Fancy Bear returns, resuming its use of the Zebrocy toolkit against a familiar range of targets, for the most part embassies and foreign ministries in Eastern Europe and the Middle East. ESET, which says the renewed activity dates to late August, also notes that Zebrocy's suite of downloaders, droppers, and backdoors has shown some evolution into marginally more effective forms. Fancy Bear is also known as Sednit, Sofacy, Group 74, Strontium, and APT28, but Russia's GRU military intelligence service is always the man behind the curtain.
The University of Toronto's Citizen Lab describes a campaign directed against Tibetan diaspora groups by a threat actor the Lab calls "Poison Carp." A successor to Ghostnet, the campaign has used a suite of Android and iOS exploits; its typical infection vector was social engineering. Reuters observes that this appears to be the same threat actor that has been active against China's predominantly Muslim Uighur minority.
An anonymous researcher has published a zero-day affecting the widely used vBulletin web forum software. ZDNet says the vulnerability is a pre-authentication remote code execution bug. It’s unclear whether the posting was done with malign intent or simply amounted to a bungled disclosure.
Few will be surprised to hear that the GandCrab gang has returned from retirement. SecureWorks reports that the group has reassembled itself and is responsible for attacks using REvil ransomware (also known as Sodinokibi).
Iovation predicts that insurance fraud committed over mobile devices will fall into categories it labels "Application," "Bad Debt," "Ghost Broking," "Account Takeover," "Claim," and "Contact Center."