Vietnamese threat actors have returned to the news. Over the long weekend Trend Micro researchers described a recently discovered macOS backdoor they believe is associated with Hanoi’s OceanLotus group. And Microsoft 365 Defender Threat Intelligence Team has found the group they track as Bismuth (and which they associate with OceanLotus, APT32) actively deploying a Monero miner against its victims. The development is interested: North Korea’s Lazarus Group has long been an outlier among state-directed threat actors in that financial gain was a major objective. It appears that Vietnam’s services may be headed down the same path.
Spamhaus has found a suspicious awakening: fifty-two dormant networks based in North America suddenly became active over the period of only a few days. All are physically hosted in Greater New York. While inactive networks do come back to life from time to time, the researchers find it suspicious that so many should reemerge essentially simultaneously, without having any obvious mutual connections.
A significant criminal campaign is underway against German Internet users. Malwarebytes finds the campaign unusual in that the criminals are serving either the Gootkit banking Trojan or REvil (Sodinokibi) ransomware.
The US Supreme Court yesterday heard arguments in a case challenging broad interpretation of the Computer Fraud and Abuse Act. The Wall Street Journal says a decision is likely to come in June.
The Baltimore Sun reports that Baltimore County Public Schools expect to be sufficiently recovered from the ransomware attack they sustained last week to be able to resume instruction tomorrow.