The North Korean state-sponsored threat group Kimsuky, also known as Thallium and Velvet Chollima, has launched a new spear-phishing campaign that uses malicious Google Chrome extensions to exfiltrate Gmail messages, BleepingComputer reports.
Kimsuky's spear-phishing messages urge recipients to install the malicious extension, which abuses the Chrome DevTools API to intercept and steal email messages without triggering the account's security protections, according to a joint advisory from the German Federal Office for the Protection of the Constitution and the National Intelligence Service of the Republic of Korea.
The advisory also warned about Kimsuky's use of the FastViewer Android malware, also known as Fastspy DEX and Fastfire.
AhnLab has noted that Kimsuky updated FastViewer after its hashes were publicly disclosed. FastViewer attacks begin with unauthorized access to a victim's Google account; the attackers then abuse the Google Play Store's web-to-phone synchronization feature to push the app to the victim's device, resulting in the installation of FastViewer, which has file exfiltration and keylogging capabilities.
Microsoft credentials targeted in new phishing attacks with RPMSG files
Threat actors are using compromised Microsoft 365 accounts to send encrypted restricted permission message (RPMSG) files in a new phishing campaign designed to stealthily steal Microsoft credentials, according to BleepingComputer.
BleepingComputer reports that some Barracuda Email Security Gateway appliances have been compromised in attacks exploiting a zero-day vulnerability, which has since been patched in security updates issued over the weekend.
Numerous sectors, including government, financial services, media, manufacturing, transportation, and utilities, have been targeted by a large-scale credential phishing campaign that abuses the SuperMailer newsletter distribution app and has doubled in volume each month since January, according to SecurityWeek.