According to Mandiant incident responders and threat hunters, suspected Chinese state-sponsored hackers who exploited Ivanti Connect Secure VPN flaws to breach a number of organizations have showed "a nuanced understanding of the appliance." They were able to make several changes to the device as well as install specialized malware and plugins to ensure persistence across system upgrades, patches, and factory resets.

The US government recently added Canadian network intelligence firm Sandvine to its Entity List, effectively banning organizations from trading with it.  The Waterloo, Ontario-based company provides network policy control products that support networking policies to enable congestion management, security, and censorship.  The US Department of Commerce announced that Sandvine was added to its trade restrictions list for providing the Egyptian government with the technology needed for mass surveillance and censorship.

A threat actor is conducting an investment scam using a Traffic Distribution System (TDS) that leverages the Domain Name System (DNS) to keep its malicious domains changing and resistant to takedowns. The "Savvy Seahorse" threat actor impersonates well-known brand names and uses Facebook ads in nine languages to trick victims into creating accounts on a fraudulent investing platform. Once victims add money to their accounts, the funds are transferred to what is believed to be an attacker-controlled account at a Russian state-owned bank.

Lazarus Group, the North Korean state-sponsored cyber threat group, exploited a flaw in the Windows AppLocker driver to gain kernel-level access and disable security tools, bypassing Bring Your Own Vulnerable Driver (BYOVD) techniques. The activity was detected by Avast analysts, who reported it to Microsoft, resulting in a fix for the flaw, now tracked as CVE-2024-21338. According to Avast, Lazarus Group exploited the vulnerability to create a read/write kernel primitive in an updated version of its FudModule rootkit, which previously abused a Dell driver for BYOVD attacks.

Epic Games recently announced that it found zero evidence of a cyberattack or data theft after the Mogilevich extortion group claimed to have breached the company's servers.  Epic Games noted that they immediately began investigating the incident after seeing a screenshot of the dark web page promoting the breach and attempted to contact the threat actor.  However, the company said they have not received a response from Mogilevich.

Global pharmaceutical solutions provider Cencora recently announced that it fell victim to a cyberattack that resulted in personal information being stolen from its systems.  The data breach was identified on February 21.  It is currently unclear exactly what type of data has been exfiltrated and who it belongs to, whether it’s employees or customers.  The company noted that it has taken steps to contain the incident, and an investigation has been launched with the assistance of law enforcement and external cybersecurity experts, but it provided no further details.

Xeno RAT has been made available on GitHub, allowing other threat actors to use it. According to its developer, the open-source Remote Access Trojan (RAT), written in C# and compatible with Windows 10 and Windows 11 operating systems, includes a comprehensive set of features for remote system management. It has a SOCKS5 reverse proxy and real-time audio recording capability, as well as a Hidden Virtual Network Computing (HVNC) module. The developer says Xeno RAT was made from scratch, resulting in a one-of-a-kind and customized approach to remote access tools.

A team of scientists in China has introduced a quantum communication technique that could help protect Web 3.0 from the threat of quantum computing. According to the team, their approach, Long-Distance Free-Space Quantum Secure Direct Communication (LF QSDC), improves data security by allowing encrypted direct messaging without needing key exchange, which is traditionally vulnerable to quantum attacks. They add that the approach bolsters security and adheres to the decentralized ethos of Web 3.0, providing a strong defense in the digital landscape.

According to security researchers at Trend Micro, more threat actors have started exploiting two recently resolved vulnerabilities in the ConnectWise ScreenConnect remote desktop access software.  The issues tracked as CVE-2024-1709 (CVSS score of 10) and CVE-2024-1708 (CVSS score of 8.4) are described as an authentication bypass flaw and a path traversal bug.  The researchers noted that ConnectWise disclosed the security defects on February 19, when it announced patches for them.  Two days later, the company updated its advisory to warn of ongoing exploitation.