 11
Researchers found that an UEFI bootkit known as BlackLotus is able to successfully bypass the UEFI Secure Boot on fully updated Windows 11 systems, being sold on forums for $5,000. Details
CVE-2023-21716 PoC released by security researcher
After the Microsoft Word RCE vulnerability (CVE-2023-21716) was fixed by Microsoft, the security researcher that discovered the vulnerability released a proof-of-concept (PoC) on Twitter. Details
Emotet returns after brief hiatus
After a brief hiatus, a new Emotet campaign was spotted, where attackers behind Emotet have added a technique known as binary padding to bypass detection. Details
Microsoft Outlook Zero-day Exploited by APT28
Microsoft warns about the Microsoft Outlook vulnerability (CVE-2023-23397) being exploited by APT28 (a.k.a. Fancy Bear, Pawn Storm), an APT group linked to Russia’s military intelligence service GRU. Details
Microsoft releases update for Acropalypse
Microsoft released an emergency security update to address a vulnerability known as Acropalypse (CVE-2023-28303), fixing an issue in the Snipping tool of Windows 10 and 11. Details
OpenAI confirms data breach on ChatGPT
OpenAI has confirmed a bug in ChatGPT that resulted in a data breach, where users could see data belonging to other users. Details
Cybersecurity Events in Ukraine
Russia bans foreign messaging apps
The Russian agency Roskomnadzor has warned that the use of foreign messaging applications, such as Discord, WhatsApp, and Teams, is being banned in Russian government and state agencies. Details
Russian disinformation campaign uncovered
Researchers have found a social engineering campaign that involves duping high-profile individuals who support Ukraine into making comments and performing embarrassing acts on videos, and then using those videos in misinformation campaigns. Details
Russian attackers shifting to cyber espionage
The State Service of Special Communication and Information Protection (SSSCIP) of Ukraine says that Russian attackers that failed to achieve their goals in 2022 are shifting from disruptive attacks to cyber espionage. Details
Russia-linked APT group targeting governments
Researchers found that a Russia-linked APT group named Winter Vivern is targeting government entities in Ukraine, Poland, Italy, and India in recent campaigns. Details
Russian spy ring dismantled by Polish counter-intelligence
A Russian spy ring that gathered intelligence on military equipment deliveries to Ukraine and was preparing acts of sabotage on behalf of Russia has been dismantled by Polish counter-intelligence. Details
Ukraine’s critical sectors attacked by new APT
Researchers found that a new APT group named Bad Magic has been targeting Ukraine’s government, agriculture, and transportation organizations located in Crimea, Lugansk, and Donetsk. Details
Russia worldwide cyberwar plans exposed
A Russian contractor leaked thousands of confidential documents that expose Russia military and intelligence agencies’ plans for using their tools in cyber attacks to conduct critical infrastructure disruptions, disinformation campaigns, and more. Details
Cloud-enabled Threats
RedLine Stealer abusing dropbox to target hospitality industry
Researchers found a RedLine Stealer campaign targeting the hospitality industry, where attackers use spear phishing emails to lure victims into downloading the malware from Dropbox. Details
PyPI malware abusing Discord and Transfer.sh
A malicious package hosted in Python Package Index (PyPI) was found delivering an information stealer and remote access trojan, abusing Discord to fetch the payload and transfer.sh for data exfiltration. Details
Attackers abusing AWS to steal confidential data
A new campaign dubbed as SCARLETEEL was discovered, where attackers are exploiting vulnerable public web applications hosted on AWS to steal proprietary software and credentials. Details
Abusing Google Cloud Platform for data exfiltration
Researchers have found that an attacker could exploit Google Cloud Platform (GCP) to exfiltrate sensitive data due to lack of visibility in Google storage logs. Details
Rhadamanthys and RedLine stealers delivered through Google Ads
New campaigns that are abusing Google Ads to deliver Rhadamanthys and RedLine infostealers were found, using a technique to mimic websites associated with Notepad++ and Blender 3D software. Details
BATLOADER abusing Google Ads to deliver multiple malware
BATLOADER has been observed abusing Google Ads to deliver Vidar Stealer and Ursnif payloads, spoofing multiple legitimate apps such as Adobe, ChatGPT, Spotify, Tableau, and Zoom. Details
YouTube abused to spread multiple malware
Researchers found that attackers are using AI-generated YouTube videos containing fake tutorials to spread multiple stealers, such as Raccoon, RedLine, and Vidar. Details
Adobe Acrobat Sign abused to deliver RedLine
A new campaign was found where attackers are abusing Adobe’s online document signing service to spread RedLine stealer. Details
Ransomware
FBI and CISA warns about Royal ransomware
The FBI and CISA have released a joint advisory about the increase of Royal ransomware attacks targeting critical U.S. infrastructure sectors, including healthcare, education and communication. Details
Play ransomware claims attack on City of Oakland
The Play ransomware group has claimed responsibility for the attack on the City of Oakland that disrupted IT systems in February 2023. Details
LockBit demanding $2 million as ransom
The LockBit ransomware group is demanding $2 million as ransom in return for the Pierce Transit stolen data, which was breached in February 2023. Details
Members of DoppelPaymer ransomware arrested
Germany and Ukraine authorities have arrested suspected core members of the DoppelPaymer ransomware group. Details
IceFire ransomware now targeting Linux
A new version of the recently discovered IceFire ransomware was discovered by researchers, able to encrypt files in Linux-based systems. Details
Clop ransomware extorting GoAnywhere zero-day victims
The Clop ransomware group is extorting victims of the zero-day vulnerability in GoAnywhere file sharing software, where they claim to have stolen data from 130 companies. Details
Microsoft fixes zero-day used in Magniber ransomware attacks
The vulnerability tracked as CVE-2023-24880 that was being used by attackers to deploy Magniber ransomware payloads is now fixed by Microsoft. Details
BrianLian ransomware moving away from encryption
The BrianLian ransomware group is updating its operation by moving away from encryption and focusing on pure data-theft and extortion tactics. Details
Clop ransomware claims responsibility for attack on City of Toronto
The Clop RaaS group is claiming responsibility for a ransomware attack on the City of Toronto, where they used the GoAnywhere zero-day vulnerability. Details
Read the blog