Cybersecurity News: Zservers takedown, Zelle payment blocks, Finastra data breach

In today’s cybersecurity news…

Dutch Police take down Zservers

Last Wednesday on Cyber Security Headlines, we reported that the U.S., UK, and Australia sanctioned a Russian bulletproof hosting service (BHS), Zservers, and two Russian administrators for supporting LockBit’s ransomware operations. Authorities said Zservers advertised its services on cybercriminal forums to avoid investigations and takedowns. Now, Dutch police have announced that, after an investigation lasting more than a year, they have seized 127 servers from the Russian hosting provider. Authorities have so far discovered hacking tools from Conti and LockBit and continue to investigate the remaining data stored on the seized servers.

(Security Affairs)

Chase to block Zelle payments to sellers on social media

JPMorgan Chase Bank (Chase) says that, starting March 23, it will begin delaying, declining, or blocking Zelle payments to social media contacts. Zelle is a popular digital payment network that integrates with mobile apps of many U.S. banks. Chase updated its user policy, saying Zelle should not be used to buy goods from retailers or merchants, “including on or through social media or social media marketplaces or messaging apps.” Nearly 50% of all Zelle or wire transfer scams reported by Chase customers between June and December 2024 originated on social media. Chase’s policy change also comes on the heels of a lawsuit brought by the U.S. Consumer Financial Protection Bureau (CFPB) against Zelle’s operator and three of its owner banks (Bank of America, JPMorgan Chase, and Wells Fargo) in December, for rushing the service to market without adequate consumer safeguards.

(Bleeping Computer)

Finastra notifies victims of October data breach

The London-based financial software provider serves more than 8,100 financial institutions in 130 countries, including 45 of the world’s top 50 banks. Finastra is now warning an undisclosed number of customers via breach notifications that an unauthorized actor accessed an internally hosted Secure File Transfer Platform (SFTP) system between October 31 and November 8. Although Finastra characterized the risk posed by the data leak as low, the company is providing two years of free credit monitoring and identity restoration services to those affected. The breach is believed to be linked to a (now-deleted) post by a threat actor (“abyss0”) on BreachForums claiming to be selling 400GB of data stolen from Finastra’s network.

(Bleeping Computer)

South Korea removes DeepSeek from app stores

South Korea’s Personal Information Protection Commission announced that the DeepSeek app has been pulled from the Apple App Store and Google Play as of Saturday night. The move follows several South Korean government agencies banning employees from downloading the chatbot as well as numerous reports highlighting security and privacy weaknesses with DeepSeek’s platform. Taiwan and Australia have also banned DeepSeek from all government devices. South Korea’s data protection watchdog said the AI model will become available when “improvements and remedies” are made to ensure it complies with the country’s personal data protection laws. Despite the suspension of new downloads, people who already have DeepSeek on their phones will be able to continue using it or they can access it via DeepSeek’s website.

(BBC)

Huge thanks to our sponsor, Scrut Automation

Scrut Automation allows compliance and risk teams of any size to establish enterprise-grade security programs. Their best-in-class features like process automation, AI, and over 75 native integrations reverse compliance debt and help manage risk proactively as your business grows. Visit scrut.io to schedule a demo or learn more. That’s www.scrut.io.

New Golang-based backdoor relies on Telegram

Netskope Threat Labs found a new backdoor that targets cloud apps to evade detection and uses Telegram for command-and-control (C2). The malicious code connects to Telegram using an open-source Go package to retrieve updates and listen for PowerShell commands. The researchers said the malware appears to be under development, with three of its four supported commands currently functional, and that a chat prompt is written in Russian. Netskope says the malware is very user-friendly and that its use of cloud apps for C2 creates complexity for defenders. The report also details the malware’s indicators of compromise (IoCs).

(Security Affairs)

Pro-Russia hackers target Italian banks and airports

Early Monday morning, a pro-Russia hacker group, NoName057(16), launched a wave of DDoS (distributed denial-of-service) attacks that disrupted the websites of major airports in Milan, as well as the Transport Authority, two major ports, and the Intesa Sanpaolo bank. The Italian National Cybersecurity Agency (ACN) swiftly mitigated the disruptions and said there were no significant impacts to operations. NoName057(16) linked its actions to Italian President Sergio Mattarella’s comments during a speech in Marseille last Friday, in which Mattarella compared Russia’s actions in Ukraine to the Third Reich. NoName057(16) said in a Telegram post, “For such comparisons, Russophobe Mattarella and Italy will receive DDoS ‘rockets’ on their websites.” The Russian Foreign Ministry also warned that such remarks would not go “without consequences.”

(Infosecurity Magazine)

Microsoft spots macOS malware variant used for crypto theft

Microsoft’s Threat Intelligence team has spotted a new variant of the XCSSET macOS malware being used to target victims’ digital wallets and data from their Notes app. The malware has been around for about 5 years and is typically distributed through infected Xcode projects. The current improvements are the first observed since 2022 and include more robust obfuscation techniques, added persistence checks, and new Xcode infection methods. Microsoft recommends inspecting and verifying Xcode projects and codebases cloned from unofficial repositories.

(Bleeping Computer)

Microsoft to remove Location History feature

Microsoft announced the deprecation of the Location History feature from Windows, which can be accessed by applications such as Cortana. The API behind the feature provides apps with locally stored location data collected in the previous 24 hours. Removing the feature means that the data will no longer be saved locally and the setting will disappear from the operating system (Windows 10 and 11). Microsoft has yet to provide the reasons behind deprecating Location History. Developers will need to update their applications to migrate away from the API. Users can deactivate use of their location data at any time through the Privacy & Security settings.

(Bleeping Computer)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.