Cybercrime: why Octo Tempest is the most dangerous financially motivated APT

Microsoft, through its security division, is warning about Octo Tempest, a cybercriminal group newly profiled by the company that appears particularly interested in the financial information of the victims it targets.

The hackers, affiliated with the BlackCat ransomware group, which a year ago claimed an attack on the network of GSE, Italy's energy services operator, use a range of techniques to get into networks and deploy their malware.

"Octo Tempest is a financially motivated, English-speaking collective known for launching wide-ranging campaigns," the company writes on the official Microsoft Security blog. "The group has been observed since early 2022, with attacks on mobile telecommunications companies and business process outsourcing providers. Octo Tempest initially monetized its intrusions by selling victims' SIM card data to other criminals and by moving money from compromised accounts into cryptocurrency wallets."

According to Microsoft's investigation, the members of this so-called "gang" have deep technical knowledge. They often obtain initial access through social engineering, trying to gather as much information as possible through email or chat messages aimed at the organization's technical staff.

Once inside, the attackers begin reconnaissance, exploring the infrastructure and working their way up to ever higher privilege levels by impersonating the users whose accounts they compromise along the way.

Microsoft urges companies to carry out more thorough checks on access to their networks, where appropriate restricting the most sensitive files to specific employees. "Reducing the number of users who are permanently assigned critical roles is fundamental to defending against this actor," the note explains.

https://www.key4biz.it/cybercrime-perche-octo-tempest-e-lapt-finanziario-piu-pericoloso%ef%bf%bc%ef%bf%bc/465160/




In Other News: Ex-NSA Employee Spying for Russia, EU Threat Landscape, Cyber Education Funding

SecurityWeek is publishing a weekly cybersecurity roundup that provides a concise compilation of noteworthy stories that might have slipped under the radar.

We provide a valuable summary of stories that may not warrant an entire article, but are nonetheless important for a comprehensive understanding of the cybersecurity landscape.

Each week, we will curate and present a collection of noteworthy developments, ranging from the latest vulnerability discoveries and emerging attack techniques to significant policy changes and industry reports.

Here are this week’s stories:  

HTTP DDoS attacks on the rise

Cloudflare says it has mitigated thousands of hyper-volumetric HTTP DDoS attacks during the third quarter of the year, which contributed to a 65% quarter-on-quarter increase in HTTP DDoS attack traffic, with gaming and gambling organizations being hit the most. Q3 also marked a surge in DDoS attacks targeting Israeli newspaper and media websites, financial institutions, and government domains. 

ENISA Threat Landscape 2023 report


The European Union Agency for Cybersecurity (ENISA) has published the eleventh installment of its threat landscape report, identifying DDoS attacks and ransomware as the top threats. The landscape, the agency notes, has been greatly influenced by the Russia-Ukraine war, with numerous hacktivist groups joining the fray. More and more threat actors are professionalizing their as-a-service program. 

FTC details efforts to combat cross-border fraud and ransomware attacks

The Federal Trade Commission has submitted two reports to the US Congress. The first details the commission’s efforts to implement the SAFE WEB act in combating cross-border fraud, while the second addresses questions about its activities regarding China, Russia, North Korea, and Iran, as well as its contribution to combating ransomware and other cyberattacks originating from outside the US.

Cyber.org receives $6.8 million in funding for K-12 cyber education

The US cybersecurity agency CISA has awarded $6.8 million in funding to the nonprofit Cyber.org, to support the educational growth of K-12 students. The funding will help deliver the resources and training that educators and caregivers need to provide cybersecurity content to students.

Clearview AI successfully appeals UK privacy fine

Clearview AI, a company that allows clients to search a database of billions of internet-harvested images, has won an appeal against a £7.5 million (roughly $9.1 million) fine, BBC reports. Last year, the UK's Information Commissioner's Office (ICO) fined Clearview AI for unlawfully storing facial images, but a tribunal found that the ICO lacked jurisdiction because the company provides its service only to foreign law enforcement and national security bodies.

Microsoft launches early access program for Security Copilot

Microsoft this week kicked off the early access program for Security Copilot, an AI assistant for security teams. Leveraging large language models and Microsoft’s global threat intelligence, Security Copilot is meant to help security teams more efficiently fight adversaries and get actionable recommendations. It also provides direct access to Microsoft Defender Threat Intelligence.

MitM attack on the largest Russian XMPP (Jabber) messaging service

A man-in-the-middle (MitM) attack on the servers of the jabber.ru (aka xmpp.ru) service, hosted at Hetzner and Linode, is believed to have been set up as lawful interception. Using TLS certificates legitimately issued by Let's Encrypt for the service's domains, the attacker hijacked STARTTLS-upgraded XMPP connections on port 5222 and could read client traffic in the clear. The interception was noticed only when one of the rogue certificates expired and clients began reporting certificate errors.
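The rogue certificates in the jabber.ru case were publicly logged from the day they were issued, because every Let's Encrypt certificate lands in Certificate Transparency. An operator who diffs CT log entries for their domains against the certificates their own ACME client actually obtained sees the stranger immediately instead of months later at expiry. The block below is an added example, not code from the jabber.ru operators or from the page: it runs that diff over a constructed sample in the JSON shape crt.sh returns (`issuer_name`, `name_value` with newline-separated SANs, `serial_number`, `not_before`, `not_after`). The domain names, serials, timestamps and the `KNOWN_SERIALS` set are all assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of crt.sh's JSON output
# (crt.sh/?q=<domain>&output=json). Domain, serials and timestamps are invented.
SAMPLE_CT_JSON = r"""
[
 {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "xmpp.example-xmpp.org", "serial_number": "03a1f2",
  "not_before": "2023-04-18T08:00:00", "not_after": "2023-07-17T08:00:00"},
 {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "xmpp.example-xmpp.org", "serial_number": "03b7c9",
  "not_before": "2023-07-10T08:00:00", "not_after": "2023-10-08T08:00:00"},
 {"id": 1003, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "name_value": "xmpp.example-xmpp.org\nexample-xmpp.org", "serial_number": "04ee01",
  "not_before": "2023-07-18T12:00:00", "not_after": "2023-10-16T12:00:00"}
]
"""

# Serials of the certificates our own ACME client obtained, e.g. collected with
# `openssl x509 -in cert.pem -noout -serial` after each issuance (assumed values).
KNOWN_SERIALS = {"03a1f2", "03b7c9"}
WATCHED_NAMES = {"xmpp.example-xmpp.org"}


def _norm_serial(s):
    # crt.sh and openssl differ in case, colons and leading zeros
    return s.lower().replace(":", "").lstrip("0") or "0"


def parse_ct_entries(raw_json):
    """Parse crt.sh-style entries; name_value holds newline-separated SANs."""
    entries = json.loads(raw_json)
    for e in entries:
        e["sans"] = set(e["name_value"].split("\n"))
        e["not_before_dt"] = datetime.fromisoformat(e["not_before"]).replace(tzinfo=timezone.utc)
        e["not_after_dt"] = datetime.fromisoformat(e["not_after"]).replace(tzinfo=timezone.utc)
    return entries


def find_unexpected_certs(entries, known_serials, watched_names, renewal_window_days=30):
    """Alert on every logged cert for a watched name that we never requested.

    A second reason is attached when the stranger was issued while a cert we do
    know about still had well over a renewal window of validity left: an ACME
    client renews near expiry, not mid-lifetime, so that timing is itself a tell.
    """
    known = {_norm_serial(s) for s in known_serials}
    ours = [e for e in entries if _norm_serial(e["serial_number"]) in known]
    alerts = []
    for e in entries:
        if _norm_serial(e["serial_number"]) in known or not (e["sans"] & watched_names):
            continue
        reasons = ["serial not in our ACME issuance records"]
        for k in ours:
            remaining = (k["not_after_dt"] - e["not_before_dt"]).days
            if k["not_before_dt"] <= e["not_before_dt"] and remaining > renewal_window_days:
                reasons.append(f"issued while known cert {k['serial_number']} "
                               f"still had {remaining} days of validity left")
                break
        alerts.append({"id": e["id"], "serial": e["serial_number"],
                       "issuer": e["issuer_name"], "sans": sorted(e["sans"]),
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_certs(parse_ct_entries(SAMPLE_CT_JSON),
                                       KNOWN_SERIALS, WATCHED_NAMES):
        print(json.dumps(alert, indent=2))
```

In production the JSON would come from a scheduled crt.sh query (or a CT monitor such as certspotter) and `KNOWN_SERIALS` from the ACME client's own storage; crt.sh lists a precertificate and its final certificate under the same serial, so the serial, not the log entry id, is the right join key.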

Caliptra security assessment uncovers 26 vulnerabilities

NCC Group has published details on a recent security assessment of Caliptra, an open source root-of-trust silicon IP block for datacenter-focused server-class ASICs. The investigation identified 26 vulnerabilities, all of which have been addressed by the Caliptra team.

FDD warns of Chinese company’s ascension in the electric vehicle industry

The Foundation for Defense of Democracies (FDD) says that the rise of Fujian-based Contemporary Amperex Technology Co. Ltd. (CATL) as the largest manufacturer of lithium-ion batteries reflects China's intention to dominate the electric vehicle market. The FDD warns that CATL could leverage its position to monitor vehicles and disable charging networks, potentially threatening the US energy grid.

Former NSA employee faces lifetime prison sentence for espionage attempt

Former NSA employee Jareh Sebastian Dalke, 31, of Colorado Springs, admitted in court this week to having had access to classified documents and to having been willing to share them with an FBI covert operative posing as a Russian agent. Arrested in September 2022 after he transmitted the classified documents, and scheduled for sentencing in April 2024, he faces up to life in prison, the US Department of Justice announced.

Related: In Other News: Energy Services Firm Hacked, Tech CEO Gets Prison Time, X Glitch Leads to CIA Channel Hijack

Related: In Other News: Ex-Uber Security Chief Appeal, New Offerings From Tech Giants, Crypto Bounty

https://www.securityweek.com/in-other-news-ex-nsa-employee-spying-for-russia-eu-threat-landscape-cyber-education-funding/




China Crackdown on Cyber Scams in Southeast Asia Nets Thousands but Leaves Networks Intact

Zhang Hongliang, a former restaurant manager in central China, took various gigs in and outside China to support his family after losing his job during the COVID-19 pandemic.

In March, a job offer to teach Chinese cooking at a restaurant led him into a cyber scam compound in Myanmar, where he was instead ordered to lure Chinese into giving up their savings for fake investment schemes via social media platforms.

Zhang is one of tens of thousands of people, mostly but not all Chinese, who have become ensnared in cyber scam networks run by powerful Chinese criminal syndicates in Southeast Asia. Regional and Chinese authorities have netted thousands of people in a crackdown, but experts say they are failing to root out the local elites and criminal networks that are bound to keep running the schemes.

When scam operations are shut down in one place they often just resurface elsewhere. The problem is an embarrassment for Beijing and is discouraging ordinary Chinese from traveling to Southeast Asia out of fear they might be duped or kidnapped and caught up in a cyber scam operation.

In recent years, media reports have uncovered instances of young people being lured to places in Cambodia or Myanmar for high-paying jobs, only to be forced to work as scammers. Rescue organizations say people are regularly beaten or face physical punishments such as being forced to run laps if they don’t perform well.

In August, China, Thailand, Laos and Myanmar agreed to set up a joint police operations center to tackle cyber scams in the region. On Oct. 10, China’s Ministry of Public Security announced that its “Summer Operation” had successfully brought back 2,317 scam suspects from northern Myanmar to China.

China calls such people suspects, though experts say most of them are victims who were forced to work for the criminals. They question how they will be treated once back in China.


The schemes based in countries like Myanmar, Laos and Cambodia are run by Chinese bosses hand-in-hand with local elites. Many are based in places where China has financed big construction projects through leader Xi Jinping’s signature Belt and Road Initiative.

Myanmar’s border regions long have been a magnet for criminals — historically including drug producers and traffickers — because of lax law enforcement. Such places are generally under the control of ethnic minority armed groups, either opposed to or allied with Myanmar’s central government. Some also cooperate with organized crime gangs.

“From the vantage point of the Chinese government, it’s a source of extreme embarrassment that you have so many of these Chinese criminals operating all across Southeast Asia,” said Jason Tower, an expert on transnational crime with the United States Institute of Peace.

The syndicates also are known for “pig butchering” cons, where scammers entice individuals, often halfway across the world, to invest their money in bogus schemes after duping them into digital romances.

The scammers divide their targets into two categories: Chinese and non-Chinese. They use scripts, images of models and influencers and translation software to trick the people they contact by phone or online into parting with their money. Victims can be anywhere in the world.

The criminals have “ridden on the shoulders of the Belt and Road Initiative,” said Tower, who outlined links between the criminals and Chinese state enterprises, think tanks and government officials in a 2020 report written for the United States Institute of Peace.

Zhang was working in Thailand and on a visa run to Laos when he met the man who lured him to the scam compound in Myanmar. Giving what he said was his last name, Gao, he claimed to be a broker and travel agent for Chinese living in Thailand. Zhang and his wife wanted extra money to pay for in vitro fertilization to have another child. Gao suggested he go work in Myawaddy, in eastern Myanmar’s Kayin state, teaching a local chef how to cook Chinese dishes in Gao’s new restaurant. The pay would be double what Zhang made in China.

Zhang was wary. Since a 2021 coup, military-controlled Myanmar has been embroiled in civil conflict. But Gao reassured him that he wouldn’t be doing anything illegal and said the restaurant would have plenty of customers since many cyber scam businesses were operating in the area.

That might have raised a red flag but it was only once he got to Myanmar that Zhang realized his predicament. He asked to go back home, saying there was a family emergency. His family helped him scrape together some 40,000 yuan ($5,472) to pay off the debt Gao claimed he owed him, and he slipped away one night, swimming across the Moei River into Thailand, where he turned himself in to Thai police, who contacted the Chinese Embassy.

Zhang showed the AP copies of his deportation notice from the Thai Immigration police and a temporary ID card. He returned to China in late June and was questioned by Chinese police but not detained. He has been sharing his story on Douyin, the Chinese version of TikTok, to alert others to the risks and says people often contact him about relatives trapped in cyber scam compounds.

“We all went out with this wonderful sense of hope, but then reality slammed us in the face,” he said.

In total, some 4,000 suspects have been detained abroad and returned to China.

The Ministry of Public Security has claimed “breakthrough results” through operations in coordination with Myanmar authorities. On Monday, they announced they had repatriated another 2,349 people. The ministry did not respond to a faxed request for comment.

One 31-year-old former chef who was smuggled into Myanmar's Wa State earlier this year said he saw his company hand over four people to Chinese police with little fanfare in September. Other companies did the same, said the man, who was later rescued by a nonprofit organization. He declined to be named out of fear of government retribution, and The Associated Press could not independently verify his account.

Overall, the enforcement actions don’t seem very comprehensive, experts say. The groups now based in Myanmar originally were located in Cambodia. When Cambodia cracked down on online gambling rings and illegal casinos in 2019, many of the groups just moved to less well policed places in Myanmar. Some were taken over by rival gangs.

China’s efforts to repair its image have so far not made much headway, said Thitinan Pongsudhirak, a professor of political science at Thailand’s Chulalongkorn University.

“You can crack down on these symptoms and the manifestations … that you can see in the borderland areas,” he said, “but they’ll come back unless you really have a sustained effort.”

Related: UN Warns Hundreds of Thousands in Southeast Asia Roped Into Online Scams

Related: Spain Arrests Hackers in Crackdown on Major Criminal Organization

Related: Crackdown on African Cybercrime Leads to Arrests, Infrastructure Takedown

https://www.securityweek.com/china-crackdown-on-cyber-scams-in-southeast-asia-nets-thousands-but-leaves-networks-intact/




In Other News: Energy Services Firm Hacked, Tech CEO Gets Prison Time, X Glitch Leads to CIA Channel Hijack


Here are this week’s stories:

Tech CEO Sentenced to prison for wire fraud

Micfo LLC CEO Amir Golestan has been sentenced to five years in prison for using a network of shell companies to deceive ARIN and obtain the rights to more than 735,000 IP addresses, with an estimated value between $10 million and $14 million. The "sentence sends an important message of deterrence to other parties contemplating fraudulent schemes to obtain or transfer Internet resources", ARIN said.

Energy industry services firm hacked 


Weymouth, Massachusetts-based BHI Energy has revealed that the PII and PHI of more than 91,000 individuals was exposed in a June 2023 cyber incident. Compromised data includes names, addresses, dates of birth, Social Security numbers, and potential medical and claims information related to the company’s health plan. BHI provides services and staffing solutions to the industrial, oil & gas, and power generation markets.

Eastern European charged, extradited to US for selling computer credentials

Sandu Diaconu, 31, of Moldova, has been charged in the US for operating an online portal for selling stolen credentials, the E-Root Marketplace. Authorities believe that more than 350,000 credentials for RDP and SSH access were listed for sale on the marketplace. Diaconu, who was extradited from the UK, faces up to 20 years in prison for computer fraud, wire fraud, and money laundering conspiracy.

Indian national pleads guilty in US court to computer-hacking scheme

Sukhdev Vaid, 24, of India, has pleaded guilty in a US court to participating in a computer-hacking scheme to steal $150,000 from a 73-year-old US woman. Vaid and co-conspirators hacked her computer, made it look as if it was infected with malware, and directed her to call a number for customer support, where she was instructed to withdraw money from her bank account and give it to the fraudsters for safekeeping. Co-conspirator Eddly Joseph pleaded guilty to the scheme in August.

Admin credential leak flaw in Synology NAS DSM

A weak random number generator in Synology's DiskStation Manager (DSM) platform running on its NAS products allowed attackers to reconstruct the administrator password generated during setup and take over the admin account, Claroty reports. The vulnerability, tracked as CVE-2023-2729, will not be addressed on certain versions of Synology Router Manager (SRM).
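The failure mode Claroty describes, a password derived from a non-cryptographic random source, is easy to reproduce and worth seeing next to its fix. The block below is an added example, not Synology's code and not the exact mechanism Claroty analysed: it generates a password from a time-seeded `random.Random`, then shows how an attacker who knows roughly when setup ran recovers it by replaying the generator over a window of candidate seeds against a login oracle; the `secrets`-based generator beside it has no seed to replay. The alphabet, password length, epoch timestamp and the ten-minute search window are assumptions.

```python
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # assumed character set
PASSWORD_LEN = 12                                  # assumed length


def generate_password_weak(setup_time_seconds):
    """Vulnerable pattern: a non-cryptographic PRNG (Mersenne Twister here)
    seeded from a low-entropy value, the setup time in whole seconds.
    The whole password is a deterministic function of that one integer."""
    rng = random.Random(setup_time_seconds)
    return "".join(rng.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def recover_weak_password(login_oracle, approx_setup_time, window_seconds=600):
    """Attacker side: replay the generator for every plausible seed and ask the
    oracle (a login attempt, or a leaked hash to compare against) whether the
    candidate is right. About 1,200 tries for a ten-minute window.
    Returns (seed, password) or None."""
    for delta in range(-window_seconds, window_seconds + 1):
        seed = approx_setup_time + delta
        candidate = generate_password_weak(seed)
        if login_oracle(candidate):
            return seed, candidate
    return None


def generate_password_strong():
    """Hardened form: characters drawn from the OS CSPRNG via `secrets`.
    There is no seed to guess and no internal state to reconstruct."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PASSWORD_LEN))


def demo():
    """Set up a victim with the weak generator and recover its password."""
    true_setup_time = 1_700_000_000        # assumed: device set up at this epoch second
    victim_password = generate_password_weak(true_setup_time)

    def login_oracle(candidate):           # stands in for a login endpoint
        return candidate == victim_password

    # The attacker only knows setup happened "a couple of minutes" around this time.
    recovered = recover_weak_password(login_oracle, true_setup_time + 137)
    return victim_password, recovered


if __name__ == "__main__":
    password, recovered = demo()
    print("weak password:", password, "recovered as:", recovered)
    print("strong password (different every run):", generate_password_strong())
```

The same replay works against any generator whose state is a function of something an attacker can bound or observe, which is why a setup password, API key or reset token must come from `secrets` (or the platform's CSPRNG), never from `random`, `Math.random()` or a time-seeded `rand()`.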

Amazon passkey implementation leaves room for improvement

Tech startup Corbado analyzes Amazon’s implementation of passkeys across devices and browsers, flagging issues leading to domain redirection, user confusion, and unnecessary verification steps. The firm also finds the implementation lacking features such as Conditional UI and native app support. 

X (formerly Twitter) glitch leads to CIA channel hijack

A bug on the CIA’s account on X (formerly Twitter) has allowed a security researcher to redirect potential contacts to a different domain than CIA’s official Telegram channel for informants, BBC reports. The link, added to CIA’s X account recently, was truncated by the social media platform in a manner that led to an unused Telegram username, which the researcher registered. Anyone clicking the link on X would then land on the researcher’s channel.

‘Admin’ still the most popular password

An analysis of more than 1.8 million passwords shows that ‘admin’ remains the most popular, CTEM solutions provider Outpost24 says. Default passwords are still widely accepted and IT administrators prove as predictable when selecting a password as end-users are, despite an industry push to stronger passwords.

Cybercriminals targeting plastic surgery

The FBI warns (PDF) of the increased interest that cybercriminals are showing in plastic surgery offices and patients to steal PII and sensitive medical records, and to extort victims. Using phishing, the attackers deploy malware to plastic surgery offices, harvest the data of plastic surgery patients, and then contact doctors and victims to pressure them into making extortion payments. 

Eastern European industrial companies targeted with updated MATA malware

Spear-phishing emails targeting industrial companies in Eastern Europe were seen deploying new malware belonging to the MATA cluster, which was previously associated with North Korea-linked hacking group Lazarus, Kaspersky reports (PDF). The attacks used new versions of MATA (such as MataDoor and a Linux variant), USB drives to infect air-gapped networks, information stealers, and security bypass tools. 

Attackers infect secure USB drives at APAC governments

As part of a long-running campaign, a highly-skilled threat actor has been observed infecting secure USB drives at government organizations in the APAC region. The infected drives allowed the attackers to infect air-gapped systems, execute commands, and harvest information that was passed to other machines using the same USB drives as a carrier. 

https://www.securityweek.com/in-other-news-energy-services-firm-hacked-tech-ceo-gets-prison-time-x-glitch-leads-to-cia-channel-hijack/




Authorities Seize Control of RagnarLocker Ransomware Dark Web Site

The dark web site that the RagnarLocker ransomware group used for naming and shaming victims was seized on Thursday as part of a coordinated law enforcement effort.

Active since 2020, RagnarLocker has been involved in numerous attacks, with at least 52 entities across 10 critical infrastructure sectors falling victims to this ransomware family, according to data from the Federal Bureau of Investigation (FBI).

Unlike other ransomware operations, RagnarLocker was not promoted as ransomware-as-a-service, but was operated by a private group that cooperated with other cybercriminals only when needed.

On infected machines, RagnarLocker gathers and exfiltrates system information, iterates through all drives, terminates services that could interfere with the encryption process, and then encrypts the files of interest, skipping folders and files whose encryption would impede the system's operation.

Like other ransomware groups, the RagnarLocker cybergang exfiltrated victims' data to use for extortion. In some cases, the group only stole data for extortion, without deploying file-encrypting ransomware.

The cybergang then listed the alleged victims of its attacks on a Tor-hosted leak site, threatening to release the stolen data publicly unless a ransom was paid.
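The service-termination step is the last noisy thing the ransomware does before encryption starts, and it is visible in process-creation telemetry: one parent process spawning a burst of `net stop`, `sc stop` and `taskkill` children within seconds. The block below is an added example, not from the page or from any vendor's detection content: it runs a sliding-window burst detector over constructed Sysmon-style Event ID 1 records (`Computer`, `UtcTime`, `ParentProcessId`, `ParentImage`, `Image`, `CommandLine`). Hostnames, PIDs, paths, service names, timestamps and the four-in-sixty-seconds threshold are all assumptions.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation (Event ID 1) records, one JSON object
# per line. FS01 shows a pre-encryption service-stopping burst from one parent;
# WS07 shows a single legitimate "net stop" that must not alert.
SAMPLE_EVENTS = r"""
{"Computer":"FS01","EventID":1,"UtcTime":"2023-10-19 03:14:01.220","ParentProcessId":4120,"ParentImage":"C:\\Users\\Public\\update.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd /c dir C:\\Shares"}
{"Computer":"FS01","EventID":1,"UtcTime":"2023-10-19 03:14:02.101","ParentProcessId":4120,"ParentImage":"C:\\Users\\Public\\update.exe","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net stop vss /y"}
{"Computer":"FS01","EventID":1,"UtcTime":"2023-10-19 03:14:02.540","ParentProcessId":4120,"ParentImage":"C:\\Users\\Public\\update.exe","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net stop MSSQLSERVER /y"}
{"Computer":"FS01","EventID":1,"UtcTime":"2023-10-19 03:14:03.002","ParentProcessId":4120,"ParentImage":"C:\\Users\\Public\\update.exe","Image":"C:\\Windows\\System32\\sc.exe","CommandLine":"sc stop SQLWriter"}
{"Computer":"FS01","EventID":1,"UtcTime":"2023-10-19 03:14:03.410","ParentProcessId":4120,"ParentImage":"C:\\Users\\Public\\update.exe","Image":"C:\\Windows\\System32\\taskkill.exe","CommandLine":"taskkill /F /IM sqlservr.exe"}
{"Computer":"FS01","EventID":1,"UtcTime":"2023-10-19 03:14:04.120","ParentProcessId":4120,"ParentImage":"C:\\Users\\Public\\update.exe","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net stop BackupExecAgentAccelerator /y"}
{"Computer":"FS01","EventID":1,"UtcTime":"2023-10-19 03:14:05.000","ParentProcessId":612,"ParentImage":"C:\\Windows\\System32\\services.exe","Image":"C:\\Windows\\System32\\svchost.exe","CommandLine":"svchost.exe -k netsvcs"}
{"Computer":"WS07","EventID":1,"UtcTime":"2023-10-19 03:20:11.000","ParentProcessId":2244,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net stop Spooler"}
"""

# Command shapes that stop services or kill processes (assumed list, extend as needed).
STOP_PATTERNS = [
    re.compile(r"\bnet1?(?:\.exe)?\s+stop\b", re.I),
    re.compile(r"\bsc(?:\.exe)?\s+(?:stop|delete)\b", re.I),
    re.compile(r"\btaskkill(?:\.exe)?\b.*?/(?:f|im)\b", re.I),
    re.compile(r"\bStop-Service\b", re.I),
]


def parse_events(raw):
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def is_stop_command(cmdline):
    return any(p.search(cmdline) for p in STOP_PATTERNS)


def detect_service_kill_bursts(events, window=timedelta(seconds=60), min_count=4):
    """One alert per (host, parent process) whose stop/kill children reach
    min_count inside any sliding window of the given length."""
    by_parent = defaultdict(list)
    for e in events:
        if e.get("EventID") != 1 or not is_stop_command(e.get("CommandLine", "")):
            continue
        ts = datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        key = (e["Computer"], e["ParentProcessId"], e["ParentImage"])
        by_parent[key].append((ts, e["CommandLine"]))

    alerts = []
    for (host, ppid, pimage), items in by_parent.items():
        items.sort()
        best = (0, 0, 0)                       # (count, start index, end index)
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1                     # slide the window forward
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        count, s, en = best
        if count >= min_count:
            alerts.append({"host": host, "parent_pid": ppid, "parent_image": pimage,
                           "count": count, "first_seen": items[s][0].isoformat(),
                           "commands": [c for _, c in items[s:en + 1]]})
    return alerts


if __name__ == "__main__":
    for alert in detect_service_kill_bursts(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

Keying on the parent process rather than the host is what keeps an administrator's scripted maintenance (one `net stop` from a console) out of the alert while still catching a dropper that fans out a dozen stops; pair this rule with a response action, because by the time the burst is complete the encryption loop is seconds away.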

Starting Thursday, a message displayed in English on the RagnarLocker ransomware operation’s Tor-based website informs visitors that “this service has been seized as part of a coordinated international law enforcement action against the RagnarLocker group.”


Authorities in a dozen countries were involved in this effort, including law enforcement agencies in France, Germany, Italy, Latvia, the Netherlands, Slovakia, Spain, and the US, coordinated by Europol.

This year, law enforcement operations also led to the shutdown of other nefarious dark web sites, including the Hive ransomware portal in January, the Genesis Market cybercrime marketplace in April, and the drugs marketplace Piilopuoti in September.

Related: Deep Dive Into Ragnar Locker Ransomware Targeting Critical Industries

Related: Law Enforcement Blowback Powering Anti-Ransomware Success

Related: Tor-Based Drug Marketplace Piilopuoti Shut Down by Law Enforcement

Related: Feedback Friday: Industry Reactions to Hive Ransomware Takedown

https://www.securityweek.com/authorities-seize-control-of-ragnarlocker-ransomware-dark-web-site/




Fraud Detection Firm Spec Raises $15 Million

Fraud detection and defense startup Spec this week announced that it has raised $15 million in a Series A funding round that brings the total raised by the company to more than $29 million.

The new investment round was led by SignalFire, with additional funding from Legion Capital and Rally Ventures.

Founded in 2020, the San Jose, California-based company focuses on protecting online transactions from fraudulent attacks.

According to Spec, its no-code orchestration platform can prevent modern attacks, including those powered by AI, from blocking, bypassing, or manipulating fraud defenses. It scans user sessions to monitor the activity and respond to attacks in real time.

The solution helps organizations identify and remediate vulnerabilities in their fraud defenses, prevent reverse engineering, improve defenses with actionable insights, and monitor and manage fraud vendor solutions.

Spec’s platform also integrates with popular fraud, ecommerce, and customer experience applications, allowing rapid deployment without having to write additional code.

The new funding will allow Spec to advance its platform, expand its threat labs, and work with partners on specialized fraud prevention solutions.


“As we look ahead, our commitment to serving enterprises in retail, ticketing, and marketplaces remains stronger than ever. This funding accelerates our efforts to deliver unparalleled security solutions for these amazing businesses,” Spec co-founder and CEO Nate Kharrl said.

Related: CipherStash Raises $3 Million for Encryption-in-Use Technology

Related: Fraud Prevention Firm Fingerprint Raises $33 Million

Related: Anonybit Raises $3 Million for Biometric Authentication Platform

Related: Generative AI Startup Nexusflow Raises $10.6 Million

https://www.securityweek.com/fraud-detection-firm-spec-raises-15-million/




Operations of Healthcare Solutions Giant Henry Schein Disrupted by Cyberattack

Healthcare solutions giant Henry Schein recently disclosed a cybersecurity incident that disrupted some of its business operations and may have resulted in a data breach.

The company revealed on October 15 that its manufacturing and distribution businesses had been hit by a cyberattack a day earlier.

Henry Schein said it took some of its systems offline to contain the incident, which caused temporary disruption to business operations, but the practice management software used by customers has not been impacted. 

However, at the time of writing, the company’s website is still inaccessible, informing visitors of technical difficulties. 

“The Company has engaged outside cybersecurity and forensic information technology experts to help investigate any data impact and respond to this situation. Henry Schein also has notified relevant law enforcement authorities,” the company said in a brief statement.

The company has not shared any other details on the cyberattack, but its brief description suggests that it may have involved ransomware. SecurityWeek has checked the leak websites of several major ransomware groups, but has found no mention of Henry Schein at the time of writing.

We have reached out to Henry Schein for more information and will update this article if the firm responds. 


Headquartered in Melville, New York, Henry Schein provides business, clinical, supply chain and technology solutions to dental and other medical organizations. The company has 23,000 employees and its solutions are used by more than one million customers globally.

Related: 1 Million Impacted by Data Breach at NextGen Healthcare

Related: IBM Discloses Data Breach Impacting Janssen Healthcare Platform

Related: Personal Information of 11 Million Patients Stolen in Data Breach at HCA Healthcare

https://www.securityweek.com/operations-of-healthcare-solutions-giant-henry-schein-disrupted-by-cyberattack/




Finland Charges Psychotherapy Hacker With Extortion

Finland on Wednesday charged a hacker, accused of the theft of tens of thousands of records from psychotherapy patients, with over 21,000 counts of extortion, the national prosecutor announced.

“The suspect is held on remand and has denied being guilty of the offenses,” the National Prosecution Authority said in a statement.

The prosecutor is seeking a seven-year prison sentence for the defendant, Aleksanteri Kivimaki, previously known as Julius Kivimaki.

In the 2018 breach of the Finnish firm Vastaamo, which operated dozens of psychotherapy centers across the Nordic country, the private treatment records of tens of thousands of patients were stolen.

After stealing the records, Kivimaki initially sought to extort over 360,000 euros ($381,000) in bitcoin from Vastaamo in exchange for not leaking the records, according to the prosecutor.

When Vastaamo refused to pay, Kivimaki started leaking the records as a means of putting pressure on the company.

According to the prosecution, Kivimaki also sent extortion letters to patients demanding sums ranging from 200 to 500 euros to prevent the disclosure of records of their therapy sessions.


Kivimaki was also charged with 9,598 counts of dissemination of information infringing on personal privacy.

Following a European arrest warrant issued by the Finnish police in October 2022, he was arrested in the Paris region on February 3.

Kivimaki has previously been convicted on various charges of cybercrime, fraud, and money laundering, as well as 50,700 data breaches carried out in conjunction with a hacker group in over a hundred countries.

The trial is scheduled to begin on November 13 and is expected to last until February of next year.

https://www.securityweek.com/finland-charges-psychotherapy-hacker-with-extortion/




Three Months After Patch, Gov-Backed Actors Exploiting WinRAR Flaw

Malware hunters in Google’s Threat Analysis Group (TAG) say government-backed hacking groups from different countries are feasting on a well-documented security flaw in the popular WinRAR file archiving utility more than three months after patches were released.

The WinRAR code execution vulnerability, tracked as CVE-2023-38831, was fixed in July after zero-day exploitation was detected but now, three months later, Google says APT groups linked to Russia and China are still using the exploit with success.

“Cybercrime groups began exploiting the vulnerability in early 2023, when the bug was still unknown to defenders. A patch is now available, but many users still seem to be vulnerable,” Google’s Kate Morgan said in a note documenting the APT discoveries. “After a vulnerability has been patched, malicious actors will continue to rely on n-days and use slow patching rates to their advantage.”

Morgan said the flaw, which allows attackers to execute arbitrary code when a user attempts to view a benign-looking file (such as an ordinary PNG file) within a ZIP archive, has been known since at least April 2023 and immediately attracted the interest of threat actors.
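The publicly documented trigger for CVE-2023-38831 is an archive that holds a benign-looking top-level file whose name ends in a space (say `invoice.pdf `) alongside a directory of exactly the same name containing a script; when the user opens the file, the script is what runs. An archive can be screened for that shape at the mail gateway or on an upload endpoint without extracting anything. The block below is an added example, not Google's, RARLAB's or any vendor's code: it builds a constructed ZIP in memory with an inert placeholder script, plus a clean archive, and a detector that walks the entry list looking for the file/directory name collision. The filenames and the set of script extensions are assumptions, and the sample archive carries no payload.

```python
import io
import os
import zipfile

# Extensions Windows would execute as code when the decoy is "opened" (assumed list).
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".vbs", ".js", ".ps1", ".exe",
                     ".scr", ".com", ".wsf", ".lnk"}


def build_sample_archive(malicious=True):
    """Constructed test input. The 'malicious' shape mirrors the documented
    trigger: a top-level file with a trailing space and a directory of the
    same name holding a script. The script body is an inert placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if malicious:
            zf.writestr("invoice.pdf ", b"%PDF-1.4 placeholder")
            zf.writestr("invoice.pdf /invoice.pdf .cmd",
                        b"rem inert placeholder, not a payload\r\n")
        else:
            zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
            zf.writestr("images/logo.png", b"\x89PNG placeholder")
    return buf.getvalue()


def find_cve_2023_38831_pattern(zip_bytes):
    """Return (decoy, script_entry, decoy_has_trailing_space) for every top-level
    file that shares its name, case-insensitively, with a directory containing a
    script-like entry. Only the central directory is read; nothing is extracted."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    findings = []
    top_level_files = [n for n in names if "/" not in n]
    for decoy in top_level_files:
        prefix = decoy.lower() + "/"
        for entry in names:
            lower = entry.lower()
            if not lower.startswith(prefix) or lower == prefix:
                continue
            # rstrip() so "invoice.pdf .cmd" resolves to ".cmd" despite the space
            ext = os.path.splitext(entry.rstrip())[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append((decoy, entry, decoy != decoy.rstrip()))
    return findings


if __name__ == "__main__":
    for label, blob in (("malicious", build_sample_archive(True)),
                        ("clean", build_sample_archive(False))):
        print(label, find_cve_2023_38831_pattern(blob))
```

A file and a directory sharing a name is already abnormal in a legitimately built archive, so a hit with the trailing-space flag set is a strong signal; the same walk works for RAR if the entry list is read with a RAR library, since the bug is in how WinRAR resolves the name, not in the ZIP container.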

“Hours after the blog post [about zero-day exploitation] was released, proof of concepts and exploit generators were uploaded to public GitHub repositories. Shortly after that, TAG began to observe testing activity from both financially motivated and APT actors experimenting with CVE-2023-38831,” Morgan added.

In one case, Google TAG detected the Russia-linked Sandworm group delivering decoy PDF documents and malicious ZIP files exploiting the WinRAR bug. Sandworm, which is attributed to the Russian Armed Forces' Main Directorate of the General Staff (GRU), used the exploit to deliver a commodity infostealer that collects and exfiltrates browser credentials and session information from infected machines.

Morgan documented another incident where APT28, another hacking team linked to the Russian GRU, used a free hosting provider to serve an exploit for CVE-2023-38831 to targeted users in Ukraine.


Google said it also caught government-backed groups linked to China launching WinRAR exploits in targeted attacks against users in Papua New Guinea.

“The widespread exploitation of the WinRAR bug highlights that exploits for known vulnerabilities can be highly effective, despite a patch being available. Even the most sophisticated attackers will only do what is necessary to accomplish their goals,” Morgan warned.

Security defects in WinRAR are routinely targeted by cybercriminals and APT groups. SecurityWeek has reported on multiple WinRAR exploitation incidents recently, including use by financially motivated hackers against traders and by government-backed advanced threat actors.

Related: Traders Targeted by Cybercriminals in Attack Exploiting WinRAR Zero-Day

Related: WinRAR Vulnerability Exploited to Deliver New Malware

Related: Recently Patched WinRAR Flaw Exploited in APT Attacks

Related: Hackers Exploit WinRAR Vulnerability to Deliver Malware

https://www.securityweek.com/three-months-after-patch-gov-backed-actors-exploiting-winrar-flaw/




Darwinium Raises $18 Million for Edge-Based Fraud Prevention Tech

Darwinium, a San Francisco startup in the fraud prevention space, has nabbed $18 million in new capital to build technology to help businesses deal with the deluge of bots, scams and online abuse.

The company, which has roots in Australia, said the $18 million Series A round was led by U.S. Venture Partners (USVP).  Darwinium’s seed-stage investors Blackbird, Airtree Ventures and Accomplice also took new equity positions.

Since its launch in 2021, Darwinium has raised $26 million to work on a digital security and fraud prevention platform running on the perimeter edge.

The company is boasting that its platform combines digital security with fraud prevention to create a single view of customer journeys across the web, mobile apps and APIs and provide fraud analytics with customer journey orchestration tooling.

Darwinium argues that its unique integration point — running on the perimeter edge via Content Delivery Networks (CDNs) — gives businesses a continuous view of user behavior, from pre-authentication, through account creation, login, change-of-details, and payments, all via one deployment. 

“Moving fraud and risk decisions to the perimeter edge is privacy preserving and low latency. It also removes the reliance on ‘point-in-time’ API-based solutions that are vulnerable to exploitation via operational silos and disjointed risk assessments,” the company added.

Darwinium said customers are using its platform to separate human and bot traffic, add downstream context from upstream user behavior, protect customers from account takeover and identity spoofing, identify scams and social engineering behaviors, block content and promo abuse, and detect fraudulent payments.


Last November, Darwinium announced a $10 million seed round and said its product had already been adopted by organizations in the banking, ecommerce, gaming, payments, and travel sectors.

The company is founded by Alisdair Faulkner, who previously founded and scored an exit with ThreatMetrix, a fraud detection firm that was acquired for $817 million in 2018.

Related: Darwinium Raises $10 Million for Customer Protection Platform

Related: Descope Targets Customer Identity Market with Massive $53M Seed Round

Related: Investors Place Early $4 Million Bet on Stack Identity

Related: Prove Identity Snags $40M Funding for ID Verification Tech

https://www.securityweek.com/darwinium-raises-18-million-for-edge-based-fraud-prevention-tech/