In one day, Akira ransomware gang leaks data of record number of victims
The Akira ransomware gang, active since March 2023, published 35 new victims on its darknet leak site in a single day, with more entries reportedly being added.
Akira operates as a ransomware-as-a-service platform, enabling affiliates to extort victims by stealing and encrypting data, and has amassed $42 million from 250 attacks in its first year. Cybersecurity experts believe the group consists of seasoned ransomware actors due to its rapid rise and high-profile incidents, including an attack on Tietoevry. Its leak site, styled like an ‘80s monochrome command line interface, features sections for extortion updates and publishing stolen data.
The researchers noted that 32 of the listed victims were entirely new, marking an unprecedented surge, possibly due to new affiliates or previously delayed leaks. This brings Akira to fourth place with 225 victims in total since the beginning of 2024, after LockBit, RansomHub, and Play.
Infostealers spread by fake AI video generators to infect Windows, macOS
Fake AI image and video generators are spreading Lumma Stealer and AMOS malware to infect Windows and macOS devices, targeting cryptocurrency wallets, credentials, and browsing data. Lumma Stealer focuses on Windows, while AMOS targets macOS, both extracting sensitive information from browsers like Chrome, Edge, and Firefox. The stolen data is archived and sent to attackers for use in further attacks or sale on cybercrime marketplaces.
Threat actors have created fake websites impersonating an AI editor called EditPro, promoted via ads and deepfake videos on platforms like X. These sites appear professional, complete with cookie banners, but downloading the "EditProAI" application installs malware instead. The Windows variant is signed with a code-signing certificate that was likely stolen, and both variants use a panel at "proai[.]club" to transmit stolen data.
Victims are advised to treat all saved credentials and cryptocurrency wallets as compromised, reset passwords with unique combinations, and enable multi-factor authentication on sensitive accounts. Information-stealing malware like this has surged globally, often using fake updates, zero-day exploits, or bogus solutions on GitHub and StackOverflow.
WhiteSnake and Meduza information stealers delivered by new BabbleLoader malware
Researchers have uncovered BabbleLoader, a highly evasive malware loader delivering information stealers like WhiteSnake and Meduza.
This loader employs sophisticated anti-detection techniques, such as runtime function resolution, junk code, and metamorphic transformations, to evade antivirus and sandbox defenses. Targeting English- and Russian-speaking users, it disguises itself as cracked or accounting software, making it particularly effective against individuals in finance and administration.
BabbleLoader's constant structural variation forces AI-based detection systems to adapt continuously, often leading to missed threats or false positives.
Data breach of U.K.-based fintech firm Finastra being investigated
U.K.-based fintech giant Finastra, with a revenue of $1.7 billion, is investigating a data breach involving an internal file-transfer application, following an attacker’s claim of stealing sensitive data. The breach, disclosed to customers, prompted an immediate investigation with a third-party cybersecurity firm, leading to the isolation of the affected platform. Finastra stated that no ransomware or malware was deployed, no lateral movement was detected, and customer operations remained unaffected.
The company suspects the breach stemmed from compromised credentials and is prioritizing identifying the root cause. Not all customers used the impacted file-transfer platform, and Finastra is working to determine which clients, if any, were affected. Finastra states that it is maintaining accuracy and transparency in its communications. An attacker using the alias "abyss0" claimed on dark web forums to have stolen 400 GB of data, but their sales threads have since disappeared, potentially indicating a sale or withdrawal.
Finastra, serving 8,000 financial institutions globally, emphasized that the affected platform is not its primary file-transfer tool. The company says it remains in contact with customers, sharing indicators of compromise and addressing concerns while continuing to investigate.
MLB star’s Lamborghini and $250K stolen in separate business email compromise attacks
A Lamborghini Huracan owned by MLB player Kris Bryant was reportedly stolen during transport to Las Vegas. Attackers exploited a “business email compromise” (BEC) scheme, rerouting the vehicle to a different destination. The car, reported missing on October 2, triggered a multiagency investigation led by Colorado’s Cherry Hills Village Police Department.
Using license plate recognition cameras, authorities tracked the truck and trailer to Las Vegas, recovering the Lamborghini on October 7 and arresting multiple suspects. The investigation uncovered two additional stolen vehicles, fake VIN packages, key fobs, and fraudulent registration documents.
In a separate case, U.S.-based iLearningEngines, an AI training software provider, reported a cyberattack that resulted in the theft of $250,000 through a misdirected wire payment, likely via business email compromise. The attacker also deleted emails and accessed unspecified files on the company’s network. iLearningEngines warned that the breach could significantly impact its operations for the quarter ending December 31, 2024, due to ongoing recovery expenses. The company, which serves over 1,000 enterprise clients and went public in April 2024, has not yet disclosed further details about the incident.