Land Registry agency in Greece suffers limited-scope data breach
The Land Registry agency in Greece announced a limited-scope data breach following 400 cyberattacks targeting its IT infrastructure over the past week. Attackers compromised employee terminals, stealing 1.2 GB of data, roughly 0.0006% of the agency's total data, primarily consisting of administrative documents.
The stolen data does not include citizens' personal information and is not expected to impact the agency's operations. Attackers attempted to create a malicious user to infiltrate the central database but failed, and their subsequent attempt to exfiltrate a backup was blocked.
The agency's investigation, aided by the Cybersecurity Directorate, found no evidence of ransomware. As a precaution, all employees' passwords have been reset, and two-factor authentication has been mandated to protect accounts from unauthorized access.
Hacker groups PINEAPPLE and FLUXROOT exploit Google Cloud serverless projects for credential phishing
A financially motivated actor based in Latin America, codenamed FLUXROOT, has been leveraging Google Cloud serverless projects for credential phishing, exploiting the cloud computing model's flexibility and ease of use.
FLUXROOT used Google Cloud container URLs to host phishing pages targeting login information for Mercado Pago, a popular online payment platform in LATAM. The group is known for distributing the Grandoreiro banking trojan and using legitimate cloud services like Microsoft Azure and Dropbox for their campaigns.
Google's cloud infrastructure has also been abused by another actor, PINEAPPLE, to spread Astaroth malware targeting Brazilian users. Google has mitigated these threats by taking down malicious projects and updating its Safe Browsing Lists, highlighting the challenge of detecting malicious activities that blend into normal network operations.
Beijing-based hacker group Daggerfly targets Taiwan and U.S. NGO with MgBot and MACMA malware
A Beijing-affiliated hacking group, Daggerfly, has targeted organizations in Taiwan and a U.S. nongovernmental organization (NGO) in China with an upgraded set of malware tools.
Researchers reported that Daggerfly exploited a vulnerability in an Apache HTTP server to deliver their MgBot malware, indicating the group also engages in internal espionage. Known since 2012 and previously targeting African telecom providers, Daggerfly has quickly updated its toolset to maintain espionage activities.
The latest attacks include a new malware family based on MgBot and an improved version of the macOS malware, MACMA, which can harvest sensitive information and execute commands. This is the first explicit link between MACMA and Daggerfly, with further connections seen in overlapping source code and shared command-and-control servers.
MacOS users targeted by North Korean hackers with updated BeaverTail stealer malware
Cybersecurity researchers have identified an updated variant of BeaverTail, a stealer malware used by DPRK-affiliated attackers in cyber espionage campaigns targeting job seekers. This variant is delivered through an Apple macOS disk image named "MiroTalk.dmg," mimicking the legitimate video call service but instead deploying BeaverTail.
Initially documented in November 2023, BeaverTail targets software developers through fake job interviews and is now distributed via this new vector. The malware steals sensitive information from web browsers and cryptowallets and can deliver additional payloads like the Python backdoor InvisibleFerret.
North Korean attackers likely lured victims into downloading the infected MiroTalk by posing as potential employers. Analysis shows the malware targets cryptocurrency wallets, iCloud Keychain, and web browsers, and downloads more malicious scripts from a remote server. Lately, researchers discovered a Windows version of the malicious MiroTalk installer ("MiroTalk.msi"), indicating that the campaign is targeting both macOS and Windows users.
The Superior Court of Los Angeles County shuts down after network breach
The largest trial court in the United States, the Superior Court of Los Angeles County, closed all 36 courthouse locations to restore systems affected by a ransomware attack. The court has over 4,800 employees and operates 41 court facilities in 26 cities across the County of Los Angeles, serving a population of over 10 million.
The attack impacted the entire network, including external systems like the MyJuryDuty Portal and internal case management systems. An official statement noted that many network systems were still inaccessible, necessitating the closure to restore essential networks.
The attack, disclosed on Saturday July 20, began the previous day, and forced the Court to disable all network systems to contain the breach. The Court found no evidence of compromised data and is working with various law enforcement agencies to investigate the incident and assess its impact.