Cyber-attack hits Iran’s transport ministry and railways

Websites of Iran’s transport and urbanization ministry went out of service on Saturday after a “cyber-disruption” in computer systems, the official IRNA news agency reported. This follows an outage on Friday, in which Iran’s railways also appeared to come under cyber-attack, with messages about train delays or cancellations posted on display boards at stations across the country. Electronic tracking of trains across Iran reportedly failed. Although a spokesperson has denied that any outages took place, a report from the Fars news agency, now-deleted, said the incident followed “a widespread disruption in … computer systems that is probably due to a cyber-attack.”

(The Guardian)

Hackers use a new technique to disable macro security warnings in weaponized docs

Whereas most malspam campaigns use weaponized Microsoft Office documents or social engineering techniques to trick recipients into enabling the macros, experts from McAfee Labs warn of a new threat that uses non-malicious documents to disable security warnings prior to executing macro code on the recipient’s PC. It starts with a spam message carrying a Microsoft Word document that once opened, downloads a password-protected Microsoft Excel file from a remote server. Once the victim has enabled the macros embedded in the Word document, Word reads the content of the cells from the Excel spreadsheet and uses it to create a new macro for the same XLS file which then executes the Zloader payload using rundll32.exe.

(Security Affairs)

MacOS targeted in WildPressure APT malware campaign

Threat actors known as WildPressure have added a macOS malware variant to their latest campaign targeting energy sector businesses, while enlisting compromised WordPress websites to carry out attacks. Novel malware, initially identified in March 2020 and dubbed Milum, has now been retooled with a PyInstaller bundle containing a trojan dropper compatible with Windows and macOS systems, according to researchers. Compromised endpoints allow the advanced persistent threat (APT) group to download and upload files and execute commands.


FBI warns cryptocurrency owners, exchanges of ongoing attacks

The Federal Bureau of Investigation (FBI) warns cryptocurrency owners, exchanges, and third-party payment platforms of threat actors actively targeting virtual assets in attacks that can lead to significant financial losses. Attackers are using several tactics to steal and launder cryptocurrency, including technical support fraud, SIM swapping (aka SIM hijacking), and taking control of their accounts via identity theft or account takeovers. The FBI issued the warning via a TLP:GREEN Private Industry Notification (PIN) designed to provide cybersecurity professionals with timely defense information.

(Bleeping Computer)

Thanks to our episode sponsor,

Still in the news is REvil’s ransomware attack on Kaseya VSA servers. Varonis is here to help mitigate the blast radius of such attacks. Want a step-by-step guide on what you should be looking for? Visit to help make sure your data is protected.

Critical flaws reported in Sage X3 software

Researchers from Rapid7 have identified four security vulnerabilities in the Sage X3 enterprise resource planning (ERP) product, two of which could be chained together to enable adversaries to execute malicious commands and take control of vulnerable systems. Rapid7 notified Sage Group of their findings in February and the vendor has since rolled out fixes in recent Sage X3 versions that were shipped in March. The researchers noted, “Sage X3 installations should not be exposed directly to the internet, and should instead be made available via a secure VPN connection where required. Following this operational advice effectively mitigates all four vulnerabilities, though customers are still urged to update according to their usual patch cycle schedules.”

(The Hacker News)

Chinese state-sponsored activity group targets Taiwan tech firms

In this most recent activity, the group likely used compromised GlassFish servers and Cobalt Strike in initial access operations before switching to the bespoke Winnti, ShadowPad, and Spyder backdoors for long-term access using dedicated actor-provisioned command and control infrastructure, according to Recorded Future. Among the organizations targeted is the Industrial Technology Research Institute (ITRI) in Taiwan which is a technology research and development institution that has set up and incubated multiple Taiwanese technology firms. In recent years, Chinese groups have targeted multiple organizations across Taiwan’s semiconductor industry to obtain source code, software development kits, and chip designs.

(Recorded Future)

Magecart hackers hide stolen credit card data in images for evasive exfiltration

Cybercrime actors working as part of the Magecart group have latched on to a new technique of obfuscating the malware code within comment blocks and encoding stolen credit card data into images and other files hosted on servers. To further mask the presence of malicious code in the PHP files used, the adversaries use a concatenation technique where code is combined with additional chunks of text that do not do anything but add a layer of obfuscation making it somewhat more difficult to detect.

(The Hacker News)

Spike in “chain gang” destructive attacks on ATMs

Potentially as a way to highlight the oft underreported successes in cybersecurity, Brian Krebs this week released an article on so-called chain gangs, groups of well-trained teams who rip ATMs physically out of the floors of gas stations and malls, using stolen construction equipment. A representative from Travelers insurance stated that the attacks are spreading state to state and that in the year ending June 2021 they saw a 257 percent increase in the number of insurance claims related to ATM smash-and-grabs. The relative ease of physical destruction of ATMs as compared to cybercrime is also helped by the fact that they are treated by law enforcement as property crimes, and whereas bank robbery is a felony, robbing an unattended ATM is not.

(Krebs On Security)