Cyber Security RESOURCES

On Friday March 28, 2025 CISA released a report with analysis of a new malware variant CISA has identified and named as RESURGE. RESURGE is a persistent malware that shares similar characteristics to the malware SPAWNCHIMERA. Please review the information that is taken directly from CISA and compiled by DefenseStorm Director of Cyber Threat Intelligence to learn more about RESURGE, its capabilities, and attack vectors.

Business Email Compromise (BEC) is a sophisticated email scam where cybercriminals trick victims into transferring funds or sharing sensitive data. Learn more about common BEC attack types, how they work, and essential strategies for protection.

Microsoft 365 accounts are facing an extensive password spraying attack by a Chinese botnet, which possesses the ability to bypass multifactor authentication (MFA). This botnet comprises over 130,000 compromised devices, utilizing stolen credentials from infostealer accounts and then systematically attempting to log into M365 accounts globally.

As the excitement of Black Friday and Cyber Monday draws shoppers in with unbeatable deals and discounts, it’s important to remember that the online shopping frenzy also brings increased cybersecurity risks.

CISA is alerting the public to be cautious of potential cyber scams following hurricanes. After major natural disasters, fraudulent emails and social media messages—often containing harmful links or attachments—are common.

In April 2024, a known threat actor calling themselves USDoD claimed to possess and sell approximately 2.9 billion records from National Public Data, which included individuals’ personal data from people in the US, UK, and Canada.

News is emerging about AT&T’s disclosure of what they term as ‘Unlawful Access of Customer Data.’  The majority of AT&T customer data was illegally downloaded from their workspace on a third-party cloud platform from May 2022 through October 31, 2022 and on January 2, 2023.

In late June 2024, LockBit cybercriminal group claimed responsibility for having breached a government agency with plans to release the stolen data. It was revealed that the group actually breached Evolve Bank and Trust.

Reports of a massive AT&T data leak have surfaced, with around seventy million customers potentially affected. The data is reportedly for sale on a leak forum or website.

DefenseStorm is aware of an incident involving  AnyDesk and the compromise of some of their production systems.  The incident was reported by AnyDesk on 2/2/2024.  We have not been able to locate any usable technical details or IOCs at this time.  AnyDesk is a widely used remote desktop software that allows users to access and control computers from anywhere in the world.

A recent vulnerability has been discovered for Confluence Server and Data Center and is being tracked as CVE-2023-22518.  At this time of this writing, this vulnerability is NOT known to have been exploited; however, Atlassian is recommending that those impacted take immediate action.  The below information was taken directly from the Atlassian FAQ page for CVE-2023-22518, and the page was last updated on November 1, 2023.

Xenomorph, an Android banking trojan, has resurfaced in a more advanced form. Originally discovered in early 2022, this malicious software was initially targeted at European banks using screen overlay phishing techniques and was distributed through Google Play. However, the latest iteration of Xenomorph has expanded its scope to include over 35 financial institutions in the United States and various cryptocurrency applications. 

If you haven’t already, you will likely begin to see cyber news headlines about a massive data exposure related to Microsoft.  While the exposure is bad and nothing to overlook, the report coming from Microsoft is that “ No customer data was exposed, and no other internal services were put at risk because of this issue. No customer action is required in response to this issue.” This was taken directly from Microsoft’s Security Research and Defense page.   

With the recent natural disasters that have occurred, it’s important to be aware that bad actors will attempt to leverage those devasting incidents for gain.  CISA has released a warning urging users to be aware of malicious activity when these types of incidents occur.  Please read the below alert from CISA.

While nothing official has been published by LinkedIn at the time of this post, accounts on the platform appear to be coming under attack in some type of hacking campaign of unknown origin.  Users are reporting on multiple other outlets that their accounts have been taken over, locked out of their accounts, and having difficulty resetting accounts to regain access

Internal communication applications, IE: Slack, MS Teams, etc.  Criminals are establishing domains that appear to be from legitimate technical support entities and then attempting to reach out to individuals to gain access to target users’ devices.  The below article was authored by Microsoft Threat Intelligence and taken from Microsoft directly and provides additional detail and threat actor attribution for these types of attacks.

Since March of 2023 a new mobile malware has been pushing the Android banking trojan “Anatsa” to online banking customers located in the United States, United Kingdom, Austria, Switzerland and Germany. It has since become one of the most prolific banking malware, targeting over 400 financial institutions across the world.

On June 12, 2023, a critical Remote Code Execution (RCE) vulnerability was discovered in Fortinet’s popular FortiGate firewalls, posing a significant security risk for organizations relying on these devices for network protection. The vulnerability, identified as a critical flaw, could potentially allow malicious actors to execute arbitrary code on affected FortiGate firewalls.

Defensestorm is aware of the recent disclosure of the Barracuda Email Security Gateway Application (ESG) Vulnerability and has been actively monitoring for potential Indications of Compromise.